Why Enterprise Identity Management is so daunting?

Identity management has been a mature market for over a decade now. So why do enterprises find it difficult to implement and, worse, fail to get a good ROI from Identity Management implementations?

Identity Management was introduced in the last decade to meet regulatory and compliance requirements. As enterprises realized the benefits and capabilities of the products, the trend slowly moved towards achieving efficiency and uplift for the organization through automation. In the process, however, the needs of the end user were missed. This is especially evident with what is called "Firefighter" or "emergency" access, where access is required to solve a critical business or IT problem on an urgent basis. Most of the time is spent finding out how to request this particular access and gathering approvals - if it's off hours, good luck getting it on time. Provisioning the actual access is the least of the worries. Enterprises worry about users having too much access, but having too little access to do your job effectively is a worrisome trend. More often than not, we lose focus on what matters in today's world - being user centric. Traditionally, IT has always focused on the needs of the business by analyzing requirements and "checking off the boxes" around capabilities; in doing that, we lost focus on what the end user wants and expects. It's the same challenge in Identity Management.

Can I get this access so I can do my job?

Last year at the Gartner IAM conference, there was a slide of "rocks and sand" that jibed very well with me. We in Enterprise Identity Management are so focused on getting the sand into the jar that we lose the rocks. As far as the rocks are concerned, the focus in Identity Management has shifted from compliance, regulations and end user access needs to being an automation tool that does the jobs of humans and reduces cost. Identity Management must primarily solve the problems it promised to solve - bringing down organizational risk, getting a single view of "who has access to what", monitoring, access reviews and getting the right access to users as soon as possible without making them jump through multiple hoops. So what's not working? Simply put, we can't see the big rocks in Identity Management... but why?

More often than not, the organizational policies for Identity Management are not clearly defined. Either they're buried deep in information security policies in some cryptic language or they are in the head of some account administration analyst. The problem is simple - the unifying thread that is supposed to tie all the pieces together, from core security policies to organizational values to technology to the end user, does not exist. Most often, the technology team implementing an Identity Management product does not have a clear idea of what needs to be done and why it needs to be done a certain way. Their tendency is to look to the business and wait to be told what to do. Secondly, there isn't enough emphasis on planning a deployment. What adds the most value to the organization and end users is often overlooked or poorly understood. For example, attempting end-to-end automation in the very first phase of the product runs the risk of front-loading the majority of the project risk or, worse, losing confidence in the ability to implement it successfully. Access requests for end users and workflow, however, provide much greater value. Gartner has a very clear view of how to assess "risk to value" for an Identity Management implementation. They make a very convincing argument.

Trying out complex fulfillment integrations proves very risky while providing very little value to end users.





Conclusion:

In my opinion, a risk-based and end-user-centric Identity Management deployment provides greater value to the organization. Enabling users with the right access at the right time provides a very high level of customer satisfaction and productivity across the organization, and managing high-risk apps lowers the risk of exposure for an organization. IAM leaders should look at these principles while planning an IAM deployment.

Credit: Gartner, google.com

Prashant Kulkarni is a seasoned Identity Management professional. He is passionate about technology, identity management and user interface. He is based in San Francisco Bay Area, CA.



Gary Rowe

CEO/Principal Consulting Analyst at TechVision Research

7 years ago

Great points about governance and balancing risk vs. cost in assessing the value of IAM. That said, the simple analysis can get pretty complex in that there are a lot of moving parts in most large enterprises and, often, they are not moving in the same direction. Ivan is right about the economic incentives...if there are 100 disparate data sources and related identity stores and each "point program" serves an LOB need, there isn't an incentive to consolidate and simplify the data flows at an LOB level...but there is strong incentive at the enterprise level. Nice piece.

Mike Schwartz

Gluu Founder / CEO

7 years ago

Can you provide an example of "complex fulfillment integrations" ?

Ritu Sandhu Khanna

Sr. Compliance Officer (VP) at MUFG Union Bank

7 years ago

Brilliant Prashant!! You nailed the frustrations of the stakeholders leading to ignoring the 'Rocks'
