Welcome!

Microsoft Cloud Authors: Kevin Benedict, Pat Romanski, Liz McMillan, Lori MacVittie, Elizabeth White

Related Topics: Microservices Expo, Java IoT, Microsoft Cloud, Containers Expo Blog, Agile Computing, Cloud Security

Microservices Expo: Article

The Marriage of Tech and Business… and How to Prevent a Divorce

Best practices for organization-wide identity and access management

Evolving regulatory compliance requirements can be a major headache for the IT teams responsible for identity and access management (IAM). Sarbanes Oxley, the wide range of privacy regulations and other federal requirements, have transformed IAM from a problem that keeps the chief information security officer up at night into a true business concern shared by all company executives. Knowing who has access to what information within your organization - and whether they should have that access - is a deceptively complex issue that has the potential to drive a wedge between even the healthiest of relationships across the business.

On the surface, it may seem as though the nuts and bolts of IAM should reside in a company's IT department. This is because there are many islands of information stored in databases across the business that are managed and administered by the IT team. In addition, employee access to particular areas of the network is usually enabled and revoked by IT.

The problem is that these functions are just the tip of the iceberg when it comes to effectively managing your identity governance program.

IAM Is Driven by Business Requirements
It has long been recognized that identity and access management must be process-driven if it is to gain any longer-term traction within an organization. In fact, Gartner highlighted the importance of process in a 2005 research report, stating that "Identity and access management is not only a set of technologies but also a set of processes that address fundamental issues about handling the strategic asset of identity in any enterprise. Establishing a long-term solution for managing identity requires understanding these basic processes."

Why is the process so important?

Any change to the identity of an employee is triggered by the business. The identity attributes of an employee are created when they are hired (onboarding), changed when they are promoted or assigned new responsibilities (change in responsibility), and must be restricted when they leave the organization (offboarding).

A strong partnership between IT and the company's business divisions is essential to ensure that:

  • There is a process to capture all of the changes that happen to the identity of an employee during their life cycle within an organization.
  • The business has established and approved the policies under which employee access will be granted or denied.
  • Changes are processed within the identified framework (i.e., no one is given access "through the backdoor").

By involving business owners early in the development of your IAM program - including human resources as it traditionally "owns" the bulk of employee attributes, like name, address, social security number and banking information - companies will improve the chances of executing their IAM goals on time and on budget.

Create a Culture of Continuous Compliance
Traditional approaches to identity and access governance take a reactive approach to meeting compliance requirements. If the sole measure of success is the ability to generate an attestation report, the company will always be in "firefighting" mode. It is far better to prevent access violations from happening than trying to chase them down once they occur. At that point, the security breach has already taken place, inappropriate access has already been granted and the damage has been done.

The goal of an effective identity governance initiative should be to ensure that employees are only given the access that is assigned to them under a clearly defined set of rules in accordance with company policy. On the other hand, requests for access that would violate a policy (e.g., separation of duties) should be denied and the appropriate manager should be alerted that a request has been made that would violate company policy. By working with business divisions to set these proactive policy parameters up front, the company is able to create a true culture of continuous compliance.

Your IAM Program Should Deliver More than Compliance
Compliance is a necessary evil. However, if handled correctly, compliance can also create the opportunity for meaningful efficiency improvements and cost reductions throughout an organization.

By managing the identity of your employees centrally and establishing proper business processes to manage identities, companies are able to:

  • Shorten new employee onboarding time to less than a day: It is important to capture the primary attributes needed to create an employee identity during the onboarding process and feed this information to all related systems (e.g., payroll, HR, Active Directory, SAP). This approach gives employees the access and assets they need to be productive on their first day with the company.
  • Eliminate repetitive manual data entry: A large Canadian retailer recently identified more than 90 attributes that make up the identity of their employees. More important, it also realized that these attributes were being manually re-entered up to ten times for different purposes across the company. Once it began managing their identity administration centrally, the retailer was able to capture data with no re-entry, thereby eliminating hundreds of redundant entries per employee.
  • Lower administrative costs: Improving time to productivity, streamlining administrative functions, and simplifying audits will result in millions of dollars saved, depending on the size of the organization.

Learn from Past Failures
Many organizations have been down the IAM solution path before with varying degrees of success. The problem-solving responsibility has traditionally been handed off to - you guessed it - the IT department, which typically attempts to solve the issue via technological solutions. As discussed earlier, the challenge is that the IT department is trying to solve the issue when it doesn't own the information or the process. Attempting an IT-only fix, centered around third-party technology and buy-in from other departments, leads to annoyance at best and losses in time and capital at worse.

In spite of these challenges, there is hope for organizations looking for the Holy Grail of IAM. Below are some best practices organizations can employ to improve their internal IAM processes:

  • Solicit business involvement early: IT cannot solve the problem alone. They're the custodians and the business is the end user. IT must engage with business and HR in lay language and find common denominators.
  • Create an identity warehouse: Conduct a thorough cleaning of identity data housed by various internal systems so there is easy reconciliation and clear visibility into access granted to employees.
  • Fix the controls: Implement procedures early in the business process (i.e., during onboarding), and make sure they are followed, to derive the most value from your identity and access management program.
  • Process, process, process: IT spends a significant portion of its time and budget on the dreary work of managing identities. IT and the business divisions can realize measurable benefits from implementing processes that drive down wasted time and money.
  • Go paperless: Going paperless with IAM liberates employees from the stacks of paper on their desks. An electronic IAM system can lighten the load across divisions by identifying holdups and speeding timelines.
  • Prevention is the key: Get away from the "putting out the fires" mentality. True process control means that fires are prevented.

Conclusion
Approaching IAM in a process-oriented way allows organizations to deal with potential problems proactively. When implemented properly, these best practices can help streamline IAM processes across all organizational departments, resulting in shortened onboarding, reduced costs, increased efficiency and regulatory compliance. Those are goals the whole company can get behind.

More Stories By Jay O'Donnell

Jay O’Donnell is the CEO and founder of N8 Identity and spearheads the continuing development of N8 Identity’s industry-leading solutions. One of the early pioneers of the identity and access management (IAM) industry, he initially founded an IAM consulting business in 2000. After overseeing dozens of large-scale IAM projects, he led the development of Employee Lifecycle Manager® in 2007 to meet the need for a software solution that delivered pre-defined identity and access processes throughout the lifecycle of a user within an organization. Jay is an internationally recognized expert in information security, compliance, identity management, federated identity and directory services.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
DXWorldEXPO LLC announced today that "IoT Now" was named media sponsor of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. IoT Now explores the evolving opportunities and challenges facing CSPs, and it passes on some lessons learned from those who have taken the first steps in next-gen IoT services.
SYS-CON Events announced today that Silicon India has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Published in Silicon Valley, Silicon India magazine is the premiere platform for CIOs to discuss their innovative enterprise solutions and allows IT vendors to learn about new solutions that can help grow their business.
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT staff augmentation services for software technology providers. By providing clients with unparalleled niche technology expertise and industry experience, Chetu has become the premiere long-term, back-end software development partner for start-ups, SMBs, and Fortune 500 companies. Chetu is headquartered in Plantation, Florida, with thirteen offices throughout the U.S. and abroad.
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...