Part 02 - Identity and Organisational Transformation (Trigoso, 2013)

Title: Part 02 - Identity and Organisational Transformation

Publication: 2013

Series Abstract

This is the second part of a series entitled “Quantitative Identity Management ”. This series presents an innovative approach to Identity Management, showing how this area can be objectively planned, delivered and measured, contrary to the conventional view that considers it as a “cost” and as strictly focused on “security.”

Part Summary

Part 2. What is IAM? We look beyond the usual emphasis on either access control or regulatory compliance and widen the perspective. If the focus were purely regulatory, or narrowly on access control, it would be strange to think about quantitative measures in that context.

Many times, I have been asked, "What is Identity management and how does it work?" Many Security professionals are still unsure about the scope and nature of this discipline. Identity management is above everything else a Security discipline whose ultimate goal is to achieve efficiency and organisational excellence. It was already relevant in all types of organisations where informational processes are more or less well "protected," but where Identity data is not considered an asset and is not managed with appropriate processes. It is even more relevant at a stage where the majority of users are not within the organisational boundaries. It would be an error, though, to see Identity management as just a way of reducing the complexity and costs of user management. We can certainly do that by means of automation and workflow engines, but that would reduce Identity Management to an ordinary technology-centric discipline. The truth is that neither automation nor workflows nor the desired user management tools can work by themselves, and Identity management always has a very strong component of organisational transformation.

Within the conventional framework, Identity management tended to put much emphasis on setting up role-based access controls. This still makes sense today for some areas of the organisation and for some sets of applications that require a role-based approach, but in the expanded enterprise it is difficult, if not impossible, to express Identity management requirements in terms of an organisation-wide role model. Neither the diversity of applications nor the variety of users and locations allows for a single model, and hence it is essential to have a more flexible, distributed approach. It is necessary to consider other ways to "manage" external identities, for example self-service, third-party registration, lightweight authentication and federation services. The "roles" of the external identity types cannot be defined in the same terms as the "internal roles," because the latter depend on data owned by the organisation under employment contracts and job definitions. On the other hand, this evolution is leading to the recognition that external users should, and can only, be managed by the external entities themselves (including the assurance providers and the individuals involved).

Corresponding to this, the main direction of the effort is now not towards access control but towards access enablement. Selective enablement, which grants access against a deeper, more complex and layered set of assurance levels, ultimately amounts to access control. The emphasis is on giving access and selectively enabling access channels, so the control objective is achieved in a different way.

This different approach also means the focus is now on the performance of identity and data exchanges as a whole, and not on security. In the past, Identity data was primarily bound to separate "silos" or islands of IT solutions, and the evolution of Identity management depended on the upgrade and improvement road maps of the other areas in the IT departments. In the new period, Identity management becomes less technological and more standardised, and it moves both inside and outside of the organisation. In this sense, it becomes more and more independent of specific platforms or technology brands.

Today it is still difficult to see the result of this evolution, but the first steps have already been taken by many organisations, especially those that have seen the complete failure of attempts to centralise Identity management following the "enterprise" model. The current emphasis on regulatory compliance, driven by legislation, also obscures the underlying transformation, but it will soon leave the forefront of business concerns as people begin to see that audit issues arise precisely when Identity is not owned and managed. The Compliance emphasis, by contrast, is currently 100% reactive and improvised, and thus repetitive, costly, hasty and unsustainable.[i]

In the new period, too, when Identity becomes data, the focus is on performance. By this I mean the performance of the information exchange network as a whole. When speaking of performance, what I mean is Quantitative Identity Management, as announced by the title of the present series, but we still need to cover some other points before addressing the new idea.


[i] Compliance emphasis is unsustainable when it becomes a reactive, audit-driven practice instead of being a normal, standardised business practice.


© Carlos Trigoso 2012-2013




This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.