Disaster-Proof Identity Management: Start with a Strong Foundation

June 30, 2016

Can you afford to have your Identity Management project fail?

If not, we have some tips to prevent your Identity & Access Management (IAM) project from going off the rails. Much like constructing a building requires a strong foundation to succeed, laying the proper groundwork will help you provide an IAM architecture that is scalable, reliable, and flexible. Once the foundation is properly in place, additional connectors and features introduce a discrete risk that is easier to manage. Let’s start by defining what we mean by an IAM Foundation:

There are four (4) key components to any IAM foundation:

  1. Authoritative Source: A system or database that is the authority for a given user type or user attribute. Authoritative data sources are usually a system, such as your Human Resources Information System (HRIS), that is actively maintained and has high data quality. The first step is to identify the Authoritative Source for each user class you will manage.
  2. Central Identity Store: An LDAP-compliant directory that establishes, maintains, and provisions identities throughout the business lifecycle based on data from the Authoritative Sources. The Identity Store is the cornerstone of the overall Identity and Access Management solution: it supports the user account lifecycle and provides access control.
  3. Active Directory Integration: The connector from the Central Identity Store to Active Directory creates user accounts with access to the network, file and print services, shared drives, and core business applications. In short, this connector gives users the base level of access they need to be productive on Day 1.
  4. Audit Repository: A system that stores audit logs of activities within the IAM solution. This repository supports security and compliance requirements and is a separate component from the directory services layer of the solution.

8 Tips to Build a Solid IAM Foundation

  1. Map your Business Processes – Create process maps of all your onboarding and off-boarding processes from end to end for each user type. These process maps will provide the steps, timing, and rules for getting a user identity created and provisioned with the proper accounts, access, and assets. The Central Identity Store requires a greater focus on the processes for migrating data from systems of record and providing that data to other services, systems, and application directories.
  2. Create Data Maps – Define the flow of data from the Authoritative Source to the Central Repository and on to Active Directory. This makes it clear where the data originates and where it is going, and it ensures that the data flow is accurate and that any transformations are well understood.
  3. Establish Project Governance – Define a simple IAM Governance Board that meets regularly to develop overall guidelines for the directory and project, such as the criteria for adding data to the directory and how those decisions are made. This helps avoid missed requirements, formalizes decisions, and supports decision-making later, when the project team can get bogged down in details.
  4. Focus on Data Quality Early – Identifying the Authoritative Source for each user class is a critical component in establishing an Identity Management solution. More important still is defining how your organization will maintain the correctness of the data in the Identity Store, given that some portion of the data in the Authoritative Sources will be out of date, contain mistakes, or be inconsistently formatted. Most organizations address data quality issues within the Authoritative Source. While such policies reduce the number of transformations required to handle erroneous data, they may undermine the usability of the directory for consumers if the administrators of the source systems are not engaged in the project.
  5. Design with the End in Mind – The foundational infrastructure will support all users and provide basic network and application access. The directory structures should be well thought out and implemented for the long run, but the directory can be populated sparsely at first and expanded as applications are added. When designing the solution, the initial infrastructure must be able to accommodate growth, both in the use of the first applications and in the addition of new ones. Do not skimp on hardware or redundancy.
  6. Document and Socialize – Formal Solution Requirements and Design documentation allows business, IT, security, data custodians, and other stakeholders to review and validate the solution before it is built. More importantly, it gives the developers an understanding of the technical details and overarching architecture they are working to implement.
  7. Rigorous Testing – Develop a test plan for the IAM foundation, core connectors, and any Phase I applications to communicate performance metrics and facilitate user testing. The IAM Foundation should be deployed to your test environment for extensive System, Integration, and User Acceptance Testing (UAT). UAT depends on a diverse set of business stakeholders to put the solution through its paces and to identify and resolve any impactful defects. We recommend having stakeholders officially "sign off" on the solution once testing is complete.
  8. Develop a Communications Plan – Managing expectations and publicizing quick wins is critical to acceptance of the IAM solution. We recommend a combination of face-to-face conversations and presentations as well as web-based/email communications. The former allows the presenter to tailor the message to audiences such as leadership, data stewards, and technical staff, and the latter keeps the overall message consistent. If possible, identify ways to involve stakeholders in the decision and policy-making process.
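The four foundation components above and tips 2 and 4 (data maps and data quality) describe one pipeline: Authoritative Source records are normalized, loaded into a central identity store keyed by a stable identifier, mapped to Active Directory attributes, and every action is written to a separate audit log. The following Python is an added example written for this page, not code from the original post or from Idenhaus. The HRIS rows, department-to-OU table, naming rules, domain name and audit event names are all constructed assumptions; the only real values are the standard Active Directory attribute names and the `userAccountControl` flags 512 (normal account) and 514 (disabled account).

```python
"""Minimal model of an IAM foundation data map (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional
import re

# Constructed HRIS extract (the Authoritative Source). It deliberately contains
# inconsistent formatting, a missing email and one row with no employee id.
HRIS_EXTRACT = [
    {"emp_id": "000123", "first": "  alice ", "last": "DOE", "dept": "Finance",
     "status": "Active", "email": "Alice.Doe@example.com"},
    {"emp_id": "124", "first": "Bob", "last": "o'neil", "dept": "it",
     "status": "ACTIVE", "email": ""},
    {"emp_id": "", "first": "Carol", "last": "Lee", "dept": "HR",
     "status": "Active", "email": "carol@example.com"},
    {"emp_id": "000125", "first": "Dan", "last": "Smith", "dept": "Sales",
     "status": "Terminated", "email": "dan@example.com"},
]

# Constructed data map: which AD organizational unit each department lands in.
DEPARTMENT_OUS = {"FINANCE": "OU=Finance", "IT": "OU=IT", "HR": "OU=HR", "SALES": "OU=Sales"}
AD_DOMAIN_DN = "DC=corp,DC=example"   # assumed directory suffix
UPN_SUFFIX = "corp.example"           # assumed UPN / mail domain


@dataclass
class Identity:
    """One entry in the central identity store, keyed by a stable employee id."""
    uid: str
    given_name: str
    sn: str
    department: str
    status: str            # "active" or "inactive"
    mail: Optional[str]


def normalize(row):
    """Apply the data-quality rules to one HRIS row.
    Returns (Identity, issues); Identity is None when the row must be rejected."""
    issues = []
    emp_id = row.get("emp_id", "").strip()
    if not emp_id.isdigit():
        return None, ["missing or non-numeric emp_id"]
    first = " ".join(row["first"].split()).title()   # trims and normalizes case
    last = " ".join(row["last"].split()).title()     # "o'neil" -> "O'Neil"
    dept = row["dept"].strip().upper()
    if dept not in DEPARTMENT_OUS:
        return None, [f"unknown department {dept!r}"]
    status = "active" if row["status"].strip().lower() == "active" else "inactive"
    mail = row["email"].strip().lower() or None
    if mail is None:
        issues.append("missing email in HRIS; will be derived from account name")
    return Identity(emp_id.zfill(6), first, last, dept, status, mail), issues


def to_ad_attributes(ident, used_sams):
    """Map an identity-store entry onto the AD attributes the connector would set."""
    base = re.sub(r"[^a-z0-9]", "", (ident.given_name[0] + ident.sn).lower())[:20]
    sam, n = base, 1
    while sam in used_sams:          # resolve logon-name collisions deterministically
        n += 1
        sam = f"{base[:20 - len(str(n))]}{n}"
    used_sams.add(sam)
    return {
        "sAMAccountName": sam,
        "userPrincipalName": f"{sam}@{UPN_SUFFIX}",
        "displayName": f"{ident.given_name} {ident.sn}",
        "distinguishedName": f"CN={ident.given_name} {ident.sn},"
                             f"{DEPARTMENT_OUS[ident.department]},{AD_DOMAIN_DN}",
        "employeeID": ident.uid,
        "mail": ident.mail or f"{sam}@{UPN_SUFFIX}",
        "userAccountControl": 512 if ident.status == "active" else 514,
    }


def provision(extract):
    """Run the whole flow: source -> identity store -> AD attributes, with a
    separate audit log. Returns (identity_store, ad_accounts, audit_log, rejects)."""
    identity_store, ad_accounts, audit_log, rejects, used_sams = {}, {}, [], [], set()
    for row in extract:
        ident, issues = normalize(row)
        if ident is None:
            rejects.append({"row": row, "issues": issues})
            audit_log.append({"action": "REJECT", "source": "HRIS",
                              "emp_id": row.get("emp_id"), "issues": issues})
            continue
        identity_store[ident.uid] = ident
        audit_log.append({"action": "IDENTITY_UPSERT", "uid": ident.uid, "issues": issues})
        attrs = to_ad_attributes(ident, used_sams)
        ad_accounts[ident.uid] = attrs
        audit_log.append({"action": "AD_ENABLE" if ident.status == "active" else "AD_DISABLE",
                          "uid": ident.uid, "sAMAccountName": attrs["sAMAccountName"]})
    return identity_store, ad_accounts, audit_log, rejects


if __name__ == "__main__":
    store, ad, log, rejected = provision(HRIS_EXTRACT)
    for event in log:
        print(event)
```

Two design points follow the post's advice. The identity store is keyed by the zero-padded employee id rather than by name or logon name, so a name change or a sAMAccountName collision never creates a second identity. Rows that fail a hard data-quality rule are rejected and logged rather than silently "fixed", which keeps the correction where the post says it belongs, in the Authoritative Source, while the audit log remains a separate record of what the connector did and did not do.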

In the end, most IAM projects fall short because they fail to follow a disciplined process that drives out all the relevant details. The brass ring is automating the routine tasks necessary to manage the user lifecycle, network and application access, and network security, and to meet regulatory compliance requirements. The complexity of these projects should not be underestimated, nor should the challenge of creating an architecture that can manage multiple data sets and user types across a range of geographies and processes. The tips above will help you avoid the most common IAM pitfalls and build a robust foundation for your Identity Management program.

If you enjoyed this post, please share it with your network and follow us @Idenhaus for more IAM insights and best practices.
