Date: 2017-11-06

Identity and access management has evolved over the years from straightforward system-level account and privilege administration to include password synchronization and single sign-on (SSO), multi-factor authentication (MFA), compliance, governance, policy management, event and behavioral analytics, and risk management.

Given all the disciplines and processes involved, it’s no wonder that simply getting the assurance that users are who they say they are can seem impossibly difficult. To be sure, identity today is more complex than it was 10 or 15 years ago, with the need to accommodate multiple disciplines and processes. Here are two strategies to help make it easier.

1. Align Your Identity Project to a Service

As Mick Jagger famously once said, “You can’t always get what you want, but if you try sometimes, you just might find you get what you need.” To get what you need, take a page from other IT projects and align your identity project to a service:

Determine the most critical success factors and prioritize them against risk mitigation, process efficiencies, and user impact.

Create attainable expectations and goals, pre-determining new capabilities and resource savings that adjacent technologies and disciplines may be able to leverage.

Think about long-term flexibility, sustainment, maintenance, and support.

In short, don’t try to “boil the ocean.” Instead, focus on what matters most.

2. Take a Business-Driven Approach

Much of the difficulty with managing identities comes from seeing identity as an afterthought instead of a foundational component of the business. For example, if you’re starting an identity project, start with defining your top 100 business-critical applications. Then gather information about who has access to what, so you can provision access, perform segregation of duties (SoD) against them, and so forth.

The challenge is that each application is completely different. Are you supposed to use 100 different data collection processes? 100 different sets of rules? 100 provisioning adapters? That’s obviously impractical – and unnecessary, if you treat identity as foundational to the business. To do this, you must:

Define identity management standards and guidelines for any technology you bring into your organization. This will help establish expectations such as providing access information to a centralized platform and having an interface for automated provisioning.

Define a standard common authentication and authorization platform such as Active Directory or LDAP. This lets you standardize your management of identity and access wherever possible.

Define a standard process and approach for all technology to follow (including terminology, common SoD, and privilege classifications) and track exceptions to the standard.

If you’re moving to the cloud, this effort can make a huge difference in speed of adoption and control of services in the future. And if you ever change cloud providers, a strategy that’s based on a business-driven approach will make it easier to transition smoothly and maintain the same level of service.

To learn more about the importance of bringing a business perspective to identity strategy, read the Forrester report “Build Your Identity and Access Management Strategy” (April 3, 2017).