Working with identity and access is more of a journey than a destination. Many of the areas above have dependencies in both directions, and it is important to gradually improve each one. For every iteration, the system matures. One method of evolving is to continuously ask 5 questions:
- Who works here?
- What should they do and why?
- How do we make sure and improve?
- What can go wrong?
- Are we playing by the rules?
Who works here?
It might look like an easy question to answer, but most often it is more complex than one would think. The easy answer is “the employees”, but looking at use of IT in an organization, there are usually wide varieties of users such as consultants, partners, suppliers, customers and more. This question is answered by work in the area of Identity. Within Identity there are two major areas. One is the connection from an Identity Manager to other applications and directories and the other area is how the identities should be “proven” as users access the IT infrastructure.
What should they do and why?
Besides knowing who the users are, it is important to understand what they should have access to and why. It is both to make sure that they get the access they need to do their job, but also make sure they do not get access to information that they are not privilege to. Most organizations try to define groups, attributes and/or roles that the users belong to, which in its turn is the basis for what access they should get, which is the authorization. There are many models for this, but in reality, most often it becomes a combination of them. The highest level of decisions is if the user should have any access to an application, and the second highest level is typically what role the user should have. Sometimes there is also a deeper level of authorization where the IAM solution decides on individual “permissions”. The enforcement is all about how the IAM solution shares this information to the application, and how the application makes sure it follows the policies.
How do we make sure and improve?
As mentioned above, this is more of a journey, and the systems under control are not static. Governance is often looked upon as an obstacle, but handled correctly and proactively, it can become a resource and create a structure that makes life easier. It is important to be able to follow what happens. To avoid overload, it is important to detect changes to what is considered normal. Based on this information there is always room for improvement, and changes should be controlled. An uncontrolled change can have a negative impact in many ways. What is important is that since an audit often goes back 12 months, it is important to be able to answer what access was possible during that time. Automation can often handle many events, but exceptions to automation must be possible, and also tracked.
What can go wrong?
No one can build a perfect system where nothing goes wrong. It is important to analyze what one should be prepared for, have a plan on how to fix it, and understand the impact or consequences. With mitigation one can also reduce the risk that it actually happens.
Are we playing by the rules?
When defining policies and setting the level of control, it is important to follow the rules defined both internally and externally. Compliance frameworks can be used as measuring sticks of progress and as a driver for making changes to the other four areas.
Management – ”top down” or ”bottom up”
Different organizations have different approaches, but in the more mature the organization, the more common it is with ”bottom up”. A very immature and reactive organization also uses the “bottom up” approach, but with a lot of pain and seldom good results. The first proactive steps are to try to answer the five questions from the top. It is hard to decide what a person should do, unless you know if they are working ”here”.