Identity management is a prime example of how a simple problem can become a complex one. Think about identity management in a corporate environment. The problem statement of IDM is to manage the identity and credentials of an employee across the enterprise.
An employee joins a company and is issued credentials; based on the role he or she will perform, access privileges are granted to the various systems (email, financial, portfolio systems, etc.). Each system uses access control to ensure the correct privileges are given to the right users. After some time, the employee may move to a different functional department or perform a different role, and the system must accommodate those changes so that privileges are granted based on the new role. Later the employee may lose interest in the current role or in the business strategy of the enterprise, or whatever, and decide to quit; it could also be a termination or retirement. The systems he or she had access to must then be changed to ensure that he or she has no access after leaving. Enterprise systems that were running under his or her credentials should continue to run without interruption after the employee's credentials are removed or deactivated in the systems.
The problem statement seems very straightforward and really easy to solve. However, IDM is a complex problem to solve in the industry. The reason the simple problem became a complex one is the lack of enterprise solution design thinking when solving it in the past. In the past (the last 7-10 years) every system in the enterprise took a silo approach to this problem and did not consider the touch points, access control management and the audit requirements (internal audit, external audits such as FSA and SOX).
Due to mandatory regulatory requirements and the work effort required to consolidate the access control reports of individual systems at an enterprise level, a centralized, automated solution is very much required now.
A problem that was simple by design became complex through improper implementation and now requires an enterprise solution. There are big players in the market providing IDM solutions. Some of the key big players are
There are also some new key players providing IDM solutions. The key question to ask at this stage is how much to centralize the IDM solution.
In my opinion, we do not want to buy a complex band-aid solution to solve a made-up complex problem. The real enterprise, long-term solution for the problem is as follows.
- Define your process for when an employee joins, transfers, quits and rejoins (quits and joins again in a different role)
- Define a small set of roles across the enterprise (my gut ratio is 15:300, i.e. one role per every 20 employees) for a small-scale company
- Implement those processes in the HRIS and the centralized IDM solution
- Make all enterprise systems use the centralized solution. (Yeah yeah, I hear you: there is a 40-year-old system on the mainframe and it is going to cost a lot of money to develop a connector to the centralized IDM solution. If you are running a mission-critical system that is 40 years old, you are not really ready for this generation of business model. You are putting your core business at very high risk and you need to hire a well-seasoned enterprise architect right away!!)
- Develop a connector in each enterprise system to connect to the centralized IDM for both authentication and authorization.
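As an added illustration (not from the original post), here is a small Python model of the join/transfer/quit/rejoin process above. The roles, systems and privileges are constructed for the example: each role maps to per-system privileges, every lifecycle event is reconciled into grant/revoke actions that are kept as an audit trail, and a rejoin in a different role starts from an empty entitlement set instead of inheriting old access.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed role model: role -> {system: set(privileges)}. Hypothetical
# roles and systems, chosen only to show the lifecycle mechanics.
ROLES: Dict[str, Dict[str, Set[str]]] = {
    "analyst": {"email": {"mailbox"}, "portfolio": {"read"}},
    "trader": {"email": {"mailbox"}, "portfolio": {"read", "trade"}, "finance": {"read"}},
    "accountant": {"email": {"mailbox"}, "finance": {"read", "post"}},
}

Action = Tuple[str, str, str]  # (grant|revoke, system, privilege)


def entitlements(role: Optional[str]) -> Dict[str, Set[str]]:
    """Entitlements implied by a role; no role (left the company) means none."""
    return {} if role is None else ROLES[role]


@dataclass
class Identity:
    uid: str
    role: Optional[str] = None          # None = no active role
    audit: List[Action] = field(default_factory=list)


def reconcile(identity: Identity, new_role: Optional[str]) -> List[Action]:
    """Diff current vs. target entitlements and record the provisioning actions."""
    before, after = entitlements(identity.role), entitlements(new_role)
    actions: List[Action] = []
    for system in sorted(set(before) | set(after)):
        old, new = before.get(system, set()), after.get(system, set())
        actions += [("revoke", system, p) for p in sorted(old - new)]
        actions += [("grant", system, p) for p in sorted(new - old)]
    identity.role = new_role
    identity.audit.extend(actions)      # audit trail for internal/external review
    return actions


def join(identity: Identity, role: str) -> List[Action]:
    return reconcile(identity, role)   # also used for a rejoin in a new role


def transfer(identity: Identity, role: str) -> List[Action]:
    return reconcile(identity, role)


def leave(identity: Identity) -> List[Action]:
    return reconcile(identity, None)   # quit, termination or retirement


def effective_access(identity: Identity) -> Dict[str, Set[str]]:
    """What the central IDM would report for an access-control audit."""
    return {s: set(p) for s, p in entitlements(identity.role).items()}
```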