I have just completed a product selection exercise with a customer who has past experience of a failed solution with one of the Big Vendor products. In doing this I found it useful to refer to the Gartner IAM Maturity Model, because what is the use of fancy (/expensive) features if you don’t actually have the data, processes, and clear understanding of access roles to make use of them.
This is my own summary of the five stages of maturity against common IAM product features. I expect I will continue to refine this over time, but here’s my start.
| Level | Characteristics | Main Problems | Key IAM Product Features |
|---|---|---|---|
| 1. Initial | Account creation and management done ad hoc, as needs arise, with no particular consistency or process. | Not scalable beyond a certain user population. Too much dependency on individuals who just know how to do the thing. | Skip the products and invest in documenting account management processes per account type, and rules around access control. |
| 2. Developing | Processes followed within individual systems, to varying degrees of exactitude. Generally, as processes are created or modified, pre-existing accounts or records are not updated to match. | User on-boarding is drawn out, with requests sent to different teams for accounts, access and equipment. Security are starting to get testy about all the enabled accounts for people who've left. | A basic identity synchronization and provisioning service, like the MIM Sync service, is perfect for this stage, as it will start enforcing consistency and surfacing incorrect source data. It is also important to consider the best fit of platform with existing sys-op skills, as there is unlikely to be dedicated staff to manage the solution. |
| 3. Defined | There is now some sharing of identity and organisational data between systems, and processes have been documented end-to-end, looking for inefficiencies that can be resolved. | As integration increases, the risk of bad data or practices in one system "infecting" downstream systems increases. Testing becomes arduous and some people loudly recall how much they liked the good ol' cowboy days. | Excellent logging which shows where data changes originated. Features like SailPoint's after-the-fact approval of "native" changes made in target systems can help enforce procedure on those that might still be avoiding it. |
| 4. Managed | An identity data architecture exists and is kept up to date. Identity interoperability is a key factor in product selection. | How best to leverage existing systems and well-managed organisational data to provide access that is appropriate, available straight away, and adaptive to risk metrics. | Role-based and adaptive access control, federated authentication and just-in-time provisioning. To reference Gartner again, the Magic Quadrant leaders are positively judged on these sorts of features, but without the maturity level the customer organisation won't get much value from them. |
| 5. Optimized | Proactive stewardship and enhancement of data and processes in source systems that deliver efficiencies and improvements across the business, with genuine recognition of the value achieved. | Congratulations, you have reached Nirvana! Be careful, however, as back-sliding is possible, so vigilance is required, particularly if management start talking about outsourcing HR. | At this stage of smooth operations you may be able to consider a less expensive IDaaS option, having fewer special cases and idiosyncratic processes to work around. |
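To make the level 2 and level 3 features concrete, here is an added example (my own illustration, not code from MIM, SailPoint or any vendor) of the reconciliation a basic sync service performs: it compares a constructed HR feed against a constructed directory, flags leavers who are still enabled, flags "native" attribute changes made directly in the target, and records in each finding which system the discrepancy originated from.

```python
# Constructed sample data: an authoritative HR feed and the downstream
# directory it should drive. Both are hypothetical, for illustration only.
HR_FEED = [
    {"id": "1001", "name": "Alice Ng", "status": "active", "dept": "Finance"},
    {"id": "1002", "name": "Bob Rae", "status": "leaver", "dept": "Sales"},
    {"id": "1003", "name": "Cara Lim", "status": "active", "dept": "Sales"},
]
DIRECTORY = [
    {"id": "1001", "name": "Alice Ng", "enabled": True, "dept": "Finance"},
    {"id": "1002", "name": "Bob Rae", "enabled": True, "dept": "Sales"},
    {"id": "1003", "name": "Cara Lim", "enabled": True, "dept": "Marketing"},
    {"id": "svc-backup", "name": "Backup Svc", "enabled": True, "dept": ""},
]

SYNCED_ATTRS = ("name", "dept")  # attributes the HR feed is authoritative for


def reconcile(hr, directory):
    """Compare the directory against the HR feed and return a list of findings.

    Each finding names the account, what is wrong, the value held by each
    system and the action a sync service would take. The 'origin' field
    records which system the discrepancy came from, which is the logging
    a level 3 organisation needs to trace where data changes originated.
    """
    hr_by_id = {r["id"]: r for r in hr}
    findings = []
    for acct in directory:
        src = hr_by_id.get(acct["id"])
        if src is None:
            # Created directly in the target: no HR record vouches for it.
            findings.append({"id": acct["id"], "finding": "no_source_record",
                             "origin": "directory", "action": "review"})
            continue
        if src["status"] == "leaver" and acct["enabled"]:
            # The level 2 complaint: leavers still have enabled accounts.
            findings.append({"id": acct["id"], "finding": "leaver_enabled",
                             "origin": "hr", "action": "disable"})
        for attr in SYNCED_ATTRS:
            if acct.get(attr) != src.get(attr):
                # A "native" change made in the target, bypassing the process;
                # queue it for after-the-fact approval rather than silently revert.
                findings.append({"id": acct["id"], "finding": "native_change",
                                 "attr": attr, "source": src[attr],
                                 "target": acct[attr], "origin": "directory",
                                 "action": "queue_for_approval"})
    # Active people HR knows about but the directory lacks: a provisioning gap.
    dir_ids = {a["id"] for a in directory}
    for emp_id, src in hr_by_id.items():
        if src["status"] == "active" and emp_id not in dir_ids:
            findings.append({"id": emp_id, "finding": "missing_account",
                             "origin": "hr", "action": "provision"})
    return findings
```

Run against the sample data it reports the leaver 1002, the departmental change on 1003 made outside the process, and the service account with no source record; the same routine, fed real exports, is the first place incorrect source data tends to surface.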