IAM Maturity and product selection

I have just completed a product selection exercise with a customer who has past experience of a failed solution with one of the Big Vendor products. In doing this I found it useful to refer to the Gartner IAM Maturity Model, because what is the use of fancy (/expensive) features if you don’t actually have the data, processes, and clear understanding of access roles to make use of them.

This is my own summary of the five stages of maturity against common IAM product features.

Level Characteristics Main Problems Key IAM Product Features
1. Initial Account creation and management done ad-hoc, as needs arise, with no particular consistency or process. Not scalable beyond a certain user population. Too much dependency on individuals who just know how to do the thing. Skip the products and invest in documenting account management processes per account types, and rules around access control.
2. Developing Processes followed within individual systems, to varying degrees of exactitude. Generally, as processes are created or modified, pre-existing accounts or records are not updated to match. User on-boarding is drawn out, with requests sent to different teams for accounts, access and equipment.

Security are starting to get testy about all the enabled accounts for people who’ve left.

A basic identity synchronization and provisioning service, like the MIM Sync service, is perfect for this stage, as it will start enforcing consistency and surfacing incorrect source data.

It is also important to consider best fit of platform with existing sys-op skills as there is unlikely to be dedicated staff to manage the solution.

3. Defined There is now some sharing of identity and organisational data between systems, and processes have been documented end-to-end, looking for inefficiencies that can be resolved. As integration increases, the risk of bad data or practises in one system “infecting” downstream systems increases. Testing becomes arduous and some people loudly recall how much they liked the good ‘ole cowboy days. Excellent logging which shows where data changes originated. Features like SailPoint’s after-the-fact approval of “native” changes made in target systems can help enforce procedure on those that might still be avoiding it.
4. Managed An identity data architecture exists and is kept up-to-date.

Identity interoperability is a key factor in product selection.

How best to leverage existing systems and well-managed organisational data to provide access that is appropriate, available straight away, and adaptive to risk metrics. Role-based and Adaptive access control, Federated authentication and Just in Time provisioning.

To reference Gartner again, the Magic Quandrant leaders are positively judged on these sorts of features, but without the maturity level the customer organisation won’t get much value from them.

5. Optimized Proactive stewardship and enhancement of data and processes in source systems that deliver efficiencies and improvements across the business, with genuine recognition of the value achieved. Congratulations, you have reached Nirvana!

Be careful however as back-sliding is possible so vigilance is required, particularly if management start talking about outsourcing HR.

At this stage of smooth operations you may be able to consider a less expensive, IdaaS option, having fewer special cases and idiosyncratic processes to work around.

2 Replies to “IAM Maturity and product selection”

  1. Carol,
    I hope all is ok with you…This doesn’t really have to do with this post, but…
    I haven’t heard anything regarding the User Group Meetings. Has the User Group been disbanded?

    I am looking for a way to document the Attribute flow through MIM. Do you know of any product out there that would provide this information for me. In a previous life I used the Novel IDM product and it had a very nice Data Flow feature built into the designer tool, but unfortunately, MIM doesn’t have that…looking for anything that would help me to document these flows

    Thanks in advance.

    Todd Farrow

  2. Hi Todd. The group kind of fell apart after I ran out of steam organising it every month in my spare time, and then I left that employer anyway so I reckon it’s well and truly finished. However my MIM documentation script is still publicly available on their github so may help: https://github.com/themimteam/WordDocumentation

Leave a Reply

Your email address will not be published. Required fields are marked *