Most organisations are approaching identity and access management (IAM) in the wrong way by working with production requirements first, according to Gartner, Inc.
"Between half and two-thirds of organisations attempting to establish a truly-effective IAM programme approach it in the wrong way," said Earl Perkins, research vice president at Gartner. "IAM process requirements should always precede organisation and technology decisions. But currently, most IAM planning is done around clusters of technologies, rather than by addressing specific IT or business processes."
"The 'build' experience of IAM projects has traditionally not been a good one," said Mr Perkins. "While some experiences have improved and technologies are evolving, major efforts to formally build an IAM system for an organisation overlook a key lesson - planning for IAM often starts from the wrong direction with the wrong people, or at least not everyone who should be involved."
IAM started out as a "fix the plumbing" concern. However, with the advent of risk, compliance, accountability and transparency, this has changed. Now, the basis for good IAM involves a very active role by the organisation as a whole, as only they can truly say what and how accountability and transparency of access should work for them. In an era where accountability and transparency are required and must be formalised, this means a more focused and structured approach for all parties affected, and not just IT.
"IAM should not be planned with operations in mind; rather, it should be based on the foundations of the organisation relative to policies, processes and people," said Mr Perkins. "Products are actually a relatively small focus of the decision process in an IAM programme."
Gartner said that looking at IAM as a process has several advantages. First, it removes the product-centric pattern the market has placed on IAM. "Instead of looking at IAM as a set of products to be purchased to fill technology gaps in an organisation, viewing IAM as a process attempts to identify where people and IAM technology can be most effectively 'inserted' to fulfil the practices and policies of the organisation," Mr Perkins said. "It also contributes in a significant way to how enterprise, and security, architecture is enriched with the addition of IAM-specific architecture."
IAM as a process also helps to identify the key questions that need to be asked during IAM product selection, (such as how those products fulfil specific process steps). Viewing IAM as a process helps an organisation articulate its requirements and target them through prioritisation of need. It helps map the IAM process on top of known business processes to determine the convergence or touchpoints for control and intelligence purposes. Process steps that are best performed manually or are people-intensive can be identified as can different IAM process flows for different organisations, applications or system environments.
"IAM as a process essentially serves as a lens for enterprise customers to permit a 'horizontal' view of the identity and access process across the vertical landscape of business and IT within an organisation," said Mr Perkins. "As such, it encourages customers to discover for themselves the current manual and automated processes supporting IAM, and to map them to this core process view to identify current problem areas in their process."
Mr Perkins added that the operational process view of IAM can also enable the customer to define organisational roles for managing IAM and developing an identity and access governance model that incorporates those operations. By linking operational IAM process to the policy model of the organisation, this part of IAM governance can be established as a life cycle, rather than as an ad hoc set of activities applied in a reactionary way to access and identity problems. IAM as a process can be effective in converging business and enterprise processes with IT processes and accelerating IAM program maturity for the long term.
Additional information is available in the Gartner report "A Process View of Identity and Access Management Is Essential". The report is available on Gartner's website at http://www.gartner.com/....
The Gartner Identity & Access Management Summit 2011 will take place 9-10 March at the Park Plaza Westminster Bridge hotel in London. For further information about the Summit, please visit europe.gartner.com/iam. Additional information from the event will be shared on Twitter at http://twitter.com/... using #GartnerIAM. Members of the media can register for the Summit by contacting Laurence Goasduff, Gartner PR, on + 44 (0) 1784 267 195 or at laurence.goasduff@gartner.com.
About Gartner Identity & Access Management Summit
Intelligence is one of the three pillars of IAM, but until recently it has had much less attention than administration or access. This must change. An improved identity and access intelligence quotient will deliver benefits, not just within the organisation’s IAM programme, but throughout the organisation itself. At the Summit, Gartner analysts will explore the trends that are changing business needs and the ways in which IAM can and must be delivered and examine the transition of IAM into a full business intelligence resource for the organisation.
"Between half and two-thirds of organisations attempting to establish a truly-effective IAM programme approach it in the wrong way," said Earl Perkins, research vice president at Gartner. "IAM process requirements should always precede organisation and technology decisions. But currently, most IAM planning is done around clusters of technologies, rather than by addressing specific IT or business processes."
"The 'build' experience of IAM projects has traditionally not been a good one," said Mr Perkins. "While some experiences have improved and technologies are evolving, major efforts to formally build an IAM system for an organisation overlook a key lesson - planning for IAM often starts from the wrong direction with the wrong people, or at least not everyone who should be involved."
IAM started out as a "fix the plumbing" concern. However, with the advent of risk, compliance, accountability and transparency, this has changed. Now, the basis for good IAM involves a very active role by the organisation as a whole, as only they can truly say what and how accountability and transparency of access should work for them. In an era where accountability and transparency are required and must be formalised, this means a more focused and structured approach for all parties affected, and not just IT.
"IAM should not be planned with operations in mind; rather, it should be based on the foundations of the organisation relative to policies, processes and people," said Mr Perkins. "Products are actually a relatively small focus of the decision process in an IAM programme."
Gartner said that looking at IAM as a process has several advantages. First, it removes the product-centric pattern the market has placed on IAM. "Instead of looking at IAM as a set of products to be purchased to fill technology gaps in an organisation, viewing IAM as a process attempts to identify where people and IAM technology can be most effectively 'inserted' to fulfil the practices and policies of the organisation," Mr Perkins said. "It also contributes in a significant way to how enterprise, and security, architecture is enriched with the addition of IAM-specific architecture."
IAM as a process also helps to identify the key questions that need to be asked during IAM product selection, (such as how those products fulfil specific process steps). Viewing IAM as a process helps an organisation articulate its requirements and target them through prioritisation of need. It helps map the IAM process on top of known business processes to determine the convergence or touchpoints for control and intelligence purposes. Process steps that are best performed manually or are people-intensive can be identified as can different IAM process flows for different organisations, applications or system environments.
"IAM as a process essentially serves as a lens for enterprise customers to permit a 'horizontal' view of the identity and access process across the vertical landscape of business and IT within an organisation," said Mr Perkins. "As such, it encourages customers to discover for themselves the current manual and automated processes supporting IAM, and to map them to this core process view to identify current problem areas in their process."
Mr Perkins added that the operational process view of IAM can also enable the customer to define organisational roles for managing IAM and developing an identity and access governance model that incorporates those operations. By linking operational IAM process to the policy model of the organisation, this part of IAM governance can be established as a life cycle, rather than as an ad hoc set of activities applied in a reactionary way to access and identity problems. IAM as a process can be effective in converging business and enterprise processes with IT processes and accelerating IAM program maturity for the long term.
Additional information is available in the Gartner report "A Process View of Identity and Access Management Is Essential". The report is available on Gartner's website at http://www.gartner.com/....
The Gartner Identity & Access Management Summit 2011 will take place 9-10 March at the Park Plaza Westminster Bridge hotel in London. For further information about the Summit, please visit europe.gartner.com/iam. Additional information from the event will be shared on Twitter at http://twitter.com/... using #GartnerIAM. Members of the media can register for the Summit by contacting Laurence Goasduff, Gartner PR, on + 44 (0) 1784 267 195 or at laurence.goasduff@gartner.com.
About Gartner Identity & Access Management Summit
Intelligence is one of the three pillars of IAM, but until recently it has had much less attention than administration or access. This must change. An improved identity and access intelligence quotient will deliver benefits, not just within the organisation’s IAM programme, but throughout the organisation itself. At the Summit, Gartner analysts will explore the trends that are changing business needs and the ways in which IAM can and must be delivered and examine the transition of IAM into a full business intelligence resource for the organisation.
