Identity management (IdM) has become a buzz phrase in the industry surrounded by more confusion than facts and experience. So what exactly is an identity and why do we need to manage it?
An identity consists of attributes describing a person — typically name, surname, ID number, email address, etc. IdM concerns itself with the management of these attributes of a person as it travels through a typical life cycle, in this example an employee in a company.
Consider the usual HR process when a person joins a new company. The person completes forms specifying his particulars, which will be captured into the HR system, which is typically not integrated with any other system. The form is then sent on to the PABX and Windows administrators to arrange the new employee’s phone, system account and email address — and so the process continues until the new employee can do their daily work activities.
This is the start of the identity life cycle, inevitably followed by change. People’s details change (e.g. surname changes) and typically employees are firstly oblivious of these multiple systems in which they exist, and secondly exactly which one of the weird IT guys to speak with to have their details updated. Given that these systems aren’t integrated, they have to repeat this process until they have finally updated all the systems.
In a company, most systems attach digital and physical access privileges to a person’s position and place in the company’s organisational structure. As people move around within a company and change position, there is an even bigger requirement to manage their access privileges – firstly by avoiding any security risks by removing the previous set of privileges that they no longer need, and secondly to assign their new access rights so that they experience no breaks in productivity.
Scaling up the above scenario to a company with thousands of employees and numerous stand–alone systems breeds a management and security nightmare with a complete lack of end–to–end traceability of the changes made to a person’s identity and security profile over time.
The end of this identity life cycle is when the employee resigns. All accounts, rights and privileges must be revoked immediately so as not to leave any dormant accounts in the systems which could potentially be used in a security breach. Data breaches are becoming more and more common and countries like the USA are moving to get legislation in place to hold the company accountable for these breaches.
The above example illustrates a very real scenario in most organisations today. IdM has never received the attention it requires to ensure the automated end–to–end management of these identities while providing full auditing and traceability required for numerous regulatory requirements, which is becoming a reality for almost all companies maintaining customer data.
In this article I’ve detailed a typical scenario that requires proper IdM focus. In my next article I will illustrate how IdM tools and technologies can address and successfully manage these everyday problems.