
Choosing Where to Begin an IAM Project

In my last post, I spent a considerable amount of time talking about the organization’s natural bias, and the importance of identifying and understanding that bias. I did that because in this post, I want to start focusing on where an organization can begin tackling an Identity and Access Management (IAM) project.

So if an organization has a natural bias towards Administration, then IAM projects tend to be easier for the organization to get its mind around as a whole. They are likely to be interested in what Gartner would generally classify in the Identity Intelligence or Identity Administration categories, which is clearly outlined by Perry Carpenter in Gartner's IAM Foundations, Part 1: So You’ve Been Handed an IAM Program…Now What?. Examples include:

If the organization has a monitoring bias then it tends to want to favor projects that do not directly impose “a will” on the System’s Administrator. It tends to follow a “trust, but verify” model in that it will trust its IT staff to know and do its job, to be properly skilled, and to address issues as it sees fit within communicated boundaries. However, it will verify the actions of its employees through monitoring. These organizations tend to have an easier time investing in projects like:

This is not in any way to say that a “monitoring” biased organization will not have investments in some of the Administration technologies; rather, these projects will be somewhat “against the grain”. This is becoming increasingly the case because of a number of issues in IT today. The most notable are:

  • Reduction in skilled workforce – There are now fewer skilled people who fit the organization’s trust model, so organizations have to think outside the IT department.
  • Compliance Initiatives / Governance Frameworks – As more organizations have to come into line with various regulatory requirements, or move toward frameworks like COBIT, ISO 27001, ITIL, etc., they are faced with having to establish front-end (administrative) controls – even if their only goal is to improve operational efficiencies.

For many of you, the question is “Why does any of this matter? I have real problems I have to address and I’m reading this looking for answers. Am I wasting my time?” One of the hardest lessons I ever had to learn was from one of my mentors sitting in a restaurant on a cold winter afternoon as I was preparing to make a presentation on implementing Windows NT 4.0 and certifying it for “non-workgroup” implementations. I was so angry that day, because I could not understand why the management folks, and even some of the technical folks, couldn’t see the need for this and I kept trying to express it the only way I knew how – which was in strictly technical terms and issues. That’s when my mentor explained to me that “While I understood the technical issues as well as anyone, I still had a lot to learn about business and politics, and organizations gravitate to projects that its culture and thereby its politics comprehend and can quantify. Until I could express the issues as business issues within the constraints of the culture and politics I would not be successful.” He proved this to me by reminding me that two other individuals had both tried to do the same thing I was doing and one had been fired and the other quit out of frustration.

So what organization are you operating in? Is it Administration Biased or is it Monitoring Biased? Answer this question and then affirm your answer by looking at the projects and initiatives that management has put a focus on. Take a moment, and look at and try to identify the pains that they say will be addressed by these initiatives, and then ask yourself “Does the organization really see these pains or not?” If you answer “no” then you may have found a project that is likely doomed to failure because the organization will not embrace or internalize it.

Now let’s move on and discuss what to do once you can say “…I have concluded that my organization is ‘Administration’ biased and we’ve had discussions around all of the project areas you listed above”. This is where it gets good. I want you to first rank them in priority order as to how you think they should be accomplished. There can be no ties. Next to that ranking, I want you to do a second ranking that reflects in your mind where the element fits within the “obvious” pains of the organization and what its politics recognize. Then, next to that column, do a third column that ranks each initiative, based on your understanding of the level of difficulty, against the organization’s ability to execute. Remember that any operations team implementing an initiative is at the same time doing its “day job”. Few are the companies that have dedicated teams doing nothing else but a net new project, and if they do, BEWARE, because those groups often lose touch with the realities of the day-to-day, which jeopardizes the project’s effectiveness. Average the values of the three columns and that will give you an initial ranking of priority. If you have a tie, then break the ties with your gut feel at the moment. This will be a living document that you’ll update several times through the course of our discussions.

So now you have your list. If you have concluded that your organization is more “monitoring” centric, then still do the same exercise. It is by no means a foregone conclusion that these projects are not useful to the organization; it’s that you will likely have to position these types of IAM products within the context of how they improve monitoring and end-user efficiency. These are slightly different arguments, with efficiency being very subjective, and they will spark a lot of discussion as we move through this process.

I look forward to your comments, and thank you for reading. Again, like last time, don’t forget to stay tuned for information from NetIQ about our upcoming webcast: "Control Access Rights: The Case for User Provisioning".


Posted Feb 01 2011, 10:24 AM by Michael Mychalczuk

Comments

All Things Admin wrote Identifying Thought Leaders in an IAM Project
on Mar 4, 2011 1:02 PM

I realize many of you noticed that I took a slight detour in this series and posted a blog the other
