ISAG PART 1: Can’t find an Identity and Access Management Cookbook? Check out this Recipe!
We will be posting excerpts from select Identity Strategy and Advisory Group (ISAG) briefings. Part 1 below is transcribed from a recent briefing that took place via conference call, which is why it takes a conversational tone.
Do it again
Andrew Ames, Vice President of Identity and Access Managment (IAM) Business Development
What does readiness of identity data, strategy and organization mean to an overall RAPID value approach?
Though we look at this from a readiness prospective, it’s really part of three different categories. It is a very relevant topic around data, which is the ability to not just focus on technology but readiness within the organization from a data standpoint. We’ve talked on seminars about how it really is an assessment of the data. No project is going to be successful without that recipe of the cookbook. All the projects that were discussed took that path.
No. 2 from the readiness prospective is setting the strategy, and this came from a pharmaceutical company that has multiple initiatives. So, the ability to set a strategy to enable the organization across the different business units is imperative. Establishing a strategy with the organization that is modular in approach is imperative as well. We need to set with the business the step-by-step prospective so that everybody is on the same page.
The third bucket that I would talk to you about from the readiness prospective is really around the organization. We’ve talked about people processing data and the initial point -- the last point is that there is really change in the organization. The ability for the organization to understand what they are doing. Certainly steering committees or governance committees are talked about to make sure there is oversight in this. The business stakeholders need to understand why we are doing this, and whether it is efficiency, regulatory compliance, user satisfaction or cost avoidance.
From an organizational change management, the buy in as well as the ongoing communication is key. So those three buckets are key.
Stoddard Manikin, CISM, CISSP, Regional Director-Southeast
How do you build on what Andrew has accomplished in step 1’s Readiness activity taking it to the next level during step 2’s Attestation activity?
Access attestation can also be referred to as periodic access reviews or recertifications, which are typically driven by compliance requirements aside from generally good security policy. Essentially you can leverage the data that was reviewed that was a part of the ready process that Andrew discussed.
Look through your data and you will have output from that assessment that tells you what accounts are actually attributed to individual users, where you have accounts that are orphaned or shared, and which accounts don’t have managers or supervisors to support them. What this does is allows you to do a cleanup of access. Doing a cleanup of existing access will take care of all of the various entitlements that have been accumulated over the lifetime of the employee and the relationship with the organization. This is really essential before you move on to the next stage because you want to have data that is as clean as possible.
You can also capture the account’s entitlements from your target application based on the information during the ready step where you analyze an application list. You can take that and go out and connect to those applications or gather extracts from those applications, pull those account’s entitlements into a central entitlements repository, and then execute your recertification campaign with managers and supervisors using a tool or using the old email and spread sheet method.
The managers and supervisors will have to know how to do the recertification, but really this shouldn’t take more than a few weeks. This allows you to get back which access is appropriate, and which access needs to be cleaned up, which is generally called remediation. You really want to remediate the results within the target application so you’ll be set up for the next step - Protection.
Buck Bell, Vice President, Identity Management Practice
Now that Attestation is complete, what are you doing with the Protection of assets?
One of the interesting of the protect assets stage of the rapid process is that this is an opportunity where they can begin introducing some formal concept of roles into the organization where there might not have been before. It’s a fair question to say, "If I’m going to vet entitlements that users own, against what standard am I going to vet them?"
You can approach that on an atomic level where you evaluate users on a one-by-one basis, but as you begin the cleanup process you have an opportunity to introduce the business roles context. Initially, that may be very high level to the employee contractor type of stuff, but you may begin to drill down to departmental type of level as well. This ends up being an enabler to the protect assets phase in the sense that now you are beginning to enable more than just the manager community to be a part of the work flow processes associated with access request. In this phase, you are really looking to extend the audit benefits that you set in the prior phase.
So you are allowing some users in the community to use the identity management tools themselves to make requests for access to certain assets. During this phase you are pushing it out a little more and making it more business friendly. And again, one way to do that is through a role context. You may allow more people to make more atomic requests for specific applications or assets. This does begin to empower more of the nontechnical user community to be able to use the systems that are in place.
Now typically in this phase you are introducing some of the identity management software components. And, as a consequence of that, you are going to begin reaching out a touching some of the systems internally. But, what we have found in these phases is you are well-served to really take advantage of what ends up being called a simulated or a manual provisioning approach for many systems. You may have core systems like an active directory that are well understand, and you may want to do some electronic integration at that point, but that's the best way to get the greatest value out of the work you have done.
In many cases you are more interested in having more consistent work flow processes than you are trying to work through the nuts and bolts of electronic integration for each of these applications. So again, you’ll insert a larger number of users in the process and allow them to make requests for access to resource and assets. Those will go through work flow approval process and at the end of the work flow process you’ll see that application custodians are still manually adding the accounts and then going back and attesting that they have done so to close the audit loop. Again, this is a way of getting a higher number of applications into the context of the identity system to realize quick value of the solution in a shorter amount of time.
Another aspect of this is, this may be a time to begin to introduce and authoritative linkage between a force like an HR system and the newly formed global identity that you’ve created for a user. So in order to do this, you have to set up the identity system and start pulling data in from the prior step to create a clean view of that user from the get-go so that you are not just replicating the orphan status that you’ve seen from the past. This protect-assets phase is really the one that begins to have a lot greater of visibility in the organization.
Brent Starnes, Regional Director - South/Central
How do you extend what Buck accomplished during the Protect phase to provide deeper electronic empowerment and lower administrative effort?
So you’ve been working on this for a few months and have a pretty good idea what your data looks like. If you have this job code, you know you should have these different access roles in our target system. So at this point we need to go ahead and set up electronic provisioning connectors into some limited systems so you can start creating and managing accounts in the system.
We are focusing on electronic provisioning, so what we want to do is keep this limited to small chunks and phases in 3 months or less. In order to keep this limited to 3 months, you have to decide which 3 applications are the priority. To do this, you do applications that are common... that everyone has done. We will also - depending on the business - do a point of sale system, or maybe an employee portal or something that is straight forward and still has high impact to the business. This will be something that administrators dedicate a lot of time creating or maintaining accounts so it has high value, but nothing that has a real complex back end where we have to write a custom connector. Occasionally we’ll see folks use Rack up into phase one but that’s fairly rare because rack up is a little bit complicated.
The last thing I want to talk about are the use cases. When you talk about provisioning there are about 21 different use cases that you can use, so you want to limit the use cases that you tackle in the first phase or you are never going to get it done in the 3 months. Typically the use cases that you 'll want to do are to manage the creation of employee accounts and the directory in the two other applications. We will usually not just create the account; there is work flow involved where you send notification to managers. You will also want to create some basic birthright roles maybe based on job code.
Determination is more important than that. Contractor management is normally done in this phase as well. Some companies will have contractor management system in place which will be one of the 3 apps that we tie into, but those who don’t will typically use the identity management system as the authoritative source for contractors. This involves standing up forms within the idea system that can be used to create contractors and terminate contractors extend their access and things of that nature.
We usually do some service account management in this first phase as well. It’s important that you differentiate your actual user objects from service accounts. Sometimes in the first phase we will also do automatic updates of user information. Simple things like attributes, phone numbers and addresses will go ahead and automatically push those through the end system. Things like last name changes you want to avoid pushing through the end phases because things are a little bit more complex. Department transfers are things you want to avoid in this first phase as well because it can be pretty complicated. Usually when someone transfers departments they need to keep access to what they already have for 30 days, and need to have access to additional things for 30 days, so defining all that and managing all that is a bit trickier and we typically push the use case off to another phase.
Employee to contractor conversions and rehires are along the same lines, and are very difficult to recode and maintain. And, any kind of advanced birthright provisioning, such as really detailed groups or entitlements of applications, usually takes a little more detail and time to define all the access that everyone needs we usually do that in later phases.
Phillip Lentz, Chief Technology Officer
What does D stand for in R.A.P.I.D.?
D stands for "DO IT AGAIN." "Do it again" means you have seen how to do the major use cases that makeup the identity management program in the previous four steps. So now you have more knowledge to do this. Our goal here is to empower you to "DO IT AGAIN." Repeat step A, the attestation where now you might bring additional compliance related application in to the "A" step of RAPID, and then you - the customer - takes more ownership of the protectingtion, step 3, and then integrations of more connectors, step 4.
So, do it again... reset... and go back to step 2, the attestation. You now have more ownership. We then become more of a source for guidance, assistance and issue management for you. It’s more cost effective for you to hire full time resources that we can teach, train and empower. Now we are simply assisting and you are leading, whereas in the first integration we were leading with your assistance. So DO IT AGAIN is key, and it lowers your costs.
The goal here in the DO IT AGAIN step is to determine your deliverables. Number one, it’s time to have incremental releases that are scheduled throughout the year, it’s as though you are a product development shop. Identity management needs to be treated that way. What this means is that in the "D" (Do it again) step, you need to schedule releases where you might have 2.1, 2.2, 2.3 and 2.4 each year where you have perhaps 4 minor releases and 1 major release.
Tis approach is key to keep things going. You have the knowledge. The user communities have been maturing. They understand how the product works; they have been trained through communication plans. You can add more functionality. They will demand more functionality. The more they see, the more they will want. They will like what you have done and they will ask why you haven’t done more. The reason why you haven’t done more is simply because if you did too much, your project would’ve more than likely failed. So with thatbeing said, do it again, start it over and continue to have four releases throughout the year.
If you are familiar to the Agile Approach to software development, you would see there are correlations to that. It’s all about low-risk, incremental successes building upon the momentum that was establish from the infrastructure, and maturity that was established as a relation to performance. Really, the change of the organization maturity that was established was due to slowly allowing the end user community to digest more and more usability and the user inter-phase type.