In part 1 of Best practices: Identity management, experts Kelly Manthey and Peter Gyurko discuss development, education, strategies, case studies and more.
- Getting there: Development (0:28)
- Educating stakeholders (1:18)
- Developing a strategy (5:17)
- Getting there: Established (7:38)
- I&AM technology maturity (9:27)
- User provisioning case study (9:52)
About the experts:
Kelly Manthey is the Vice President of Consulting Services at Solstice Consulting, a Chicago-based technology management consulting firm that helps companies be more successful through business process optimization and custom software development.
Peter Gyurko is a Senior Consultant with Solstice Consulting. His areas of expertise include custom application development, agile adoption with scrum, and Identity and Access Management.
Read the full transcript from this video below:
Best practices: Identity management - Part 1
Kelly Manthey: So, let's talk about developing a little bit. At this point, when
you're in the developing stage, identity management has become a priority.
It's on the radar for your company. It's something strategically that
you're getting management buy-in to do. So, how do you get it there? How do
you get it to become a priority? We'll talk about that in another few
From a technology perspective, there's the low-hanging fruit aspect I like
to talk about, like password self-management, password synchronization.
These are technical quick wins, that there's simpler ways to start
implementing these things. Also automating employee on-boarding and off-
boarding so your new hire processes, your terminate processes, could be for
employees, could also be for consultants or other types of identity types
or people types that you have within your organization.
What about customers, external customers? Is there something simple that
you can do, whether it involves technology automation or not? Is there
something that you can do to make it easier to give them what they need
quicker and sooner?
So how do we get there? First and foremost, educate your stakeholders.
Again, broken record here, the people impacted by this the most and the
people that usually are ponying up the money for this when you need to
bring folks in to help you deliver this, are business people and senior
management folks that aren't focused on the ones and zeros but they're
focused on the bottom line. They're focused on, "How is this going to make
my life easier, what does this mean to me?"
Start education early. I purposely call this education and not
communication because communication often becomes an email blast or a
message on our company portal that says, "We're doing an identity
management initiative. These are the benefits." Think about personal face-to-face time and education program. How are you going to get the word out
to the right people, and what do you need to say, and how do you tailor
your message to those people?
When you think about the stakeholders, think about the business that they
run, think about the work that they do day to day, and how identity
management can make their life easier.
I had the great pleasure this week of attending the Technology Executives
Club of Chicago luncheon and there were several C-level executives from
AON, from Boeing, from Sara Lee, they were all there. They weren't all
technology, so CFOs, some CIO, marketing officers, and the theme was,
"Innovation in technology." The one thing that they were talking about from
their perspective is game changing IT, and I think it applies to IS as
well, because IS is technical, very technical.
The one thing that they were talking about was, in order to be a game
changer, you need to, from an IT and IS perspective, know how your company
makes money, know how the business that you're in makes money, know the
business, know how to speak the business language of your company. From a
technology perspective, not just the ones and zeroes and the problem
solving and, "Let me dig into debugging something," which is what we love
to do. That's why we chose this field, because we love to solve problems
technically. We love gadgets. I love my iPhone. Learn the language that
your business uses and speak to them in that language because that's what
they're going to understand.
When you're talking about... These are the four areas that we've used to
help sell this concept to business people, risk mitigation. Again, it's a
soft benefit, it's a good thing not to be on the PrivacyRights.org list.
It's a good thing not to show up there, and it's a very good thing to put a
control structure in place. What does that mean to business people when
you're talking about identity management?
Accountability, placing accountability where it belongs. Having the right
people certify access for the right people on an annual, quarterly, weekly,
whatever basis makes sense. That's what accountability means. That's what
IBM's going to help bring to the organization. Efficiency, faster. You're
going to be able to get your access set up faster and it's going to be
easier, it's going to be less technical. Done. What business person
wouldn't agree with that, especially if you're in a position where maybe
your access request process is a little bit more technical. The information
there is a little more techie speak.
Consistency. Doing things the same way all the time, which is, what
approvals are required? Have a very consistent processes for the way that
access is set up, for the way that certification is set up, for the way
that provisioning is done. These things become repeatable and as they
become repeatable and as they're done over and over again, they become
faster. Things can get done a lot faster, and they're easier to transition
as you're bringing in new hires to your organization and your IS
Departments and IT Departments that are facilitating all of the setup of
access. Repeatability means that it's easier to cross train people on what
needs to be done.
Developing a strategy, just really quickly here. Again, we talked about
building your business case, so do it in business terms. It's great to have
the strategy for how we're going to implement this, the technical benefits
for doing this, evolving as an information security group, best of breed,
but speak to what is the business case internally for why this is so
important. Will it impact your bottom line in any way? How can you sell
that? How can you talk about that?
Getting leadership on board. Having your steering committee in place,
that's a cross section of areas across the organization, not just the IT or
IS organization, because you want the steering committee to actually work
for you. You want them to start selling the messages down through their
organizations about what's going on. Key decisions that they're helping to
make and the impact that it's going to have on their organizations.
The more people that you have on board early, the more people that you can
have help spread the message about what you're doing, which all means the
easier it will be for people to adopt these things. Then the phased
approach with quick visible wins. So again, this is where you have to look
at what makes sense for your organization. What is
that low-hanging fruit that you can start rolling out in an incremental
basis? Whether it's a technology enhancement, whether it's a process
What is it so that you can start showing progress and keeping the momentum
going? Because these projects are multiple phases, multiple years and
they're not free. They cost money, so you want to start showing progress so
that people see what they're getting, and they start seeing the benefits
early and stay engaged.
Our one cautionary note here again, is don't sacrifice buying the latest
and greatest technology for process. Know what your business processes are
that your technology purchases are going to support. It's great to have the
best-of-breed and the latest and the greatest, but if it doesn't map to how
your business operates, from an identity management perspective and the
rules that are very specific to your business, then is it the right choice
for you? Just a cautionary note to make sure that you keep process in the
forefront of your mind. Peter?
Peter Gyurko: As Kelly had mentioned, you've made IdM a priority, you've developed
a strategy and you have some quick wins, so how do you get to be
established? The model says that you need standard and repeatable processes
or capabilities that are also simplified and automated. So what we're
looking at here is really implementing those processes you defined, like
your access requests and your access reviews.
I need to point out here that this is a very iterative process. There's no
checklist necessarily for identity management. You can’t buy a product,
implement some workloads and think you're done. It's very iterative and in
this established phase, you're going to be here for a long time or for quite
some time. The goal here is to improve your operational efficiency, reduce
your risk, all the while delivering key features and functionality to the
organization, and that's going to take some time.
From a technical perspective, you need to be driving towards centralized,
access request and access review systems. That single point of entry for
users to request access and for managers to test and review that access on
a periodic basis.
What you should also be looking to do is expand your automated user
provision capabilities to additional systems and platforms. There's one key
thing that I want to point out here on this slide, and it's very critical.
You need to make sure you have the appropriate levels of oversight and
escalation built into your processes. What happens if you build this great
new access request system but your managers, they're not approving these
requests in a timely manner?
Have you helped to improve the operational efficiency of your organization?
No. On the certification side, if those certifications or those access
reviews are not getting done, have you helped to reduce the risk to the
organization? Again, the answer's no. So, you need to make sure you have
those appropriate levels of oversight and escalation in all of your
processes so you're making sure you're getting the desired results.
This is a quick slide from Gartner showing various identity access
management technologies and the relative maturity in the marketplace. As
you can see, user provisioning is a mature mainstream category, or you may
not be able to see it, but what we talked about is you can't just buy a
mature product and think you're going to have a mature program. Companies
are continually evolving their programs utilizing this technology.
Let's take a look at an example. This is a Solstice case study. It is a
real and proven example of how a Fortune 500 financial institution evolved
their program from green screen and pen and paper to one utilizing Web
technologies and leveraging automation. Their strategy consisted of the
need to address several immediate tactical issues. Number one, they already
had an access request system that was on a Legacy based platform that was
very difficult to use, very difficult for their newer generation of
employees to understand and was on a platform that was being sunset. So,
they needed a replacement solution.
No. 2, their approval processes throughout their identity life cycle
was very inconsistent, and their oversight in their certification process
just wasn't there, as we've talked about, which is really needed, which we
just talked about. Three, I think this is something that many organizations
face or have faced, is that the time it took to onboard a new employee or
contractor, get them the physical access they needed, a badge, a PC, phone,
etc., and the logical access to systems to do their jobs took entirely too
long. In this example, it was nearly two weeks to complete all of that.
Finally, they had a very paper-based certification process. By this I mean,
on a yearly basis a manager received a report basically with all of the
access for their direct reports. Sometimes, this arrived in an envelope,
sometimes in a box, depending on how many people they had reporting to
them. It was the manager's responsibility to mark up that report in pen and
send it back to a central administration group for processing. This is a
very costly error-prone and time consuming process. More often than not,
the managers were not completing their certifications on time or at all.
Obviously, posing a huge risk to the organization.
Their solution consisted of a multi-phased approach. Each phase delivered
key functionality for a specific user type. They tackled employees first,
then their contractor and contingent work force and finally their clients.
They also leveraged a user provisioning product to automate the creation
and termination of accounts, as well as to enforce and implement a standard
approval process across the identity life cycle. Finally, it replaced their
access request system and their access certification system with online,
simple to use interfaces that are users, managers and those key oversight
What were some of the results? No. 1, you're able to get rid of those
Legacy and paper-based access request and review systems and replace them
with Web applications. By replacing that Legacy access request system,
they're able to get substantial hard dollar cost savings to the
organization for getting rid of that platform.
No. 2 is they were able to implement standard and consistent approval
processes throughout their identity life cycle, making sure that the
appropriate levels of management were involved in every step of the way.
Three is that the time it took to bring on new employees and/or contractors
and give them that physical and logical access that they needed, they were
able to reduce that down from two weeks to less than a day. Obviously, a
huge cost savings if you're thinking about a high-priced contractor sitting
there idle not being able to do their job.
Finally, they're able to increase or improve their certification status by
reducing the amount of overdue certifications by 80%. This is a real
example of how a corporation evolved their program, not just because of
technology that they implemented, but because they had a strategy that was
well thought out, that they included the appropriate stakeholders along the
way, and they addressed those three main components -- people, process and
technology -- throughout the life cycle.