What is identity management?Date: Dec 27, 2010
Experts Kelly Manthey and Peter Gyurko explain the role of identity management, how to manage it
and how your enterprise can benefit from it.
- Organization Impact: A constant state of change (0:57)
- Identity management solution helps manage change (2:47)
- Three aspects to help manage change (3:58)
- Selling the benefits in dollars (6:02)
About the experts:
Kelly Manthey is the Vice President of Consulting Services at Solstice Consulting, a Chicago-based technology management consulting firm that helps companies be more successful through business process optimization and custom software development.
Peter Gyurko is a Senior Consultant with Solstice Consulting. His areas of expertise include custom application development, agile adoption with scrum, and Identity and Access Management.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
What is identity management?
Kelly Manthey: At today's presentation, our goal is really to
help you leave
with a couple of nuggets that you can take back to your organization and
start brainstorming. Start talking about how can we start doing these
things. So we are going to go through a couple of case studies, some actual
client case studies. Give you some information about what other companies
are doing. How they've structured projects. Challenges that they've faced.
Then we're going to, as I mentioned, go through an identity management
maturity model. So that you can kind of baseline where you're at and look
at different ways that you can evolve. So today's environment. Frankly, I
don't think I have to tell anyone this, but things are a little bit
turbulent right now. I'm sure a lot of these look familiar. If there's
anyone not being touched by any one of these, please raise your hand so we
can talk about it, a little bit more. All of those external environmental
factors really cause a lot of change within our organizations. Any of you
in the banking industry, you'll know that it is kind of notorious for
merging. A lot of mergers and acquisitions happening, and the fallout from
that is really a lot of enterprise reorgs are happening constantly. People
are changing job functions.
Along with job function change comes system access needs changes. So the
need to pretty rapidly provision and de provision access that people need to
do their job. And you want to do that in a quick manner so that people can
get back to business. Get back to servicing your clients. Security
breaches, I know Dave DeWalt gave a great presentation this morning on
what's happening, what the breaches are that are out there. I don't know if
any of you are familiar with the website privacyrights.org, but it's
frightening. This website basically chronicles since 2005, a whole laundry
list of security breaches all the way from I lost my laptop, which by the
way I've done at Newark Airport, and didn't have my laptop for a week and
was freaked out about it. But, internal threats, outsider threats, it's
really scary out there. And then again, those of you in regulated
industries. You've got regulatory bodies constantly throwing down new
requirements and internally its how are you going to adopt those
requirements? What's your risk tolerance inside for how you address those
concerns? So Peter, tell us a little bit about identity management and how
it helps address this.
Peter Gyurko: So what is identity management? Well, it's different to different
people. So I think a different question to be asked is, what does identity
management mean to you? Let me just see a quick show of hands here. How
many of you would consider yourselves to be technologists? OK, a few.
Alright, how many of you are in audit, compliance and risk? OK, thank you.
How many of you would consider yourselves to be end users of identity
management? OK. Based on your perspective the answer is going to be
slightly different. If you ask the audit, risk and compliance folks, you're
going to hear things like approval processes and audited events and access
station certification. If you ask the techies, they're going to say things
like user provisioning and automation. And if you ask the end users, well
number one, they might not know what you're talking about. Or two, they
might say, "well it's where I go and manage my accounts, or change my
passwords, or to request access to new systems." The thing is, identity
management is all of those things. From the initial request for access
through the audited approval processes, on to provisioning of accounts and
access and ultimately the review of that access. Identity management
programs and systems need to incorporate all of these things to be
So now that you know a little bit about what identity management is, what
do you do? Well, pretty much you go out, you buy an identity management
product, you install it and you're done. Right? No, of course not. You
can't have a successful identity management program without addressing
three critical aspects. People, process and technology. Identity management
programs and solutions are not just technical ones. You can't just take a
piece of technology, slap it in and think it's going to work for your
business. Solutions require the input and involvement by many areas of the
organization. From your audit, compliance and risk folks, to your
technology implementers and your end users. Your end users, they want to be
able to do their jobs by getting access to the systems they need, when they
need it. Your managers who are reviewing access, well they need to
understand the data they're looking at so that they're making correct
decisions about that access. Your auditors, well they want to see those
traceable events so that they can make sure that your organization is in
compliance. The goal of process is to build standardized and consistent
ways to grant and revoke access. Once you define these standard processes,
it's then that you can leverage technology to implement, enforce and
automate those processes so all three aspects, people, process and
technology are required to have a cohesive solution.
Kelly Manthey: So let's talk about, how you can talk about the benefits
within your company. This is kind of one of those things where if you're
going to write something down or take notes, this is something that you may
be able to use. This might be a nugget for you. And by the way, we've got
the presentations for everyone, so you don't have to take too good of
notes but telling the benefits of IBM in dollars. That's something that
we're asked all the time to help our clients with is from an information
security and from an IT perspective, the technologists get it. We
understand why this is so important. It seems obvious to us but when you
need to explain it to folks that frankly don't care about Tran codes and
don't care about granular entitlements. They just want to get the access
that they need. They don't want to think about this. It's a bit of a
nuisance to them. They're focused on serving your customers. You're
business is customers and generating revenue for the business.
So in order to speak to what the benefits are you need to kind of break it
down into dollars for people. There's a couple of different ways that you
can do this. One way is talking about efficiency. So if you look at, I know
Sarah mentioned this morning in her keynote presentation, she mentioned
getting to the billable loaded rate of your internal employees. There's a
time associated with coming up with manually producing compliance reports
and audit reports. There's time that you need to spend to come up with your
response to audit violations, to security violations, separation of duties
violations. It takes a lot of time to submit access requests when you have
a very ad hoc and disparate process for doing so, or if it's very manual.
You can start to show efficiency dollars if you start tracking how much
time do our current processes take? How much time does it currently take to
do the things that we do now, related to granting those within the business
access to what they need access to? You can start showing real dollar
figures there. And I have a couple. I'm going to read it for you because I
want to make sure that I get it correct.
Working with a client right now in the financial services sector that's
actually been able to do this quite well so they’ve been able to estimate, for
example, how long it used to take to submit an access request in the old
world. So the old world was a combination of an outdated legacy system and
manual processes for provisioning and so the time that would take business
users to go through the legacy system to figure out what's the access that
I need. Read through the very technical jargon to understand what the
access is that I need. Figure out what so and so has, because I need my
access to be just like that. So the time it takes for non-technical people
to do that, translate that into what it takes now using a newer, more
updated system and business process. They are able to realize a savings of
27,000 people hours. In just the access request process and provisioning.
So by implementing some automated provisioning, taking away some of that
manual work, they were able to save 27,000 hours. You can take those
numbers, add loaded business rates to that and you can come up with some
real numbers for your finance committees when you're asking for funding to
do these projects.
Another example is around certifications. This particular
client was also
looking to streamline the way that access is reviewed on an annual or
quarterly basis and again, by streamlining the process and making the
information more easily readable for those that need to do the
certifications, which are business people. It's not all IT and IS people.
We're a segment, but we're not the majority. So they were able to save
about 13,000 annual hours. And again, coming up with estimates for what did
it take today, and what is it taking tomorrow. To start driving at some
real numbers. Now, are they going to be bulletproof? Probably not but it's
probably going to be good enough to kind of get your point across in terms
of dollars and at the end of the day when the capital season rolls around and
when you're looking at what's our priorities for the next year to fund, these are
the numbers that you're going to have to come up with for your
finance committees and for senior management to say, this is the cost
savings that we're going to see.