Identity Audit and Governance Reporting & Compliance

Compliance and Identity Risk Management – What comes first, Compliance or Provisioning?

We're asked this question a lot – what do I do first? Do I implement User Provisioning and connect to as many systems as possible? Do I implement one of the newer tools for compliance reporting and risk management? Can I do them both at the same time?

Our answer is simple: IT DEPENDS! It depends upon what the real business drivers are. Our perspective is and has always been that business needs drive technology implementations – not trends, not auditors, not technology for technology's sake.

The real and early benefit of a user provisioning implementation is the SUSTAINABLE, MANAGEABLE automation of what is often an existing and complicated set of processes. This yields higher degrees of efficiency and cost savings, reduces time to productivity of new staff and thereby increases productivity, and reduces the likelihood of an information breach by ensuring that access to applications is granted only through controlled provisioning.

In the compliance world, there’s a different spin. Vendors such as Aveksa, Sailpoint, Oracle, Novell, Sun and others are offering faster, easier ways to collect and then analyze data about users and privileges in applications that are tagged as "compliance-significant". These products do not manage the full lifecycle of user accounts on the target applications/databases/assets; they collect and process the data about those accounts so that managers can understand and interpret data relevant to attestation, recertification and other compliance activities. There’s actually no reason why this can't be addressed in parallel with your provisioning implementation – there are typically different stakeholders and different applications in play.
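To make the "collect and process, without managing the lifecycle" distinction concrete, here is an added example (not code from the original page and not from any of the vendors named above) of the core of a recertification run: account and entitlement extracts pulled from two compliance-significant applications are joined against the HR system of record, grouped by the manager who has to attest to them, and any account that no active person owns is separated out as an orphan for follow-up. All of the HR records, application names, account ids and entitlement names are constructed sample data.

```python
from collections import defaultdict

# Constructed HR system-of-record extract: user id -> attributes.
# Terminated staff are kept with status "terminated" so their accounts show up as orphans.
HR_RECORDS = {
    "u100": {"name": "Ana Lopez", "manager": "m1", "status": "active"},
    "u101": {"name": "Ben Ito", "manager": "m1", "status": "active"},
    "u102": {"name": "Cara Diaz", "manager": "m2", "status": "terminated"},
}

# Constructed account/entitlement extracts collected from two applications.
# Each row: (application, account id, owning HR user id or None, entitlement).
APP_EXTRACTS = [
    ("GL-Ledger", "alopez", "u100", "AP_Clerk"),
    ("GL-Ledger", "bito", "u101", "AP_Approver"),
    ("GL-Ledger", "svc_batch", None, "GL_Admin"),   # no HR owner at all
    ("GL-Ledger", "cdiaz", "u102", "AP_Clerk"),      # owner has left the company
    ("CRM", "ana.lopez", "u100", "Sales_Read"),
    ("CRM", "ben.ito", "u101", "Sales_Admin"),
]


def build_attestation_campaign(hr, extracts):
    """Group each collected entitlement under the manager who must certify it.

    Returns (campaign, orphans): campaign maps manager id -> list of review items,
    orphans lists accounts with no active owner in HR, each with a reason.
    Nothing here touches the target applications; it only interprets their data.
    """
    campaign = defaultdict(list)
    orphans = []
    for app, account, owner, entitlement in extracts:
        person = hr.get(owner) if owner else None
        if person is None or person["status"] != "active":
            orphans.append({
                "application": app,
                "account": account,
                "entitlement": entitlement,
                "reason": "no owner in HR" if person is None else "owner terminated",
            })
            continue
        campaign[person["manager"]].append({
            "application": app,
            "account": account,
            "user": person["name"],
            "entitlement": entitlement,
        })
    return dict(campaign), orphans


def review_lines(campaign, manager):
    """Render one manager's review list as plain text lines, one per entitlement."""
    return [
        f"{item['user']}: {item['entitlement']} on {item['application']} (account {item['account']})"
        for item in campaign.get(manager, [])
    ]


if __name__ == "__main__":
    campaign, orphans = build_attestation_campaign(HR_RECORDS, APP_EXTRACTS)
    for manager in campaign:
        print(f"Review items for manager {manager}:")
        for line in review_lines(campaign, manager):
            print("  " + line)
    print("Orphan accounts needing follow-up:")
    for o in orphans:
        print(f"  {o['application']}/{o['account']} ({o['entitlement']}): {o['reason']}")
```

The orphan list is the part a risk team usually looks at first: a service account with no named owner and a leaver whose ledger access survived termination are exactly the findings an attestation tool surfaces without itself changing anything in the ledger.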

So, if the primary business driver is to understand how to efficiently and accurately interpret data about users in regulatory-significant applications, then this family of products should be a primary consideration. If the driver is really to improve efficiencies relating to onboarding and offboarding users, and to ensure that the more general entry points into your infrastructure are opened and closed correctly, then a provisioning implementation comes first. A primary goal of reducing help desk costs around password management or account requests might also drive you down the provisioning trail.

The net net is this: both provide real business value. In the User Provisioning world, you're managing the lifecycle of user accounts, and you’re impacting applications and automating processes. In the Compliance Reporting/Risk Management arena, you're facilitating a "reach" to more applications, without changing them, and enabling easier, more accurate execution of compliance tasks (recertification, attestation, management).

Role Management

A role management tool is often a component of an Identity Management environment today. Role Management is not a cure-all, but rather a useful tool in streamlining the identity management process.

Interestingly, the role management tools in the market today are offered both by Identity Management product companies and by Identity Governance companies. The challenge in implementing roles often lies in a sound business understanding of how roles will be used, and how deep an organization needs to go in order to make them useful. The good news is that tools are readily available today, and can be implemented to ease the role mining, role engineering and role definition workloads.

The classic role project at Mycroft adheres to a "hybrid" philosophy of role engineering: the hybrid approach is a combination of "top down" and "bottom up" analysis. The "top down" view is achieved through business discussion and interaction with the organization’s business hierarchy. The "bottom up" analysis is best accomplished in an automated analysis of data sitting inside of systems of record. The tools are then used to align business needs and technology practices, such that proper roles can be defined, described, and leveraged across a community of systems. Roles must be understood not only by systems but also by business people who may have a requirement to authorize an individual or group to embody a particular role – hence, the need for a business level description of the role.
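As an added illustration of the hybrid approach described above (this is example code written for this page, not Mycroft's tooling or any vendor's product), the block below runs both halves on constructed data: the "bottom up" pass mines candidate roles from an entitlement matrix by finding entitlement combinations that a minimum number of users share (keeping only "closed" combinations, so a birthright entitlement held by everyone is not swallowed by the larger roles that contain it), and the "top down" pass checks each candidate against HR attributes to see whether the people holding it line up with a business unit, which is what makes the role describable to a business owner. The user ids, entitlement names and departments are all made up, and `min_users`, `max_size` and the 0.9 fit threshold are assumed tuning values.

```python
from collections import Counter
from itertools import combinations

# Constructed bottom-up input: entitlements observed per user across systems of record.
USER_ENTITLEMENTS = {
    "u1": {"GL:AP_Clerk", "CRM:Sales_Read", "VPN"},
    "u2": {"GL:AP_Clerk", "CRM:Sales_Read", "VPN"},
    "u3": {"GL:AP_Clerk", "CRM:Sales_Read", "VPN", "GL:AP_Approver"},
    "u4": {"CRM:Sales_Admin", "VPN"},
    "u5": {"CRM:Sales_Admin", "VPN"},
    "u6": {"VPN"},
}

# Constructed top-down input: business attributes from the HR hierarchy.
HR_ATTRIBUTES = {
    "u1": {"dept": "Finance", "title": "AP Clerk"},
    "u2": {"dept": "Finance", "title": "AP Clerk"},
    "u3": {"dept": "Finance", "title": "AP Supervisor"},
    "u4": {"dept": "Sales", "title": "Sales Ops"},
    "u5": {"dept": "Sales", "title": "Sales Ops"},
    "u6": {"dept": "HR", "title": "Recruiter"},
}


def mine_candidate_roles(user_ents, min_users=2, max_size=3):
    """Bottom-up pass: entitlement combinations held by at least min_users users.

    Returns {frozenset(entitlements): number_of_users}. Only closed combinations
    are kept: a combination is dropped when some strict superset is held by
    exactly the same number of users, since the superset is the better candidate.
    """
    support = Counter()
    for ents in user_ents.values():
        for size in range(1, max_size + 1):
            for combo in combinations(sorted(ents), size):
                support[frozenset(combo)] += 1
    frequent = {c: n for c, n in support.items() if n >= min_users}
    return {
        combo: n
        for combo, n in frequent.items()
        if not any(combo < other and m == n for other, m in frequent.items())
    }


def align_with_business(candidates, user_ents, hr, attribute="dept", fit_threshold=0.9):
    """Top-down pass: label each candidate with the business attribute its holders share.

    "fit" is the share of holders that carry the dominant attribute value; a role
    held by every user is tagged as birthright, a role whose holders mostly sit in
    one unit is tagged aligned, and anything else is flagged for business review.
    """
    results = []
    for combo, support in candidates.items():
        holders = [u for u, ents in user_ents.items() if combo <= ents]
        label, count = Counter(hr[u][attribute] for u in holders).most_common(1)[0]
        fit = count / len(holders)
        if len(holders) == len(user_ents):
            kind = "birthright"
        elif fit >= fit_threshold:
            kind = "aligned"
        else:
            kind = "review"
        results.append({
            "entitlements": sorted(combo),
            "users": support,
            "business_label": label,
            "fit": fit,
            "kind": kind,
        })
    return sorted(results, key=lambda r: -r["users"])


if __name__ == "__main__":
    candidates = mine_candidate_roles(USER_ENTITLEMENTS)
    for role in align_with_business(candidates, USER_ENTITLEMENTS, HR_ATTRIBUTES):
        print(f"{role['kind']:10} {role['business_label']:8} users={role['users']} "
              f"fit={role['fit']:.2f} {role['entitlements']}")
```

On this data the mining pass yields three closed candidates: VPN held by everyone (a birthright role), the AP clerk bundle held by the three Finance users, and the Sales admin bundle held by the two Sales users. The approver entitlement held by one supervisor never reaches `min_users` and stays an individual exception, which is the sort of detail the text warns can consume analysis time out of proportion to its value.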

In Mycroft's experience, high-level identity management infrastructures can be implemented with a rather coarse-grained set of roles. In fact, many first generation systems are implemented with a limited set of roles for purposes of scoping the information presented in the system. As authorization services and compliance services become higher priorities in an organization, the granularity of roles needs to increase.

The most successful role projects are those that are tied to a clear set of end goals. The risk in role projects is that extensive mining and analysis can go on indefinitely, yielding very detailed data that has little practical value. Role projects can provide an annuity to analysts, but need to be anchored in business goals if they are to be deemed a success.

We work with our clients to understand the requirements and benefits of role management. This includes business analysis of efficiencies and resulting cost eliminations, improvement in business processes and growth enablement, and effects on business and regulatory compliance.

Would you like to learn more? Contact Us!