Friday, June 5, 2009

Identity Management: How to Get Started

We are in a constant state of change. Mergers and acquisitions, re-orgs, new hires, and terminations are creating a lot of change to keep track of. This is creating new opportunities for information security threats. It's difficult to control all the pieces. To further add to the complexity, the workforce is changing. Workers expect remote capabilities, are collaborating in virtual teams, and teams are made up of internal employees, external contract/temporary workers and strategic business partners. Physical walls don't exist anymore making it even more difficult to control things. Identity Management (IdM) solutions can help companies manage change and control the chaos.

In the simplest terms, Identity Management is the process by which user access is assigned to technology assets (hardware, software, services, files, collections of data etc..). This process can be done manually, automated, or some combination of both.

In environments where the people and technology assets are constantly changing it’s important to have the right controls in place for ensuring that the right people have access to the right information at the right time. So... are you ready to get started? Here are some guidelines to get the ball rolling:

Develop a Business Process Driven Solution
Good Identity Management solutions are business process driven, not IT driven. Meaning, the processes for creating and maintaining identities should align with the on-boarding and off-boarding processes already in place. Or the way you want the processes to work. It should also support the full scope of "people" within your organization i.e. employees, temporary workers, customers, business partners. Different types may require different processes. A well thought through IdM process considers how the following will be executed:

1. Identity creation and maintenance – the creation and assignment of an identity entity to an actual person.
2. Access Request – the information required to determine the access to grant an identity
3. Approvals –those required to approve requests for access to information
4. Provisioning – the actual granting of access to the identity
5. Certification - the periodic review and validation of access granted to an identity

Identify Your Data Sources
The only way to protect the information is to know where the information resides. Identify the critical information, determine ownership, and begin the process of cleaning the data. Start with the highest risk areas first to manage scope. It’s easier said than done but it’s a critical first step.

Secure the Right Support
Identity Management has to be a strategic priority to be successful. It’s going to require funding, at some point, and people’s time – outside their normal day-to-day responsibilities - to make IdM successful. You can’t get buy-in for something that’s not well understood. Educate people on what IdM is and speak in terms that are meaningful to them. How will this make their job easier? How will it make them get from point A to B faster? Don’t expect people to make the leap on their own to connect all the dots. Make sure executives and management understand the benefits and what’s involved. Give them the information they need to evangelize the solution.

Create an Oversight Function
IdM is not something that get's implemented and hums on it's own. Like most processes it takes care and feeding. It takes someone focusing on the big picture and periodically assessing how well all of subprocesses are working together and when changes are needed. This function maintains the requirements of the IdM solution and see that the solution evolves with the needs of the business.

Develop an Onboarding Process
Consider how you handle bringing new access permissions and applications into the process on an on-going basis. Define the work required to on-board a new application and the resources required to make it happen.

Evaluate Automation Tools
Based on the needs of your organization, consider the technologies that exisit to automate the access request process and automate the provisioning of access. Or is a custom built solution more fitting? More to come in a future blog on the IdM vendor landscape, how to pick the right tool, and determining buy vs. build.

Identity Management is a growing space that has become even more important in today's regulatory environment. Review these guidelines with your organization in mind. Take what seems appropriate and adapt it to your situation.

Tuesday, June 2, 2009

Win an iPod Touch!

Win an iPod Touch!!! Solstice Consulting is conducting a social media experiment and we want your participation. Our goal is to get 500 fans added to the Solstice Consulting Facebook fan page in the next 5 days. What's the hook?? Besides staying in the loop on all the latest and greatest Solstice news and being part of an elite fan club, all those that become a fan are eligible to win one of 3 iPod Touches! The winners will be announced on the Solstice Facebook Fan page on Monday June 8th. Click here to become a fan of Solstice Consulting:

Evolving Your Identity Management Program

Not able to attend my presentation at Financial Information Security Decisions on June 9th in NYC? Check out what I'll be talking about: