Five Ways to Make Identity Management Work Best Across Hybrid Computing Environments

Dana Gardner, Principal Analyst at Interarbor Solutions, has an article out at IT-Director.com about how to make Identity and Access Management (IAM) work in hybrid computing environments, where SaaS, cloud, managed hosting, and on-premises systems coexist within a single IT framework. Gardner interviewed Darran Rolls, CTO of SailPoint Technologies, to tease out five principles for IAM in hybrid computing environments. The interview is lengthy, so rather than regurgitate it in a different form, I’ve boiled the five principles down and added some description based on the article.
1. Focus on People, not the Account
Here is Rolls’ take on this principle:
Identities are people, not accounts in an on-line system. And something we learned early in the evolution of IAM was that in order to gain control, you have to understand the relationships between people—identities, and their accounts, and between those accounts and the entitlements and data they give access to.
So this tenet really sits at the heart of the IAM value proposition—it’s all about understanding who has access to what, and what it really means to have that access. By focusing on the identity—and capturing all of the relationships it has to accounts, to systems, and to data—that helps map out the user security landscape and get a complete picture of how things are configured.
As Gardner later adds, this means having visibility into the people, and increasingly machines, that own the accounts requesting access. This naturally flows into principle 2.
2. Visibility is King, and Silos are Bad.
Rolls:
The first part is the idea that visibility is king, and this comes from the realization that you have to be able to capture, model, and visualize identity data before you have any chance of managing it. It’s like the old saying that you can’t manage what you can’t measure.
The second part is around the idea that silos of identity management can be really, really bad. A silo here is a standalone IAM application or what one might think of as a domain-specific IAM solution. These are things like an IDaaS offering that only does cloud apps or an Active Directory-only management solution, basically any IAM tool that creates a silo of process and data. This isolation goes against the idea of visibility and control that we just covered in the first tenet.
The main issue with silos can be boiled down further: “You can’t see the data if it’s hidden in a siloed system.”
3. Manage the complete lifecycles of both identities and every account an identity has access to.
Rolls frames the lifecycle in terms of Joiners, Movers and Leavers, or JMLs: people whose identities and accounts are created, changed, or retired as they join, change roles, or leave. It is at those transitions that the back doors and gaps that cause trouble tend to appear. According to Rolls:
As you might expect, when gaps appear in that JML lifecycle, really bad things start to happen. Users don’t get the system access they need to get their jobs done, the wrong people get access to the wrong data and critical things get left behind when people leave.
Add in temporary workers, and the need to be able to quickly and accurately grant and remove access becomes apparent.
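To make the first three principles concrete, here is a small reconciliation script I have added to this summary; it is not code from the article or from SailPoint. It pulls account records from two constructed sources (a directory and a SaaS app), maps them onto a single identity view (principles 1 and 2), and then flags the JML gaps Rolls describes: a leaver whose account is still enabled, an account nobody owns, a mover who kept entitlements from a previous role, and a joiner who never received access. All identities, accounts, role baselines and dates below are constructed sample data.

```python
"""Reconcile identities against accounts from several systems and flag
Joiner/Mover/Leaver (JML) gaps. Added illustration, not SailPoint code;
every record below is constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Identity:
    uid: str
    name: str
    role: str
    status: str                       # "active" or "terminated"
    start: date
    prior_role: Optional[str] = None  # set when the person is a mover


@dataclass(frozen=True)
class Account:
    system: str            # which silo it came from, e.g. "ad" or "crm-saas"
    login: str
    owner: Optional[str]   # identity uid, None when no owner could be linked
    enabled: bool
    entitlements: FrozenSet[str] = frozenset()


# Entitlements each role is expected to hold (constructed baseline).
ROLE_BASELINE = {
    "engineer": {"vpn", "git-push"},
    "sales": {"vpn", "crm-read", "crm-write"},
}


def build_identity_map(identities, accounts):
    """Principles 1 and 2: collapse all sources into one identity -> accounts view."""
    view = {i.uid: [] for i in identities}
    for acct in accounts:
        if acct.owner in view:
            view[acct.owner].append(acct)
    return view


def find_jml_gaps(identities, accounts, today):
    """Principle 3: return (finding, where, detail) tuples for lifecycle gaps."""
    view = build_identity_map(identities, accounts)
    known = {i.uid for i in identities}
    findings = []
    for acct in accounts:
        if acct.owner not in known:          # nobody in the identity feed owns it
            findings.append(("orphan", acct.system, acct.login))
    for ident in identities:
        owned = view[ident.uid]
        if ident.status == "terminated":     # leaver: anything still enabled is a gap
            for acct in owned:
                if acct.enabled:
                    findings.append(("leaver-active", acct.system, acct.login))
            continue
        if not owned and (today - ident.start).days >= 1:   # joiner still waiting
            findings.append(("joiner-no-access", ident.uid, ""))
        if ident.prior_role:                 # mover: compare held vs. role baseline
            held = set().union(*(a.entitlements for a in owned))
            for extra in sorted(held - ROLE_BASELINE[ident.role]):
                findings.append(("mover-excess", ident.uid, extra))
    return sorted(findings)


# Constructed HR feed and account exports.
TODAY = date(2024, 6, 1)
SAMPLE_IDENTITIES: List[Identity] = [
    Identity("u1", "alice", "engineer", "active", date(2024, 1, 10)),
    Identity("u2", "bob", "sales", "active", date(2024, 5, 29)),        # joiner
    Identity("u3", "carol", "sales", "terminated", date(2023, 3, 1)),   # leaver
    Identity("u4", "dave", "sales", "active", date(2022, 9, 5), prior_role="engineer"),
]
SAMPLE_ACCOUNTS: List[Account] = [
    Account("ad", "alice", "u1", True, frozenset({"vpn", "git-push"})),
    Account("ad", "carol", "u3", True, frozenset({"vpn"})),
    Account("crm-saas", "carol.s", "u3", False, frozenset({"crm-read"})),
    Account("ad", "dave", "u4", True, frozenset({"vpn", "git-push"})),
    Account("crm-saas", "dave", "u4", True, frozenset({"crm-read", "crm-write"})),
    Account("crm-saas", "svc-legacy", None, True, frozenset({"crm-write"})),
]


def run_sample():
    return find_jml_gaps(SAMPLE_IDENTITIES, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The point of the single `build_identity_map` view is that none of the four checks could be made from one silo alone: the orphaned SaaS account is only visible once the SaaS export is compared against the HR feed, and Dave's leftover `git-push` entitlement only shows up when his directory and SaaS accounts are summed against the baseline for his current role.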
4. Consistency for all users, devices, and access to applications.
Rolls:
Consistency here means that you get the same basic user experience, and I use the term user experience here very deliberately, and the same level of identity service, wherever you are. It has become very, very important, particularly as we have introduced a variety of incoming devices, that we keep our IAM services consistent.
Gardner adds, and Rolls agrees, that consistency has to be “implemented and enforced” from your back-end infrastructure and not on devices, because devices change too frequently. The back end should include your cloud and SaaS systems in addition to your on-premises systems.
5. The end-user experience is everything in IAM.
Users today expect seamless access. Additionally, they “also expect identity management services, like password management, access request, and provisioning to be integrated, intuitive, and easy to use,” according to Rolls. Self-service is one way to go about this, so long as the user interface and experience are “consistent, seamless, intuitive, and just easy to deal with.”
However you go about creating an excellent user experience, the end goal is user buy-in. Otherwise, users will “opt out” and find easier ways to do things that circumvent your security setup and leave you vulnerable.
Rolls’ company, SailPoint, is a leading provider of IAM solutions and is included in Solutions Review’s Solutions Directory as well as our Buyers Guide, which you can find here.
For Dana Gardner’s piece and his full interview with Darran Rolls at IT-Director.com, click here.