IDM: Reality Sets In

By David Mortman

As I have mentioned in previous posts, although in principle IDM isn’t that complicated, real world practicalities make it fairly challenging. To quote myself:

Businesses can have hundreds if not thousands of applications (GM purportedly had over 15,000 apps at one point) and each application itself can have hundreds or thousands of roles within it. Combine this with multiple methods of authentication and authorization, and you have a major problem on your hands which makes digging into the morass challenging to say the least.

I was chatting with Rich the other day, and he reminded me that there were several issues that I hadn’t brought up yet. By way of example, he sent me the following list:

  • Most organizations of even moderate size have already lost control of identities.
  • The challenge is to regain control, while instituting the processes you describe.
  • The average large enterprise has 1 custom application for every 100 employees
  • A surprising number of enterprise applications have more roles than users (especially ERP systems, as admins “cheat” and create new roles for different tasks of a user to deal with application restrictions).
  • Due to compliance, for in-scope applications you often need a full user/role analysis… 2 years ago.
  • Because of these factors, the IDM market is massive and has been one of the fastest growing in the security industry for years (I think it’s tapering off now, but it really isn’t my area so I could be wrong).
  • The IDM market itself is complex, with multiyear implementations, and customer satisfaction is often low until the pain of implementation is complete.
  • There are still a lot of issues integrating any kind of IDM into many custom applications.

As if that weren’t enough to make you want to go do something easier, the problem gets even worse when you realize that while compliance forces organizations to evaluate annually whether people should still have the roles they do, there is little to no compliance required around regularly adjusting the roles themselves within applications. As a result, the roles themselves only get reevaluated at major upgrade times (and often not even then) which means maybe every 18-24 months. The ugliness comes in because the business tends to change its needs much more quickly – this is why most major ERM, ERP, CRM, etc. rollouts fail: IT simply can’t keep up with the business. So it’s not enough to just solve the process problem, but in the long run, you will also need to deal with some fundamental business and IT cultural issues of how applications are handled. Essentially, IT will have to become a lot more agile in its ability to respond to changing business needs. While this is hardly limited to the IDM space, IDM nicely highlights the issue. After all, if the roles are meaningless, knowing who has what role may be helpful from an incident response or investigation standpoint, but cannot really help understand your risk or compliance profile.

No Related Posts

@Omie I’d say when you look under the covers of most organizations (by most I mean almost all), they really don’t have this issue truly solved. They might solve it on the surface, but underneath I think it’s just too much effort for most.

By LonerVamp

Interesting take.  I’ve been hearing too much about identity management recently and how the move to roles will solve our compliance problems.  And I’ve been wondering and asking how we plan to keep the roles maintained over time.  Of course I’ve also been under the impression that every other organization has figured that out except ours, but your post is making me rethink that assumption.  If there are some best practices/examples of how to approach role maintenance, I would love to learn about them.  Thanks.

By Omie

I’m starting to think that a data-centric approach may be a way forward.

Today, authorizations are generally enforced by applications. Now firstly this leads to high complexity (as you describe) as there is no unifying set of “policy decision points” and “policy enforcement points”. Secondly, it allows for authorization restrictions to be bypassed by other applications that have access to the same data.

I’d claim that, most of the time (*), we really want to implement a neat matrix of who is allowed to read or write various types of data, just like the simplistic pictures of access control. But are forced into a level of role-based complexity, as that’s the only place we have controls today. And that makes it difficult to understand “toxic combinations” of access, such as the ability to create a payment order AND the ability to change the bank account details it goes to.

The industry might have an opportunity to change this state of affairs. Data breaches (often due to bypassing authorization restrictions) may force the use of pervasive data encryption. If we use common crypto keys for each class of data, not only does it become more manageable, but also allows us to use data-centric authorization.  And maybe we won’t fall into that trap of more roles than people.

(*) Sometimes we still need authorization to a process rather than data. For example dual-control / separation of duties needs process-based authentication. Even then, it might be possible to emulate this by data-centric authorization to process-state data.

By Andrew Yeomans

I feel the same way. I hear about the nice happy world that IDM wants to make, but I’ve always wondered how the hell anyone could possibly finish such a project. Even a small shop has its hands tied when it comes to legacy apps (“legacy” maybe only because the people who built it have left!) or suites/portals that they have no real control over. That “learning portal” that employees go to track corporate training? Yeah, it’s on an external system built and maintained by someone who couldn’t give a rip that you want IDM!

And even if you get the authentication part down, very few apps that I’ve seen then tie back into whatever is in place for role management.

It seems like one of those feel-good topics, but no one ever gets it done.

By LonerVamp

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.