IDM: Reality Sets In
As I have mentioned in previous posts, although in principle IDM isn't that complicated, real world practicalities make it fairly challenging. To quote myself:
Businesses can have hundreds if not thousands of applications (GM purportedly had over 15,000 apps at one point) and each application itself can have hundreds or thousands of roles within it. Combine this with multiple methods of authentication and authorization, and you have a major problem on your hands which makes digging into the morass challenging to say the least.
I was chatting with Rich the other day, and he reminded me that there were several issues that I hadn't brought up yet. By way of example, he sent me the following list:
- Most organizations of even moderate size have already lost control of identities.
- The challenge is to regain control, while instituting the processes you describe.
- The average large enterprise has 1 custom application for every 100 employees.
- A surprising number of enterprise applications have more roles than users (especially ERP systems, as admins "cheat" and create new roles for different tasks of a user to deal with application restrictions).
- Due to compliance, for in-scope applications you often need a full user/role analysis... 2 years ago.
- Because of these factors, the IDM market is massive and has been one of the fastest growing in the security industry for years (I think it's tapering off now, but it really isn't my area so I could be wrong).
- The IDM market itself is complex, with multiyear implementations, and customer satisfaction is often low until the pain of implementation is complete.
- There are still a lot of issues integrating any kind of IDM into many custom applications.
As if that weren't enough to make you want to go do something easier, the problem gets even worse when you realize that while compliance forces organizations to evaluate annually whether people should still have the roles they do, there is little to no compliance requirement around regularly adjusting the roles themselves within applications. As a result, the roles themselves only get reevaluated at major upgrade times (and often not even then), which means maybe every 18-24 months. The ugliness comes in because the business tends to change its needs much more quickly -- this is why most major ERM, ERP, CRM, etc. rollouts fail: IT simply can't keep up with the business. So it's not enough to just solve the process problem; in the long run, you will also need to deal with some fundamental business and IT cultural issues around how applications are handled. Essentially, IT will have to become a lot more agile in its ability to respond to changing business needs. While this is hardly limited to the IDM space, IDM nicely highlights the issue. After all, if the roles are meaningless, knowing who has what role may be helpful from an incident response or investigation standpoint, but it cannot really help you understand your risk or compliance profile.
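The user/role analysis mentioned above is usually the first concrete step toward regaining control: before roles can be re-evaluated, someone has to find the roles nobody holds, the roles that outnumber the people using them, the "cheat" roles admins cloned for a single task, and the role definitions nobody has looked at in 18 months or more. The script below is an added example, not part of this post; it runs the four checks over a small constructed assignment inventory (application, user, role) and a constructed table of when each role definition was last reviewed. The data, application names, and 548-day staleness window are assumptions for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample inventory (not real data): (application, user, role)
ASSIGNMENTS = [
    ("erp", "alice", "AP_CLERK"),
    ("erp", "alice", "AP_CLERK_REPORTS"),   # cloned role covering one extra task
    ("erp", "bob", "AP_CLERK"),
    ("erp", "bob", "AP_CLERK_REPORTS"),
    ("erp", "carol", "GL_ADMIN"),
    ("erp", "carol", "GL_ADMIN_MONTHEND"),  # another single-task clone
    ("crm", "alice", "SALES_VIEW"),
    ("crm", "dave", "SALES_VIEW"),
    ("crm", "dave", "SALES_EDIT"),
]

# Constructed role definitions: (application, role) -> date the definition was last reviewed
ROLE_REVIEWED = {
    ("erp", "AP_CLERK"): date(2023, 1, 15),
    ("erp", "AP_CLERK_REPORTS"): date(2023, 1, 15),
    ("erp", "GL_ADMIN"): date(2024, 6, 1),
    ("erp", "GL_ADMIN_MONTHEND"): date(2024, 6, 1),
    ("erp", "LEGACY_BATCH"): date(2021, 3, 2),   # defined but assigned to nobody
    ("crm", "SALES_VIEW"): date(2024, 9, 30),
    ("crm", "SALES_EDIT"): date(2024, 9, 30),
}

AS_OF = date(2025, 1, 1)                 # assumed "today" for the review
MAX_ROLE_AGE = timedelta(days=548)       # roughly 18 months, the post's lower bound


def role_user_ratio(assignments):
    """Per application: (distinct roles, distinct users, roles per user).
    A ratio above 1.0 is the 'more roles than users' smell described in the post."""
    roles, users = defaultdict(set), defaultdict(set)
    for app, user, role in assignments:
        roles[app].add(role)
        users[app].add(user)
    return {app: (len(roles[app]), len(users[app]), len(roles[app]) / len(users[app]))
            for app in roles}


def orphan_roles(assignments, reviewed):
    """Roles that exist in the application but are assigned to nobody."""
    assigned = {(app, role) for app, _, role in assignments}
    return sorted(key for key in reviewed if key not in assigned)


def stale_roles(reviewed, today, max_age=MAX_ROLE_AGE):
    """Role definitions not reviewed within max_age of today."""
    return sorted(key for key, last in reviewed.items() if today - last > max_age)


def cloned_roles(assignments):
    """Roles within one application whose member sets are identical.
    These are the usual signature of admins creating a new role per task
    for the same people, and are candidates for consolidation."""
    members = defaultdict(set)
    for app, user, role in assignments:
        members[(app, role)].add(user)
    by_members = defaultdict(list)
    for (app, role), users in members.items():
        by_members[(app, frozenset(users))].append(role)
    return sorted((app, sorted(group)) for (app, _), group in by_members.items()
                  if len(group) > 1)


def review_report(assignments=ASSIGNMENTS, reviewed=ROLE_REVIEWED, today=AS_OF):
    """Bundle the four checks into one dict suitable for a periodic role review."""
    return {
        "ratio": role_user_ratio(assignments),
        "orphans": orphan_roles(assignments, reviewed),
        "stale": stale_roles(reviewed, today),
        "clones": cloned_roles(assignments),
    }


if __name__ == "__main__":
    for section, result in review_report().items():
        print(f"{section}: {result}")
```

The clone check is deliberately strict (identical member sets); in practice you would also want a near-duplicate check on the permissions each role grants, since two roles with different members can still be redundant. Feeding this kind of output into the annual access certification is what turns "who has what role" into something that says something about risk.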
—David Mortman