Enterprise Identity Management and the Data Conundrum

As a security professional specialising in Identity Management, I have often been floored by the hierarchical and arcane construct within which enterprise access entitlement data is used. Before we dig deeper into this, however, a couple of terms need explaining. First, identity data can be used to derive information about the individual, whereas entitlement data can be used to derive information about what that individual, process or system has access to in terms of IT resources. Attributes, on the other hand, are the sub-parameters that determine which types of identity the user relies on to assert their access to IT resources.

Extrapolate this to any large enterprise setting, and for an organisation out there servicing 100,000 plus employees and third parties, we are talking a few million plus assignments of such access entitlements. One could ask where the complexity comes in, then. In data terms, a million objects of data is not exactly an imposing number, particularly if they are not randomised and are informed by straitjacket attribute sets. This is where the conundrum kicks in. Identity Management initiatives are always invested in re-inventing the wheel where data is concerned. The obsession is always to create a new flashy platform and data sets with bells and whistles instead of repurposing that which is already in place. As Identity Management practitioners, we do not often build on existing foundations; we create a new one each time at great cost to the business. The litany of expensive programmes being run within FTSE 100s today is premised on assumptions that range from “data needs cleansing” to “existing data is worthless”. This is unlike other disciplines such as Security Incident and Event Monitoring (SIEM) or, for that matter, Service Management, where existing data and its usage is gold dust. In the Identity Management world, data repositories are closely and irretrievably coalesced with the platforms built to carry them; therefore identity and entitlement data models are not designed with portability in mind. If the platform becomes redundant, it is almost always assumed that the data is useless too.

As with everything else, there is a people angle to this conundrum. Data scientists have better problems to solve. Not for them the rudimentary function of Identity Management, which has innovated so little as the world has changed around it. Identity Management programmes are therefore typically staffed by “business and process specialists” who understand the change imperatives of delivering complex programmes on the one hand, and “technical specialists” who understand the nuts and bolts of deploying technology on the other. Every Identity Management programme brings these two worlds together to create a new reality that involves expensive engagement with the business to understand “what good looks like”, without appreciating that the so-called “business” of Identity Management was ticking over even before they got there. There is always a conversation to be had about how a new Identity Management solution will solve a problem or two, but very little deliberation on whether the legacy identity, entitlement and attribute data model can be re-purposed to accelerate the gains delivered. Identity Management programmes therefore pay lip service to data without understanding its true potential to deliver improved ways of access.

Times are changing, though. Many of the challenges faced today in enabling cloud-based platforms such as AWS, Google Cloud, Azure or SaaS-based solutions centre on the critical component of managing and transitioning identity data to enforce better controls and user experience. The happy days of out-of-the-box connectors, that easy shortcut that allowed us to create a new experience every time without considering whether the existing data or ways of access were fit for purpose, are being dismantled. CI/CD pipelines have expanded the remit of identities from logical access to processes and infrastructure. We either manage these identities at the code or script execution level or we do not manage them at all. Identity Management as a discipline is moving across its self-set boundaries and frontiers. This will require a massive re-tooling of our existing skill sets. It will require us as an interest group to explore better ways of harnessing data and usage analytics to drive efficient identity, access entitlement and attribute-based data models that are not hard-coded into proprietary COTS solutions. I see the legacy approaches to Identity Management programme delivery changing fundamentally in design and character. At the coalface of one such programme, I happen to be on the receiving end of these challenges. Data, for me, is the new oil for Identity Management. Disclaimer: The opinions mentioned in this article are my own and do not represent those of my employer.