Guide to Identity Management
Identity Management success relies on a team effort
Best practices for identity management begin with the knowledge that this is a business initiative, not an IT project
By Dave Kearns
The single most important "best practice" to achieving a successful, secure, efficient and effective identity management (IdM) solution within the enterprise is to make sure that the project is not led from the IT department.
A successful IdM project needs to involve the entire organization, and needs to be driven from a point high enough in the organization that the mandate is clear: this project will get done. (See "Getting boardroom buy-in.")
This is a tough hurdle to surmount, but once you have done so, the rest of the job will seem easy, provided, of course, you break it into small enough chunks, with successes shown at small enough intervals, to keep the business management buy-in that is so important to the project's success. You'll want, and will strive for, the unqualified cooperation of all departments within the enterprise, but you'll also find that cooperation is easier to obtain when senior management is backing you.
After that, you'll want to approach the implementation of a full identity management solution in a coordinated, integrated way. (See "The changing seasons of identity management.")
Think of building your IdM solution as a project not unlike building a large house or an automobile. The "solution" is made up of a number of independent systems which nevertheless all work together fairly seamlessly to deliver the concept in, seemingly, one single structure.
But just as you don't build a house by starting on the roof, nor build a car by first choosing the windshield wipers, it's important that you design and architect your solution properly. As I pointed out in the IdM newsletter recently:
A virtual directory is needed to get from the multifarious identity stores throughout the enterprise to a single one, at least as perceived by other applications and services. This then enables a provisioning system to normalize and standardize authentication systems throughout the organization – from account setup through single sign-on to automated password reset. …provisioning needs to be in place in order to successfully implement role management…roles plus rules … provide the fine grained access control that entitlement management promises. But we can now see that entitlement management isn't the end point; it's just another marker on the road to a fully implemented identity service.
Once the entitlement management, with its fine grained access control, is in place we can move on to the next major plateau – context-based access. That's even finer grained control, because it can vary by time-of-day, day-of-the-month, user-location, state-of-the-target and just about any other contextual condition we can measure: who, what, when, where, how and maybe why some user (in some role) wants to access some thing (in accordance with some rule). You might still be struggling to get your provisioning services fully deployed, but now there's even greater incentive because – down the road – that provisioning service will enable all sorts of better control, more efficient access, a more pleasant user experience and all within a more secure environment. (See "The long road to identity services.")
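To make the progression above concrete, here is an added example (my own illustration, not code from Dave Kearns or from any product mentioned) of a policy decision function that layers the three stages: role membership grants coarse entitlements, rules narrow them, and context (time of day, user location, state of the target) narrows them further. The role names, entitlement strings, rule functions and sample requests are all constructed for the example; a real deployment would read roles from the provisioning system and context from the session and resource.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data: which entitlements each role carries
# (the role management / entitlement management layer).
ROLE_ENTITLEMENTS = {
    "payroll-clerk": {"payroll:read"},
    "payroll-manager": {"payroll:read", "payroll:approve"},
}


@dataclass(frozen=True)
class Context:
    """What the decision point can measure about a request (hypothetical fields)."""
    user: str
    roles: frozenset
    location: str       # assumed values: "office" or "remote"
    now: datetime       # time of the request
    target_state: str   # state of the resource, e.g. "open" or "locked"


# Contextual rules: each takes a Context and returns None when satisfied,
# or a short denial reason when it is not.
def business_hours(ctx):
    if ctx.now.weekday() >= 5 or not (9 <= ctx.now.hour < 18):
        return "outside business hours"
    return None


def on_premises(ctx):
    if ctx.location != "office":
        return "not on premises"
    return None


def target_open(ctx):
    if ctx.target_state != "open":
        return f"target is {ctx.target_state}"
    return None


# Which contextual rules apply to which action. An action with no entry is
# governed by the role entitlement alone.
CONTEXT_RULES = {
    "payroll:approve": [business_hours, on_premises, target_open],
}


def decide(action, ctx):
    """Return (allowed, reason): coarse role check first, then contextual rules."""
    granted = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in ctx.roles))
    if action not in granted:
        return False, f"no role of {ctx.user} grants {action}"
    for rule in CONTEXT_RULES.get(action, []):
        reason = rule(ctx)
        if reason is not None:
            return False, f"{action} denied by rule {rule.__name__}: {reason}"
    return True, f"{action} permitted for {ctx.user}"


def demo():
    """Constructed sample requests; returns {label: (allowed, reason)}."""
    tue_10 = datetime(2024, 3, 12, 10, 0)   # a Tuesday morning
    tue_22 = datetime(2024, 3, 12, 22, 0)   # the same Tuesday, late evening
    clerk = frozenset({"payroll-clerk"})
    mgr = frozenset({"payroll-manager"})
    return {
        "clerk_read_remote_night": decide("payroll:read", Context("alice", clerk, "remote", tue_22, "open")),
        "clerk_approve": decide("payroll:approve", Context("alice", clerk, "office", tue_10, "open")),
        "mgr_approve_ok": decide("payroll:approve", Context("bob", mgr, "office", tue_10, "open")),
        "mgr_approve_remote": decide("payroll:approve", Context("bob", mgr, "remote", tue_10, "open")),
        "mgr_approve_night": decide("payroll:approve", Context("bob", mgr, "office", tue_22, "open")),
        "mgr_approve_locked": decide("payroll:approve", Context("bob", mgr, "office", tue_10, "locked")),
    }


if __name__ == "__main__":
    for label, (allowed, reason) in demo().items():
        print(f"{label:24s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The ordering matters for the reasons it produces: a manager approving from home in the evening is refused first for the time of day, and only a request that passes every earlier rule reaches the state-of-the-target check. Reading is unconstrained here on purpose, to show that context rules are attached per action rather than globally.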
And finally, learn from the problems others have encountered. (See "Survey: Half of compliance pros say their organizations are botching identity, access control.") Gather case studies from vendors interested in your business, listen to presentations by other IdM implementers at trade shows and conferences, and follow the always interesting Network World newsletters on these topics ("Security: Identity Management" and "Security Strategies") as well as the many links in the Network World Identity Management Resource Center.