How to find IAM processes

Just recently I made an eye opening experience. While delivering experts advice to a customer in a large IAM project I was asked if I could confirm that the set of IAM process descriptions that was delivered by a colleague of mine was correct, complete and compelling.
Hmm, my colleague is an experienced practitioner. He did this job several times before. He knew what he did. I trust his expertise. So I asked him how he derived them.
"Well I just know that you need these processes. And taking into account the special situation at this customer's site this is the most reasonable result" he argued.
"But they couldn't have appeared from nowhere. There must be a convincing and compelling way to rigorously derive them from the situation we are in" my customer replied.
This was déjà vu. Here it was again - the demand for a generic set of processes for the Identity- & Access Management. So I felt we finally should come up with an answer. And I tried. It goes like that "
First step is getting some order into the seemingly unlimited number of possible IAM processes by grouping them. The Processes of the Identity Management " not surprisingly - may be grouped in several ways. Her I propose the following sequence:
  1. into Identity Management & Access Management
  2. into operational and managerial processes
  3. into essential and physical processes

1. Separating Identity Management from Access Management

Identity management has a justification sui generis. It needs not to be regarded as an appendix of security management or just the precondition for Access Management.
Access management - of course - can be and should be built on top of Identity management.
The key question however is where to draw the line between IM and AM.
The digital identity, i.e. the object "identity" clearly is in scope of IM. Out of scope of IM and of AM on the other hand are the objects "organisation", "contract type" and "contract". They should be modelled elsewhere in the enterprise model.
But what's about the business role? It defines the functions an identity is meant to perform in relation to the organisation.  And defining the relationship should be still considered as a part of the IM. To my opinion it is more safely located in the IM than in the AM.

2. Subdividing into operational and managerial processes

  • 1st rule: keep processes short: "the best way to manage workflow is to avoid it"
  • Operational processes tend to follow this rule.
  • However in the back office they tend to grow ever longer.
  • Regulation, compliance issues and security concerns are the drivers.
  • There are just a few operational AM processes: identify, authenticate and authorise
  • IM processes are purely managerial by their nature.
  • There will hardly be any strategic IAM processes found ever.
  • The bulk of the processes are managerial by their very nature.

3. Order by essential and physical processes

Follow the rule: essential system 1st − physical ring 2nd. Meaning you start with the stable essential core of processes. And only if this set is complete, they are followed by the more volatile physical ring.

Hereby essential processes …
  • represent the business' intended behaviour.
  • They can be identified assuming "perfect technology"
  • They need not to care for transport, translation or audit activities.
  • They are implementation independent.
  • They form a durable core of the business.
  • They only change if business changes
  • example: administer and use the essential business functionality
Whereas physical processes …
  • are introduced to deal with the imperfect outside world.
  • Here transport, translation & audit processes are introduced.
  • Physical processes are implementation dependent.
  • They are more volatile and subject to frequent change.
  • When re-implemented the physical ring will be different while the essential core may stay unchanged.
  • example: integrate, transport, transform and "provision" to deal with the "cruel dirty world" outside.
In my next post I will follow my own recipe by applying it to the Identity Management (IM) first. This should be the easy part - with harder parts to come.

No comments:

Post a Comment