Identity & Access Governance in the age of digital transformation

Identity & Access Governance obviously is a difficult task. Many major corporations struggle to meet their various compliance criteria, which could be expected as a natural by-product of good governance. But having hardly completed this job, the next one, innocently called “digital transformation” knocks at the door.

Will governance thus become even much harder by then: At least I was asked that question recently. Ok, let me quickly give an introduction to the total topic, go into a little more detail where it appears appropriate to me and eventually come up with a couple of brave conclusions.

You might have heard of the new esoteric trend “Declutter your life”. Some very similar recipe I would prescribe the majority of today's companies: “Declutter your infrastructure (before going to digitize it)!” So, with all right, you can expect a decluttered contribution too, dear reader. However, the text nevertheless has become slightly lengthy. I will therefore publish it in three parts - one per week:
  1. Governance and Identity & Access
  2. From ‘oversight’ to the algorithm driven company
  3. Challenges ahead for a digital transformation agenda

What is Governance after all?

The term Governance was coined and defined during the last years of the previous century. However before that time too some form of ’governance', i.e. oversight, strategic change & direction was always expected from high ranking positions like non-executive directors.

In the beginning it was all about corporate governance, as senior management first had to be convinced of the usefulness of handling this new discipline explicitly – before it was applied to sub categories, like e.g. Identity & Access. By now it is accepted that a governance layer should reside on top of each management layer.

In case you want to get an in-depth introduction into Corporate Governance, its Principles, Policies and Practices I recommend the voluminous authoritative guide by the 'father of corporate governance', Bob Tricker, surprisingly named, 'Corporate Governance'.

Identity & Access Governance

So, how did we discover Governance in the I&A world?

Historically we started with the attempt to manage Identity & Access – as it became time to do so. This task alone turned out not to be easy going. While by then I expected the corporate world to do their homework within a timeframe of 3 to 5 years, it isn't even achieved today to a sufficient degree. And more challenges are looming around the corner, not least the digital transformation.

But even when companies succeeded with the introduction of I&A Management, the questions arose: Are we doing the things right? Are we doing the right things? Therefore, and as any management layer needs a governance layer on top of it to stay healthy, I&A Governance appeared out of the dark.

But IAG itself turned out not to be an easy task. The sufficiently powerful equipment for data analytics was missing and, more often than not, is still missing today. I&A Intelligence was born - the application of data analytics to the domain of Identity & Access.


Separating into Identity and into Access

While working hard on making Identity & Access Management (IAM) become reality some fine structure was discovered in what had been reluctantly lumped together into one discipline. The equation hence became: IAM = Identity Management (IM) + Access Management (AM).

Identity Management being a genuine Management discipline on its own, is the necessary organisational foundation for many corporate necessities like business automation, fine grained cost controlling, classical disciplines like human resources management and – of course – access management. So access needs identity a solid foundation – but not the other way round.

Hence one can imagine 6 distinct disciplines, as for identity all 3 layers (operations, management and governance) have to be performed, as has it for the access part.

Direction – we need a strategy

Remembering the definition of Governance as ’direction & oversight' let me quickly have a look at the 1st half of the world: direction. Certainly you should have to follow a strategy while directing a whole business towards its future.

This insight is not entirely new and so the procedure of defining a strategy is pretty well understood by now. Strategy development is merely a high level planning process, leading from the current state to some assumed future state. To do this with sufficient rigour, some prerequisites need to be fulfilled.

First you need to have meaningful mission. As for a corporate mission “Earning tons of money” might not be a good enough driving mission, so “Securing the business” would not suffice for Identity & Access. Good news is that nearly every company has started with a clear mission. By the time it may however need some adjustment or even re-invention, enough in each case to keep top management busy for a while.

Second you should now your current “As is” status, as ”if you don't know where you are, every direction might be the right one”. As trivial as this “know thyself” sounds, given the complexity of today's major institutions, you can easily run into the “analysis paralysis”-trap.

And thirdly you should have an idea of what lurks around the corner, the future drivers, influences, trends, new technologies, which may have an impact on your business.

Hence “Strategy Development” can be understood in a narrow and abroad sense, depending on whether the necessary foundation is laid already, or the entire work lies ahead still.

Strategy development - a cyclic process

Strategies often bear the stigma of being fuzzy, general, overambitious or even outright unrealistic. At least they are blamed to talk about a distant future in abstract terms. This perception is not completely wrong and not entirely right. Strategy development follows a cyclic process. And as its goal is to transform an organization from a defined here-and-now state to a specific future state, during this process it deals with abstract and far-off future issues, just to come back to the here-and-now, the cruel dirty world, with change items to be implemented tomorrow.

Expressing it as guidance

Having been perhaps too generously spending 356 words on a well-known corporate discipline like strategy development, I cannot afford the luxury to do the same for the subsequently necessary change activities. Let's assume however, that one fine day the projects will have come to an end, yielding new corporate processes – and altered corporate guidance.
The pyramid of corporate regulatory documents traditionally looks like this:
  1. Strategic level: Policies & Guidelines


    Policies are binding corporate documents, usually issued by top management. They express goals, principles, focal areas and responsibilities. They represent the top level of the documentation pyramid.


    Guidelines like policies are of a high level of abstraction. However they don't come with a binding character.

  2. Managerial level: Procedures & Standards


    Procedures lay out all management controls for a defined problem domain on an essential level. They contain (static) functions & responsibilities and (dynamic) processes.


    They state requirements for generic minimum standards, a choice of good practice examples or a bandwidth of tolerable quality parameters.

  3. Operational level: Specification & work instructions


    The Implementation of controls on a physical level is specified in operational specifications, work flows, specifications, … Techniques, configurations of solutions and organisational processes are documented on this level.

    Work instructions:

    Based on the defining procedures work instructions specify the volatile details like configuration parameters or physical techniques.

Traditionally these documents on each level are written as some kind of narrative to be read and followed by its target group. This group evidently is meant to be made of humans. Automated processors usually are not in scope – however they increasingly need to be.

To let process definitions seamlessly translate into executable workflows, to automatically check human and automated activities against corporate policies, to authorise digital identities (human 'users' or automated processors) dynamically and aware of its context, expressed as rules and attributes (ABAC), much more rigour has to be applied to definition of regulatory documents.

As those documents become the central code, whose rules are executed in an unattended manner they need to be considered as the sensitive core of the entire organisation – and hence protected accordingly against failure, inadvertent or malicious alteration and creeping degradation.

Ok, that enough for now. Next week I will outline how to make policies & guidelines actionable. So please stay tuned.

No comments:

Post a Comment