As more IT organizations deploy identity management solutions, some early lessons have been learned about the planning, implementation, and operations of those services.
META Trend: Identity management and security needs will cause an increase in enterprise directory services adoption through 2004, as existing federated directories drive more provisioning and directory integration tool use. Enterprise/extranet directory distinctions will blur through 2005 and beyond, as internal/external identity needs converge. Directory use for some application authorization roles will increase as directory functionality expands. XML will enable component databases (as next-generation directories) and better integration capability (2006-08).
Enterprises everywhere have fundamental concerns about the manner in which IT organizations can deliver an identity infrastructure that is both productive and efficient while also being secure. Compliance drivers (i.e., legal and regulatory) are also becoming increasingly important, as evidenced by recent legislation on all continents. These factors have combined to drive significant decision making among IT infrastructure planners regarding how best to manage the identity asset currently in use in the enterprise. Some early adopters of comprehensive identity management solutions have been operating for some time now and have learned some fundamental lessons about how to plan, build, and run identity management infrastructure.
Lessons Learned: Planning for Identity Management
1. Managing Expectations Increases the Likelihood of Successful Implementations
Many identity management services (e.g., password management, delegated administration) are not new at all. There are precedents for pragmatic plans, and an important lesson is never to "over-promise" what can be delivered. Many identity management project failures can be traced back to the early days of requirements gathering and analysis, where eager proponents misrepresented capabilities. Complex identity management solutions have many moving parts, and understating the potential results helps avoid embarrassment later on.
2. Executive Sponsorship Is Not Optional
Large-scale identity management implementations involving multiple phases, timelines exceeding a year, and budgets of six figures or more will not succeed without an executive champion from the business, not from the IT organization. This champion must not only understand the business value of such solutions but also be able to articulate it effectively to his or her peers. The person in this role must also serve as a liaison between IT and the business, resolving major issues that arise during planning and maintaining close contact with information security leadership and the top beneficiaries of the identity management effort (e.g., human resources, finance). Large identity management initiatives that do not meet this prerequisite consistently fail.
3. Identity Must Be Defined as a Strategic Asset and Used as the Basis for Planning
The key element of identity management is a working definition of identity that incorporates the business, application, and IT infrastructure views of identity (see GNS Delta 883) and that is then formally established for reuse in future discussions of information security and asset management. One cause of the existing complexity in IT infrastructure is that different infrastructure providers (e.g., of operating systems, applications, and security systems) have each created and used their own definitions of identity when planning their products, through no fault of their own. Directory, metadirectory, and related identity infrastructure systems have evolved to reconcile these multiple approaches in an attempt to alleviate some of this complexity. By establishing a comprehensive definition of identity going forward, enterprises are less likely to duplicate the problems of the past.
Lessons Learned: Implementing Identity Management Solutions
4. Identity Management Is Integration Management
Since identity management element solutions have been in IT infrastructure for many years, part of implementing a comprehensive solution will involve identifying those systems already in place and using the identity management tools provided to effectively integrate the old with the new. Of course, there will be times when formal evaluation of reuse or replacement will be necessary, but in general, the identity management market remains to a large degree a “best of breed” market. There are signs that major vendors are compiling or have compiled “stack” or framework solutions (e.g., IBM Tivoli Identity Manager, Computer Associates eTrust, Novell Nsure Resources), but these frameworks are still in the early stages of self-integration, and most large implementations will require customized integration to merge the old solutions with the new.
5. Nothing Is As Political As Identity
Implementing the technology remains the easiest phase of identity management projects. Most existing identity repositories have owners, some of whom perceive an identity management project as a threat to their responsibilities, and a delicate diplomatic effort is required to ensure that the project is not jeopardized by this type of issue. An identity management initiative will also figure heavily in the centralized-versus-distributed debate. Fortunately, good solutions coupled with good process can provide an effective infrastructure for either option. Identity management is also directly tied to the politics of information security, trust, and risk management, and those ties will be reflected in how the solution is tailored to enable information security policy rather than hinder it.
6. A Sound Identity Infrastructure Is a Prerequisite to Effective Identity Management Deployment
Many IT organizations have spent the past few years developing an effective identity infrastructure for the enterprise, primarily by streamlining directory needs and establishing an effective directory integration strategy and a consolidated authentication strategy. Although such infrastructure is not a requirement for deploying identity management solutions, the more complex and unorganized such an infrastructure is, the more expensive identity management is likely to be. META Group views good identity infrastructure as a prerequisite for good identity management.
Lessons Learned: Operating Identity Management Services
7. It’s No Surprise That This Is About Process, Not Technology
“A fool with a tool is still a fool.” Identity management solutions can solve or help prioritize some issues of provisioning, auditing, and administration of identity, but not without clear process and a structured organization. This begins at the planning level but is executed within operations, which must exploit the identity management solution. It is crucial that identity management not be attempted without a clear process and structure, which should also serve as the mechanism for building the requirements checklist for identity management products.
8. Don’t Expect to Operate Identity Management Without Organizational Changes
This does not mean increased headcount, but it does mean that new or enhanced roles must be accommodated. Staffing of information security operations and systems management will be a dominant concern for organizations involved in delivering identity management.
Business Impact: There are occasions where compliance mandates as a business driver can actually be beneficial in reducing complexity and mitigating risk.
Bottom Line: Identity management has begun to appear in more enterprises, primarily as operations support elements but increasingly as a move to support information security policy and streamline application support services. Most IT organizations should be at least in the planning phases of defining identity as an asset and identifying the major "pain points" that such management services can address. IT organizations should focus on regulatory compliance and security as the factors driving prioritization and ensure that planning does not become too diffuse as a result of trying to solve too many issues at once.
META Group originally published this article on 1 December 2003.