Analysts to Discuss How to Improve IAM and Business Performance at Gartner Identity and Access Management Summit 2011, March 9-10, in London
Most organizations are approaching identity and access management (IAM) in the wrong way by working with production requirements first, according to Gartner, Inc.
“Between half and two-thirds of organizations attempting to establish a truly-effective IAM program approach it in the wrong way,” said Earl Perkins, research vice president at Gartner. ”IAM process requirements should always precede organization and technology decisions. But currently, most IAM planning is done around clusters of technologies, rather than by addressing specific IT or business processes.”
“The ‘build’ experience of IAM projects has traditionally not been a good one,” said Mr. Perkins. “While some experiences have improved and technologies are evolving, major efforts to formally build an IAM system for an organization overlook a key lesson — planning for IAM often starts from the wrong direction with the wrong people, or at least not everyone who should be involved.”
IAM started out as a “fix the plumbing” concern. However, with the advent of risk, compliance, accountability and transparency, this has changed. Now, the basis for good IAM involves a very active role by the organization as a whole, as only they can truly say what and how accountability and transparency of access should work for them. In an era where accountability and transparency are required and must be formalized, this means a more focused and structured approach for all parties affected, and not just IT.
“IAM should not be planned with operations in mind; rather, it should be based on the foundations of the organization relative to policies, processes and people,” said Mr. Perkins. “Products are actually a relatively small focus of the decision process in an IAM program.”
Gartner said that looking at IAM as a process has several advantages. First, it removes the product-centric pattern the market has placed on IAM. “Instead of looking at IAM as a set of products to be purchased to fill technology gaps in an organization, viewing IAM as a process attempts to identify where people and IAM technology can be most effectively ‘inserted’ to fulfill the practices and policies of the organization,” Mr. Perkins said. “It also contributes in a significant way to how enterprise, and security, architecture is enriched with the addition of IAM-specific architecture.”
IAM as a process also helps to identify the key questions that need to be asked during IAM product selection, (such as how those products fulfill specific process steps). Viewing IAM as a process helps an enterprise articulate its requirements and target them through prioritization of need. It helps map the IAM process on top of known business processes to determine the convergence or touchpoints for control and intelligence purposes. Process steps that are best performed manually or are people-intensive can be identified as can different IAM process flows for different organizations, applications or system environments.
“IAM as a process essentially serves as a lens for enterprise customers to permit a ‘horizontal’ view of the identity and access process across the vertical landscape of business and IT within an organization,” said Mr. Perkins. “As such, it encourages customers to discover for themselves the current manual and automated processes supporting IAM, and to map them to this core process view to identify current problem areas in their process.”
Mr. Perkins added that the operational process view of IAM can also enable the customer to define organizational roles for managing IAM and developing an identity and access governance model that incorporates those operations. By linking operational IAM process to the policy model of the organization, this part of IAM governance can be established as a life cycle, rather than as an ad hoc set of activities applied in a reactionary way to access and identity problems. IAM as a process can be effective in converging business and enterprise processes with IT processes and accelerating IAM program maturity for the long term.
Additional information is available in the Gartner report "A Process View of Identity and Access Management Is Essential". The report is available on Gartner's website athttp://www.gartner.com/resId=1529641.
The Gartner Identity & Access Management Summit 2011 will take place March 9-10 at the Park Plaza Westminster Bridge hotel in London. For further information about the Summit, please visit europe.gartner.com/iam. Additional information from the event will be shared on Twitter at http://twitter.com/Gartner_incusing #GartnerIAM. Members of the media can register for the Summit by contacting Laurence Goasduff, Gartner PR, on + 44 (0) 1784 267 195 or at firstname.lastname@example.org.
About Gartner Identity & Access Management Summit
Intelligence is one of the three pillars of IAM, but until recently it has had much less attention than administration or access. This must change. An improved identity and access intelligence quotient will deliver benefits, not just within the organization’s IAM program, but throughout the organization itself. At the Summit, Gartner analysts will explore the trends that are changing business needs and the ways in which IAM can and must be delivered and examine the transition of IAM into a full business intelligence resource for the organization.
Gartner, Inc. (NYSE: IT) is the world's leading research and advisory company. The company helps business leaders across all major functions in every industry and enterprise size with the objective insights they need to make the right decisions. Gartner's comprehensive suite of services delivers strategic advice and proven best practices to help clients succeed in their mission-critical priorities. Gartner is headquartered in Stamford, Connecticut, U.S.A., and has more than 13,000 associates serving clients in 11,000 enterprises in 100 countries. For more information, visit www.gartner.com.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.