In a recently published white paper called "The Age of Audit: The Crucial Role of the '4th A' of Identity and Access Management in Provisioning and Compliance," Consul Risk Management presents a new metaphor for identity and access management that could prove useful when you're talking to non-identity management-savvy corporate officers.
The metaphor is called "Seasons of Identity Management" and can be used to show the path you should take as well as identifying where in the IAM process your organization currently resides.
According to Consul, you are in IAM winter before you decide to adopt an IAM solution:
"You have little visibility into who is doing what. Access rights management is balkanized, potentially leaving gaps and inconsistencies. You are never completely certain if the right people have access to the right data. Worse, you are not certain if the wrong people have access to critical data. Additionally, you have several challenges selling management on the investment. Cost savings may be hard to quantify since the benefits may be reaped across many departments. IAM is a long-term investment with a break-even point more than a year out. Many companies are averse to taking on long payback projects. The benefits of improved security and administration processes may be undervalued, making costs difficult to justify." That does sound about as bleak as an arctic winter, doesn't it?
If you'll only make the decision to implement an IAM solution, and start the implementation, then you are entering IAM spring when: "You look forward to reaping all the benefits of IAM, and you have all of the hope, optimism and enthusiasm of springtime."
Sounds good, right? But then your enterprise is hit with the complexity of the installation - what Consul calls IAM summer.
"You may find IAM technologies difficult and expensive to integrate within your existing infrastructure. You realize that you need to understand your current workflows and data architecture. When you realize that you do not have a way to easily gather this information, you are overwhelmed. You start to feel the 'summer heat' and ask, 'Where do I start?'" I can just picture you, slogging through the slough of despond (from "Pilgrim's Progress" - see http://www.applesofgold.co.uk/The_Slough_of_despond.htm).
And just as day follows night, IAM autumn follows summer. This is, according to Consul: "When your IAM solution is in place and you are managing your operational IAM environment. The summer heat is gone and you are reaping the initial benefits. You begin to consider that IAM can help you improve your security and information protection mechanisms and accelerate compliance with internal policies and external regulations. You start to ask, 'Are the right controls in place?' and 'Are my controls effective?'"
Get the paper (it will be available soon on Consul's Web site: http://www.consul.com/Content.asp?id=13) and see if Consul's InSight security event audit and compliance suite is the right tool for you. But be aware that BMC Software just announced a partnership with Consul to make InSight available for its Control-SA customers as a monitoring device for identity. The winds of change are coming to identity management and IAM and as both Bob Dylan and Consul's Kris Lovejoy will tell you, you don't need a weatherman to tell which way the wind blows.
There'll be no second newsletter this week so we can all celebrate America's Thanksgiving with our families. If, between the football and the turkey, you feel a need to read about identity management, visit http://radio.weblogs.com/0141875/2004/11/08.html and see what Microsoft metadirectory guru Kim Cameron has been up to lately.