Managing digital identities and computer and network access rights is difficult at the best of times. But today’s rapidly changing organizational structures and technology dependencies make for even greater challenges. In this chapter, we review the various stages in the identity and access management (IAM) lifecycle from the particular perspective of organizations undergoing substantial change from mergers and acquisitions, business expansions and contractions, as well as internal structural and technological changes. We also look at the impact on IAM of incidents originating from outside organizations, such as natural disasters (earthquakes, hurricanes, volcanic eruptions, etc.) and manmade catastrophes (terrorist bombings, major oil spills, etc.). We address the question of how one might prepare for and respond to such events by managing and controlling identification and authorization in fast-moving, difficult-to-control situations.
TopIntroduction
“It’s very important that acquired companies are brought into the organization’s safety culture.” Colin Ive, Business Continuity Institute1
Change is on the short list of certainties (along with death and taxes).2 In boom times, organizational change results from mergers, acquisitions, new businesses, expansion of current businesses and the like. When going through tough economic times, change arises from bankruptcies, cutbacks, and similar negative events. Whether one is experiencing the former virtuous circle or the latter vicious circle, it is necessary for both to break apart, combine, discontinue, or otherwise modify business units and their processes, as well as supporting computer and network systems. Consequently, procedures for identifying, authenticating and authorizing access to system functions and data come under intense pressure to respond rapidly to organizational and system changes and absorb the impact of such changes with minimal effect on the overall operation.
In this chapter, we examine IAM processes and systems, what they do, why they are needed, why automating IAM is generally a good idea, and how IAM systems can and should be implemented. We raise some of the many issues that relate to IAM implementation in “normal” times and describe how these issues are magnified and exacerbated when there are dramatic changes within and between organizational units. We then review some examples of successful and failed IAM implementations drawn from the author’s extensive experience in this area and cull some lessons learned from them.
TopSome Issues And Definitions
One of the basic problems in complex areas, such as IAM, is that there is no generally-accepted commonality of definitions. We see the use of terms such as IAM (Identity and Access Management), IdM (Identity Management), user provisioning,3 entitlements4, registration, identification, one-factor and two-factor authentication, validation, verification, federated systems, credentials, biometrics, behavior monitoring, authorization, entitlements, and so on. What do they all mean? How do they differ? Are they misused?