The five fingers model for enterprise entitlements
It’s time for another one of those posts where the purpose is to save me from repeating myself, and also hopefully seed some ideas into the industry.
I take inspiration from my recent purchase of some Vibram Five Fingers, which I hope to review here another day. It boils down to this – I see five separate areas of functionality across the entitlements/provisioning space, and it seems kind of weird to me that nobody is pulling them together.
This is probably the opposable thumb rather than a finger, and it’s the core that other pieces build around. At their heart these tools are little more than workflow and a bunch of adaptors; but much value gets embedded into those adaptors when you want to reach in and do stuff to esoteric end points. Taking feeds from key upstream systems (e.g. HR) and pushing down into enterprise directories is the core capability; but most offerings (have to) offer more than that – typically profiles/templates based on ‘role’ so that new joiners can be cookie cut into the systems they need.
2. Self service portal
Provisioning systems tend to come with the assumption that they’re administrator driven, but there’s a trend towards self service. After all the end user usually knows best what they want, and most people would rather use an online tool than call a help desk. There’s a mini industry of next generation identity tools that build on top of provisioning that have appeared in the last five years or so, and they pretty much all bring self service to the table .
3. Audit and review
Most firms have requirements to regularly (in most cases annually) review certain types of entitlements. I remember a few years back seeing an application being built to get the process off spreadsheets, and it wasn’t long after that commercial off the shelf offerings came along.
4. Usage based reconciliation and recommendation
‘Use it or lose it’ goes the saying, and it’s a good way of ensuring that the principle of least rights sticks. If somebody has an entitlement that they’re not making use of then it’s reasonable to ask whether they should still have it. It’s not unusual for somebody to accumulate privilege as they move around an organisation, and it often makes sense to keep privileges for an old role for a little while just in case help is needed. But even with a decent review process (and more so without one) entitlements creep can easily happen. This class of tools examines who is using what, and how they got there, which can be useful for spotting inappropriate ACLs (the bad old everyone group) and making recommendations for entitlement removal (that can then go through an appropriate workflow in the same way as a self service request).
5. Break glass, highly privileged and technical account management
This is perhaps the area where I’m most shocked that the functionality hasn’t become mainstream, as every enterprise has needs in this area. Break glass processes, where an entitlement is given on a temporary basis, under strict controls and with a clear audit trail, is a great way to prevent too many people having entitlements they don’t need on a day to day basis. For those that do need routine access to high privilege such as systems administrators and DBAs there should be ways of managing their accounts and entitlements that are separate from what they use for reading email and surfing the web. Finally there are many cases where we need to manage the identity of non humans – the robots that do stuff on our behalf.
All of these cases have created a healthy niche for certain vendors and solutions; but which enterprise can truly live without all 5, and why hasn’t the industry done a better job of bringing things together? Maybe with some M&A we can get the equivalent of a glove to bring things together?
 Sadly this happened too late for one of my previous firms, who ended up building their own, but it was a worthwhile effort that appeared to genuinely improve the lot for end users. It was great to see it move past core identity stuff and into other areas of interaction such as ordering Blackberries. Any sort of user request that involves and approval workflow (and audit trail) is a good target for such tools.
Filed under: identity, security | 1 Comment
Tags: account, audit, break glass, entitlements, idm, portal, provisioning, review, self service, service, system, technical