What's In a Name?

IT access and governance projects in recent years have tended to be technical in their nature. This is not a particularly surprising, or indeed negative, comment. Many access-related initiatives have been driven around provisioning (automating the C(reate) R(ead) U(pdate) D(elete) process for joiners and leavers) or focused on S(ingle) S(ign) O(n) initiatives to help reduce password mismanagement.

The procurement of such solutions normally involves a product component and the obligatory services component. The product selection has generally been done using scoring matrices, technical comparisons, benchmarking and functionality matching. The services part is generally done on an agreed set of deliverables, man-days, costings and project frameworks. All fine and dandy. In a technical land, a spade is a spade, as the saying goes. Can your product talk over LDAP? Does it have an SPML API? Can I connect to a database using JDBC? Can it be load balanced? Are passwords stored as hashes? Etc., etc. All very black and white questions and answers once you overcome the sales patter!

However, as the hype cycle increases (or dies down, depending on your viewpoint), an increasing number of solutions now require more focus on the business drivers and components of access governance. Here we refer to items such as G(overnance), R(isk) and C(ompliance), Identity Compliance, Audit Controls and so on. The business part of an organisation (any non-IT silo which actually makes money for the shareholders instead of spending it) is now driving the access governance initiatives. They have the budget and the accountability to design projects that require a mixture of new technology and services to allow either compliance, process adoption or improved accountability for things like access control, access requests or access sign-off.

With this come several new consultancy and delivery challenges, not only in the technology but also in a basic issue like naming standards! Business personnel take a different view on technology. Technical terms are used in a different context. They mean different things. Take a role as an example. In standard I(dentity) & A(ccess) Management speak, this would be a grouping of entitlements. But what about Business Roles? Application Roles? Enterprise Roles? HR Roles? Auxiliary Roles? Exception Roles... and on and on. Each could arguably have a distinct definition of its own, but equally could be used interchangeably by both the business and IT departments. What about attestation? Is that different to certification? And is certification different to workflow approval? It must be, since it's the same people involved, right? Possibly not!

Auditors, business managers and IT implementers will use the different terms interchangeably whilst referring to different objectives using the same terms.  Confused?!
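To make the role ambiguity above concrete, here is an added example (not from the original post) of a small, layered role catalogue in Python: a business role groups application roles, an application role groups entitlements, and a check flags any name that is reused across layers. The catalogue entries, layer names and entitlement strings are constructed sample data, not any real product's model.

```python
"""Layered role catalogue with a naming-ambiguity check (example code)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    layer: str  # "business" (groups application roles) or "application" (groups entitlements)
    members: frozenset = field(default_factory=frozenset)


# Constructed sample catalogue. Note that "Finance" is used at BOTH layers:
# as a business role and as an application role with a different meaning.
CATALOGUE = [
    Role("Finance", "business", frozenset({"Finance", "Reporting"})),
    Role("Finance", "application", frozenset({"GL:post", "GL:read"})),
    Role("Reporting", "application", frozenset({"BI:read"})),
    Role("HR Manager", "business", frozenset({"Payroll"})),
    Role("Payroll", "application", frozenset({"HR:payslip:read", "HR:payslip:edit"})),
]


def index(catalogue):
    """Key roles by (layer, name) so every lookup states which 'role' it means."""
    return {(r.layer, r.name): r for r in catalogue}


def resolve(catalogue, business_role):
    """Flatten a business role down to the entitlements it actually grants.

    This is what an attestation or certification campaign should show a
    reviewer: the effective access, not just the business-level label.
    """
    idx = index(catalogue)
    granted = set()
    for app_role in idx[("business", business_role)].members:
        granted |= idx[("application", app_role)].members
    return granted


def ambiguous_names(catalogue):
    """Return names that appear at more than one layer: the collisions the post warns about."""
    layers = defaultdict(set)
    for r in catalogue:
        layers[r.name].add(r.layer)
    return sorted(name for name, seen in layers.items() if len(seen) > 1)
```

Running `ambiguous_names(CATALOGUE)` on the sample data reports `["Finance"]`, while `resolve` shows that the business role "Finance" grants more than the application role of the same name.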

A major component of any governance project is obviously the tools and services chosen, but time must also be spent on the basics, such as consistent naming.  This will allow better monitoring, transparency and ultimately better delivery of governance related objectives.
