
What's In a Name?

IT access and governance projects in recent years have tended to be technical in their nature.  This is not a particularly surprising, or indeed negative, comment.  Many access-related initiatives have been driven around provisioning (automating the C(reate) R(ead) U(pdate) D(elete) process for joiners and leavers) or focussing on S(ingle) S(ign) O(n) initiatives to help reduce password mis-management.

The procurement of such solutions normally involves a product component and the obligatory services component.  The product selection has generally been done using scoring matrices, technical comparisons, benchmarking and functionality matching.  The services part is generally done on an agreed set of deliverables, man-days, costings and project frameworks.  All fine and dandy.  In a technical land, a spade is a spade, as the saying goes.  Can your product talk over LDAP?  Does it have an SPML API?  Can I connect to a database using JDBC?  Can it be load balanced?  Are passwords stored as hashes?  Etc etc.  All very black and white questions and answers once you overcome the sales patter!



However, as the hype cycle increases (or dies down, depending on your viewpoint), an increasing number of solutions now require more focus on the business drivers and components of access governance.  Here we refer to items such as G(overnance), R(isk) and C(ompliance), Identity Compliance, Audit Controls and so on.  The business part of an organisation (any non-IT silo which actually makes money for the shareholders instead of spending it) is now driving the access governance initiatives.  They have the budget and the accountability to design projects that require a mixture of new technology and services to allow either compliance, process adoption or improved accountability for things like access control, access requests or access sign-off.

With this come several new consultancy and delivery challenges, not only in the technology but also in something as basic as naming standards!  Business personnel take a different view on technology.  Technical terms are used in a different context.  They mean different things.  Take a role as an example.  In standard I(dentity) & A(ccess) Management speak, this would be a grouping of entitlements.  But what about Business Roles?  Application Roles?  Enterprise Roles?  HR Roles?  Auxiliary Roles?  Exception Roles... and on and on.  Each could arguably have a distinct definition of its own, but equally could be used interchangeably by both the business and IT departments.  What about attestation?  Is that different to certification?  And is certification different to workflow approval?  It must be, as it's the same people involved, right?  Possibly not!

Auditors, business managers and IT implementers will use the different terms interchangeably whilst referring to different objectives using the same terms.  Confused?!


A major component of any governance project is obviously the tools and services chosen, but time must also be spent on the basics, such as consistent naming.  This will allow better monitoring, transparency and ultimately better delivery of governance related objectives.
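As an added illustration (not code from the original post), the snippet below models the two meanings of "role" discussed above, an application role grouping entitlements and a business role grouping application roles, and audits a role catalogue against an assumed naming standard in which every role name carries a type prefix. The prefixes, the catalogue and the entitlement labels are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed naming standard (not from the post): a two-letter type prefix on every
# role name, so "Finance Analyst" can no longer mean one thing to the business
# and another to the IT team.
ROLE_TYPES = {"BR": "Business Role", "AR": "Application Role",
              "ER": "Enterprise Role", "HR": "HR Role", "XR": "Exception Role"}
NAME_RE = re.compile(r"^(?P<prefix>[A-Z]{2})-(?P<base>[A-Z0-9]+(?:-[A-Z0-9]+)*)$")

def parse_role_name(name):
    """Return (type_label, base_name), or None if the name breaks the standard."""
    m = NAME_RE.match(name)
    if not m or m.group("prefix") not in ROLE_TYPES:
        return None
    return ROLE_TYPES[m.group("prefix")], m.group("base")

def audit_catalogue(names):
    """Flag names with no type prefix, and base names reused under several types.

    A reused base name is not necessarily wrong, but it is exactly the case where
    auditors, managers and implementers talk past each other, so it is reported
    for review.
    """
    unclassified, by_base = [], defaultdict(list)
    for name in names:
        parsed = parse_role_name(name)
        if parsed is None:
            unclassified.append(name)
            continue
        by_base[parsed[1]].append(name.split("-", 1)[0])
    collisions = {base: sorted(p) for base, p in by_base.items() if len(p) > 1}
    return {"unclassified": unclassified, "collisions": collisions}

# Constructed catalogue: application roles group entitlements (the classic IAM
# meaning of "role"); business roles group application roles.
APP_ROLES = {
    "AR-SAP-AP-CLERK": {"sap:post-vendor-invoice", "sap:clear-vendor-payment"},
    "AR-FINANCE-ANALYST": {"sap:view-gl-line-items", "bi:finance-readonly"},
}
BUSINESS_ROLES = {"BR-FINANCE-ANALYST": {"AR-FINANCE-ANALYST", "AR-SAP-AP-CLERK"}}
CATALOGUE = list(APP_ROLES) + list(BUSINESS_ROLES) + [
    "Finance Analyst",   # no prefix: which of the above does this mean?
    "HR-PAYROLL", "XR-SOX-EXEMPT"]

def effective_entitlements(business_role):
    """Resolve a business role down to the entitlements a provisioning tool would grant."""
    ents = set()
    for app_role in BUSINESS_ROLES[business_role]:
        ents |= APP_ROLES[app_role]
    return ents
```

Running `audit_catalogue(CATALOGUE)` reports the unprefixed "Finance Analyst" and the FINANCE-ANALYST base name shared by an application role and a business role, which is the ambiguity a certification campaign would otherwise inherit.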

