In the second document from our series outlining KuppingerCole’s basic positions on key issues sur-rounding Digital Identity, Security and Infrastructure Management, we will explore the cornerstones of Identity & Access Management, which is mostly known by its abbreviation “IAM”, along with current trends and ramifications for corporate IT systems. IAM is primarily seen as a set of technologies which govern and regulate who is allowed access to which information stored or being processed within IT environments. Unfortunately, taking such a narrow technology-focused view deflects from the real value of IAM as a facilitator for creating business processes that are both more secure and more efficient than ever before. We see IAM as the key to unlocking IT’s true potential as a business enabler. In fact, in discussions within KuppingerCole, we often refer to “management by identity” instead of the classic “identity management”.
To really grasp the importance of IAM for a modern organization, it is necessary to take a holistic view, one that takes into account not only the technology itself, but also the business processes and the organizational structures it impacts. All of this ties into the Big Picture of Information Security, namely how to maintain the confidentiality, integrity and availability of data. It is about how to protect both the information and the information systems from attacks from without and within, for instance through unauthorized use, disclosure, modification, or destruction. It is also about being able to provide proof that none of these things have happened, either to internal auditors or to regulators or law enforcement authorities. Unlike such related fields as Computer Security and Information Assurance, Information Security is more about risk management, process control and business continuity and less about specific technical solutions. Information Security is about typing people, processes, and information. For this reason, we believe that IAM should be an important item of the agenda of top management within every organization since it affects strategy decisions. In short, leave the technical details to the experts, but make sure they know what is expected from them.
Which is not to say that technology is not an important issue; in fact reaching the goals set out in your IAM strategy will inevitably call for orchestrating a set of technologies, ranging from basic directories to specialized solutions for securing applications and databases. IT’s job is to bring all this together in a way that both protects and enables business.
IAM consists of building blocks, and in reality most organizations will not need all of them. In order to make informed decisions about which technologies are needed, KuppingerCole recommends following standard, tried-and-proven architectural approaches. Classically, this means either starting out by identifying use cases and taking a line from there, or alternatively asking the business units what they need and creating the appropriate business services, tweaking and fine-tuning them until they do the job they were requested for consistently, efficiently and at lowest possible cost.