This document presents best practices for deploying and operating an identity management infrastructure. It builds on Hitachi ID Systems' years of experience in deploying password management and user provisioning into some of the largest and most complex organizations in the world.
The document is organized as follows:
- Overview: Defining Identity Management:
Some basic definitions that help clarify the subsequent material.
- Long Term Commitment:
Identity management is more accurately described as a change in the IT organization and business processes than as a finite project. Deployment can reasonably be expected to continue indefinitely, as more features and integrations are added over time.
- Focus on Business Drivers:
Given the long-term investment in identity management, it makes sense to identify and focus on the highest-priority business drivers first.
- Deliver Early and Often:
To minimize project risk and to ensure a positive return on investment, it is essential to deliver tangible results early in the project and to keep delivering new benefits regularly.
- Usability and Adoption:
Identity management is focused on the user -- a human being represented on multiple IT systems, by a combination of identity attributes and privileges. It follows that user adoption is a prerequisite to success.
- Critical Path and Common Interdependencies:
Some integrations and features depend on others. This section identifies major interdependencies, which impact project timelines.
- Project Management Methodology:
A typical methodology for delivering a given project milestone.
- Typical Timeline and Deliverables:
Pulling all of the above together, a sample project timeline is developed, step-by-step.
Overview: Defining Identity Management
IAM is defined as a shared platform and consistent processes for managing information about users: who they are, how they are authenticated and what they can access.
Enterprise Identity and Access Management (IAM) is defined as a set of processes and technologies to effectively and consistently manage modest numbers of users and entitlements across multiple systems. In this definition, there are typically significantly fewer than a million users, but users typically have access to multiple systems and applications.
Typical enterprise identity and access management scenarios include:
- Password synchronization and self-service password reset.
- Management of other credentials, such as one-time password devices, security questions, smart phone apps, biometrics, smart cards, cryptographic certificates, etc.
- Identity and access management (IAM), which can create/delete identities and assign/revoke entitlements in response to processes such as data synchronization, a request portal, approval flow, access reviews ("governance") and policy enforcement.
- Group management, to create, manage and delete security groups and mail distribution lists.
- Single sign-on -- which may consist of Kerberos, federated access (SAML or similar), web SSO (web form stuffing or server-side agents) and enterprise SSO (client-side form stuffing).
- Strong authentication, combining multiple credentials with contextual selection of suitable login mechanisms.
Problem areas adjacent to identity and access management (IAM) include privileged access management (PAM) and directories.