Multiple account repositories
Modern organizations run a complex mix of IT infrastructure, including:
- Directories, such as Active Directory or other LDAP implementations.
- Network operating systems, used to share files and printers.
- Customer relationship management (CRM) and enterprise resource planning (ERP) applications.
- A range of custom and vertical market applications.
- Various databases.
- Mainframe and midrange servers, typically hosting legacy applications.
- E-mail and other collaboration software.
- Human resources, payroll and contractor management systems.
Legacy systems and applications are hosted on-site but newer applications are increasingly hosted by third parties, in the cloud, often offering software-as-a-service (SaaS).
Many systems and applications rely on internal lists of accounts -- users who can sign in, along with credentials such a passwords and entitlements such as group memberships. Some systems are able to externalize this information to a directory (via LDAP or Kerberos) or to a federated access system (SAML, OAuth) but many systems and applications require that some or all of this data remain in their internal, proprietary storage.
Managing identities and entitlements across applications
Accounts, entitlements and credentials must be managed, when users are hired, when their jobs or contact information change, when they join or leave projects, when they relocate or take time off, when they leave the organization and if they return.
The intersection of many business processes and many systems that contain IAM data is shown in Figure [link].
Managing Each Application in its own Silo
Unfortunately, every system and application has its own schema, its own administration user interface, is managed by a distinct team of administrators and is subject to its own change processes. This variety creates complexity, which has business consequences:
- Cost: Complex processes that involve multiple systems and applications are expensive to operate, requiring teams of access administrators.
- Security: Users with no-longer-needed entitlements, orphan accounts, dormant accounts, inconsistent approvals and gaps in audit history weaken internal controls.
- Service: Users are faced with complex, hard to find and hard to populate access request forms. Access is only granted after lengthy approval and fulfillment delays.
Identity and access management automation is intended to address this complexity and thereby reduce access administration cost, strengthen security and improve the user experience.