Assessing IAM

My experience with formal technology planning spans over 20 years.  As an external consultant, I have the advantage of being objective, and can offer fresh insights as inputs to planning and strategy development. However, as an outsider, coming into an organization to perform planning can be difficult because I often lack an understanding of the infrastructure, software and procedures in place.

As a result, the planning methodologies I have used have always included an assessment phase — a set of tasks in the project that is primarily concerned with collecting information about the environment.  This has worked well when doing large project planning, IT strategy work and program development.

Assessments are also a vital part of Code Technology’s work in identity management.  An IAM Assessment can be delivered on its own, or as part of an identity strategy project.  The approach we have formulated for IAM Assessments is a little different than the generic IT information gathering.  Identity management assessments need to be structured to address key components that impact IAM design and delivery.

If you’ve followed this blog for any length of time, you’ll know that I regularly reference the Pan-Canadian Identity Management and Authentication (IdM&A) Framework.  This framework has provided an excellent structure for assessment and strategy development work.

My approach, then, is to leverage the framework in the development of an IAM assessment.  Without the structure and completeness of this framework it would be difficult to ensure everything was covered.

The heart of the assessment is information gathering: infrastructure, applications, identity stores, policies, processes, etc.  Analysis of the environment is then performed using the seven Pan-Canadian IdM&A components:

  • Legal – Under what legal agreements and legislation does the organization operate?
  • Privacy – How well does the environment match to privacy obligations?
  • Security – Does the current environment meet or exceed information security standards?
  • Trust – What trust arrangements (if any) exist between federated organizations?
  • Assurance – What processes and technology exist to ensure information assets are protected to the appropriate level of assurance?
  • Identity – How are identities organized and managed?  What identity attributes are stored and utilized?
  • Service Management – How robust and flexible is the current environment?  How will it need to be supported?

An assessment is more than just information gathering — the analysis can help to immediately highlight strengths and weaknesses in the environment.  Follow-on work can use this documented ‘snapshot’ of the identity management environment to plan and design improvements and new solutions.

Mike

Code Technology is now offering its standardized IAM assessment service across Canada.  Please contact us at info [at] codetechnology.ca for more information.
