Identity & Access Management (IAM) systems need to be reliable, perform well and have adequate end-user support. When assessing Service Management needs for an IAM environment, a number of factors need to be considered.
Wikipedia defines IT Service Management as ‘is a discipline for managing information technology (IT) systems, philosophically centered on the customer’s perspective of IT’s contribution to the business.’ Service Management for an IAM system needs to consider both the business area and end-user needs – and these may differ depending on perceptions, actual usage patterns and functions of the IAM system.
To this last point, IAM offers a wide range of functionality: authentication (login), authorization, account creation, provisioning, administration, reporting, etc. The service management profile for these functions can vary; for example, login and authorization services need to be highly available and well supported, while functions like reporting are less critical. Assessing service management for IAM, therefore, needs to look at each functional area of the system.
Data centre service management has swung wildly in the past 30 years, from centrally controlled and highly available mainframe environments to more lax client-server setups of the late 80s and early 90s. Today’s expectation for the quality of enterprise data centre services has returned to a more strict standard. Business sponsors and users expect the equipment, network and services to be highly available, with scheduled outages and evergreen plans (for future expansion).
Help desk services need to be assessed to ensure IAM services are properly supported. Help desk support can range from the basic email, ‘best-effort’ model to full 24/7 phone and remote take-over support. Understanding end-user requirements is critical to striking a balance between help desk costs and a quality support model.
I’ve had a number of clients identify 24/7 support for their infrastructure and help desks – and then balk when the cost of such a service is realized. The justification for the blanket support is that if the application is promoted as being online, it needs to always be available. Many clients want to respond to help requests when they occur. However, in my public sector experience anyway, these systems (and the IAM providing protection) are often used for non-critical purposes. Registering for a program, accessing document stores, even retrieving information needed for business purposes – these types of transactions are rarely critical in nature and tend not to deserve ’round the clock support.
In the private sector, the decision to provide this type of support is strictly a financial one. The cost of supporting users versus the revenue gained (and the long-term benefit to the brand) can be calculated to support extended hours for support.
IAM that supports medical systems are perhaps the one type of system that will always require extended support hours, highly available systems and responsive end-to-end architectures. This is particularly true for systems that support health workers (physicians and nurses) and their access to patient and reference information. Failing to implement an appropriate high level of service management for the IAM systems used in healthcare can be disastrous.
It will be interesting to see what the new breed of patient-oriented portals choose to provide in the way of redundancy, performance and support services. These emerging systems are geared to providing patients access to their own health information – data that they can use for education, self-diagnosis or treatment – but it isn’t clear that the portals will need to be highly available. If they do, the sponsors will need to dig deep to fund their operations.
Service management is key to a sustainable identity management solution and a proper assessment of technology, people and processes is an important part of any IAM review.