Data is the lifeblood of any Identity and Access Management (IAM) system. It can make or break an implementation. Complete and accurate data empowers your organization to provide users with an unbelievable set of tools that increase security, improve business processes, and reduce risk.
On the other hand, inaccurate, incomplete, or malformed data creates a number of challenges during the initial implementation and ongoing support/management phases of an IAM solution.
So, this three-part series is all about data and why it is so critical to the successful implementation and ongoing operations of an IAM solution. Let’s start by examining how data interacts with your IAM system.
The Relationship Between Data and Your IAM System
IAM systems manage the authentication and access of users to organizational systems, applications, and resources. Each user has an account that’s used to log into different applications and systems. These user accounts are simply a collection of data points (attributes) about a user, such as First Name, Last Name, Email, Title, Department, and Location.
While this collection of attributes makes up a user account, these pieces of data typically reside and are maintained in an authoritative data system, like HRMS, Finance, and/or SIS. In order to create a user account (and update it over time), an IAM system must constantly interact (e.g., push, pull, sync, query) with all appropriate authoritative systems to make sure the data (attributes) is consistent between the sources and the IAM system.
Data and the Identity Lifecycle
Once a user account is created from the source data in the authoritative systems, the IAM system sends some of the data in the account out to the different applications and systems that the user intends to access. This process, known as provisioning, is how the IAM system creates accounts in the target systems that a user will access.
Provisioning enables organizations to give users a single account that can be used to access all their applications and systems instead of having different or separate accounts within each. The access a user should have within these downstream target systems is determined by policies and configurations within the IAM system that look at the data attributes in the user’s account.
As data in the authoritative systems changes, user accounts are updated, as well as all appropriate user data in downstream applications and systems. And as policies and rules change in the IAM system, a user's access also changes based on how the user’s data compares to those rules.
And finally, in a process known as deprovisioning, when a user leaves an organization, the IAM system detects that change in the source system and disables the account. The IAM system also disables, deletes, archives, suspends, etc. that account and the associated data in each target application and system as appropriate.
All of this is collectively known as automated lifecycle management, and it works like a charm as long as data is complete and accurate.
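The lifecycle described above can be sketched as a reconciliation pass. This is an added example, not code from this article or from any IAM product; the attribute names, the department-to-system policy, and the function `reconcile` are all hypothetical.

```python
# Added illustration; REQUIRED, POLICY and reconcile() are hypothetical names.
REQUIRED = ("email", "department", "status")
# Assumed policy: department attribute -> target systems the user may access.
POLICY = {"Finance": {"erp", "email"}, "Engineering": {"git", "email"}}

def reconcile(source, targets):
    """source: {user_id: attributes} from the authoritative system.
    targets: {system: set of user_ids holding an account there}.
    Returns a sorted list of (action, user_id, detail) tuples."""
    actions = []
    for uid, attrs in source.items():
        clean = {k: (attrs.get(k) or "").strip() for k in REQUIRED}
        missing = [k for k, v in clean.items() if not v]
        status = clean["status"].lower()
        if status == "terminated":
            entitled = set()  # assumption: leavers lose access even if other fields are bad
        elif missing:
            # Incomplete record: do not guess at access, hold it for review.
            actions.append(("review", uid, "missing " + ",".join(missing)))
            continue
        elif status != "active" or clean["department"] not in POLICY:
            actions.append(("review", uid, "unrecognized status or department"))
            continue
        else:
            entitled = POLICY[clean["department"]]
        for system, accounts in targets.items():
            if system in entitled and uid not in accounts:
                actions.append(("provision", uid, system))
            elif system not in entitled and uid in accounts:
                actions.append(("deprovision", uid, system))
    # Target accounts with no authoritative record are orphans.
    for system, accounts in targets.items():
        for uid in accounts - set(source):
            actions.append(("orphan", uid, system))
    return sorted(actions)

# Constructed sample data, not taken from any real system.
SOURCE = {
    "u1": {"email": "a@example.org", "department": "Finance", "status": "active"},
    "u2": {"email": "b@example.org", "department": "Engineering", "status": "terminated"},
    "u3": {"email": "c@example.org", "department": "", "status": "active"},
    "u4": {"email": "d@example.org", "department": "finance", "status": "active"},
}
TARGETS = {"erp": {"u2"}, "git": {"u2", "u9"}, "email": {"u1", "u2", "u3"}}

if __name__ == "__main__":
    for action in reconcile(SOURCE, TARGETS):
        print(action)
```

In the sample, u3 (blank department) and u4 (miscased department) are the data-quality cases: neither can be matched to a policy, so automation stops and the records are queued for review.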
But Data Isn’t Always Good...
As you can see, data is found at every point in the process, and just about everything inside of the IAM system relies on that data. Good data is, therefore, crucial to any IAM implementation and ongoing operations, whereas inaccurate or incomplete data leads to issues that can have a serious impact across the entire enterprise.
Unfortunately, most organizations’ data falls into the latter category. We find that clean and accurate data is a universal challenge that crosses all organizations—regardless of the organization’s size, the IAM software or services used, or whether the solution is local or cloud-based.
In the next part of our series, we will take a closer look at these challenges, as well as the impact they can have on your IAM implementation and operations.