Identity Management Success

The most successful Identity (IDMS) deployment projects, are completed by logical, concentric teams, which are formed specifically for the purpose. Resist the tendency to rehash existing internal models, or follow political boundaries. Identity deployments are inherently cross-functional, matrixed, multidisciplinary projects. Select the most appropriate resource, not the most “available” or “politically expedient.”

With the caveat that each organization, vertical market, and project has its own unique requirements, here are some general skill sets and project roles that can be leveraged for a highly effective internal Identity Deployment Team:

• Java Security Developer - Configuration, reporting, customization, deployment
• Infrastructure Specialist - Networking/Switching, Server Configuration, Storage, High Availability
• Application Developer - With ability to make changes to internally developed applications
• Compliance Officer / Legal Representative - Ensures that Identity infrastructure conforms to domestic and international privacy, encryption, and retention guidelines
• Project Architect - Designs the Identity infrastructure, in conjunction with any outside vendor(s)
• Identity Subject Matter Experts (SME) - Serves role as Project Technical Lead, and has the capacity to “tie it all together” from the Identity and Access Management perspective
• Program Manager - Manages the Identity and Access program, from a project or PMO perspective. Generally, there will also be one or more Project Managers working within the program to execute on various sub-projects.
• Business Process Manager - Captures current state workflows and business processes, designs future state workflows, and manages creation of workflows within the IDMS
• Role Modeler - Uses current and projected organizational charts and employee classification databases to model roles. Roles are used within the IDMS to provision accounts and manage access controls. Person in this role often comes from the HR department.
• Training Liaison - Creates and manages end-user and administrative training for the new IDMS and Identity Management processes.

The preceding guidelines may require modification for your organization, and are not intended to be comprehensive for all situations. However, referencing these guidelines during the Identity Team formation stage, will dramatically increase your chances of a successful and comprehensive IDMS deployment.

Identity Management Systems offer tremendous benefits and ROI potential to organizations of all types and sizes. However, the complexity of a typical deployment brings a tendency to continually redesign the Identity infrastructure. Continual redesign can introduce even more complexity, additional dollars, continual requoting, time and budget overruns, missed opportunities, and stakeholder frustration — which increases resistance to your deployment.

A few simple rules can help to minimize the redesign spiral:

• Start with small, clear, attainable objectives
• Factor user experience, training, and administration requirements early
• Get infrastructure people to the table early.
• Build software infrastructure from the inside out, then embrace and extend to legacy and “black box” applications
• Design for function first, and cost last. If cost is your overriding project concern, reconsider the entire Identity project.
• Design Identity as a set of services.
• Examine ways current operating systems and network infrastructure can be used
• Attain quotes for only what you need, and ensure the budget has at least a 15% growth contingency. You will never factor Identity deployment costs to the penny in a large organization. Index future costs directly to planned organizational growth, and other factors such as Federation (partner integration,) facility expansion and contraction, capacity planning, record retention, etc.
• Seek input from everyone, but do not expect consensus, or wait for it to achieve design approval. If the key people agree on the principle, and your internal and external Subject Matter Experts sanction the design, then move forward with a pilot.
• Set reasonable expectations with stakeholders, business users, and application owners. Understand and document how the deployment will affect each group, and answer objections early and before committing to a final Identity Management System design. In some organizations, it takes only one powerful business user to derail the entire project
• Carry each design iteration to its full completion, before scrapping it and starting over.
• Apply rigorous change control to your system design. Avoid ad hoc diagrams that are passed around and changed frequently. Remember that even small changes such as the placement of a cable, or addition of a server somewhere can completely alter the entire system deployment.
• And perhaps above all - expect the unexpected. Plan for contingencies, and custom applications that may require special solutions or retrofitting to integrate within your Identity System.

While not an exhaustive list, following the rules above can help keep your Identity Management System project running smoothly.

Adjust perception, eliminate disruption. A common stakeholder misnomer is that deployment of an IdMS must be disruptive to the IT landscape and the user community. Socialize IAM as a framework, a set of services, and a service envelope. The subscriber model works well - applications subscribe to the framework, one by one. As they are added, new capabilities are gained. IAM is an evolutionary benefit within an organization. More subscribers = more benefit = improved user experience.