
Tuesday, January 19, 2010

How IDAM can help group companies

Group companies environment
These are organizations that work in a structure with a central corporate parent company and many subsidiaries running as individual companies. While a lot of infrastructure is shared between these entities, a lot of disconnects related to people and regulations can be observed in such places. I have been involved with a lot of infrastructure companies of late. Some of my thoughts around it are as follows:

Typical challenges in a group-of-companies environment
Organizations that work as a group of companies face the following typical identity-related challenges. I am trying to list some of the challenges I have seen at different customers that follow a similar governance model.
Lack of a centralized risk framework: The risk framework evolves according to the individual needs of the companies that make up the group.
Disparate technology environment: The technology and products chosen by different groups are controlled by the businesses rather than by the corporate structure. This is more of a requirement than a challenge, as the companies need independence in software and infrastructure selection because of the technology dependence of the businesses they carry out.
Different regulatory adherences for different groups due to the law of the land: While ISO 20007 is a requirement for some of the operations, some may mandate SOX compliance, and other businesses may need to adhere to other regional regulatory or compliance norms depending on the region of operation or line of business, like JSOX for Japan or HIPAA for medical business.
Need to respond quickly to identity-related needs: The identity needs may range from creating a new organization or designating a new company to bulk transfer of employees from one unit to another due to reorganizations.

An Identity Services Approach
Based on the above-mentioned challenges and the trends in identity management products, let us look at an approach in which the IDAM solution can be offered as a service to all group companies. I am trying to explain the approach from 3 different angles, which are:
Governance approach
Operational approach
Technology approach

IDAM Governance Approach - A framework structure to follow
The IDAM Governance approach calls for mandatory participation from business-level auditors/owners, the centralized IT security / risk management team, and corporate applications like HRMS applications. This aids the risk and governance structure by providing the right controls to the overall governance structure. It helps business owners and auditors gain better visibility into their environment by providing reports and attestation/certification of access levels on a scheduled basis. The IDAM system also provides corporate applications like HRMS with a single point of integration for access. The following governance structure relates to the points mentioned above.


IDAM Operational approach - A plan to capture your CAPEX and OPEX flow on IDAM
The IDAM Operational approach defines the different operational priorities that should be followed during implementation. The implementation should be service-centric, and IDAM should first be implemented for corporate and one business unit, after which the base framework will be ready for showcasing the benefits of IDAM processes and policies. It also gives new businesses the confidence to embark on integration with the corporate IDAM model. The centralized infrastructure can be reused for all the businesses or group companies, with integration spanning from physical security to application privileges. Additionally, IDAM aids in rolling out new and centralized initiatives like DRM, DLP and privileged user management, or data centre security aspects like server access control and database security.

IDAM Technology approach – Basic Identity Framework
Ideally, from a technology perspective, IDAM as a deployment should have the following:
• Self Service for users like password resets, access requests etc
• Management capabilities to administrators
• Approval and workflow based user access provisioning for better ownership
• Reports and audit procedures for better visibility and control
• Access Management controls for web applications and non-web applications
The diagram below explains the different interfacing capabilities that should be present in a typical IDAM technology stack.

A basic IDAM system should have authentication for all applications, for control. It should have self-service interfaces and SSO, for user experience. It should have delegated administration, for manageability, and audit / attestation facilities, for gaining visibility. The IDAM system should support workflows and identity synchronization extensively. It should interface with different applications and should have a secure identity store and an accessible audit store.
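To make the identity-synchronization and attestation pieces concrete, here is an added example (not code from the original post, and not any product's implementation) of the core reconciliation loop such a system runs. The HRMS feed is the authoritative source; a per-company role policy maps (company, role) to entitlements so each subsidiary keeps its own application stack while the engine stays shared. Comparing the desired state with what applications actually hold yields the grants for joiners, the revoke-plus-grant pairs for employees bulk-transferred between group companies, the revokes for leavers, and orphan accounts with no HR record at all, which are never auto-granted. The same comparison feeds the attestation report grouped by application owner. All names, companies, entitlements and owners below are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Person:
    """One record from the HRMS feed (constructed sample schema)."""
    emp_id: str
    name: str
    company: str   # group entity: "Corp", "SubA", "SubB" (hypothetical)
    role: str      # business role as recorded by HR
    active: bool   # False for leavers

# Role policy per group company: (company, role) -> entitlements (hypothetical).
ROLE_POLICY = {
    ("Corp", "finance"): {"erp:gl-post"},
    ("SubA", "finance"): {"subA-erp:ap"},
    ("SubA", "engineer"): {"gitlab:dev"},
    ("SubB", "engineer"): {"subB-vpn"},
}
BASELINE = {"sso:portal"}  # every active identity in the group gets this

# Application owner responsible for certifying access (hypothetical).
OWNERS = {"erp": "corp-finance-head", "subA-erp": "subA-cfo",
          "gitlab": "subA-eng-lead", "subB-vpn": "subB-it",
          "sso": "corp-it-security"}

def app_of(entitlement: str) -> str:
    """Application prefix of an entitlement, e.g. 'erp' for 'erp:gl-post'."""
    return entitlement.split(":", 1)[0]

def desired_entitlements(p: Person) -> set[str]:
    """Desired state derived purely from HR data; inactive people get nothing."""
    if not p.active:
        return set()
    return BASELINE | ROLE_POLICY.get((p.company, p.role), set())

def reconcile(hr_feed, current_access):
    """Diff desired state against actual per-application access.
    Returns sorted (grants, revokes, orphans), each a list of (emp_id, entitlement)."""
    desired = {p.emp_id: desired_entitlements(p) for p in hr_feed}
    grants, revokes, orphans = [], [], []
    for emp_id, have in current_access.items():
        want = desired.get(emp_id)
        if want is None:
            # Account with no HR identity behind it: surface it, never grant to it.
            orphans.extend((emp_id, e) for e in have)
            continue
        revokes.extend((emp_id, e) for e in have - want)
    for emp_id, want in desired.items():
        have = current_access.get(emp_id, set())
        grants.extend((emp_id, e) for e in want - have)
    return sorted(grants), sorted(revokes), sorted(orphans)

def attestation_report(hr_feed, current_access):
    """Group every held entitlement by the owner who must certify it, with a status
    the owner can act on: certified-by-policy, review-revoke, or orphan."""
    desired = {p.emp_id: desired_entitlements(p) for p in hr_feed}
    report: dict[str, list[tuple[str, str, str]]] = {}
    for emp_id, have in current_access.items():
        for ent in have:
            if emp_id not in desired:
                status = "orphan"
            elif ent in desired[emp_id]:
                status = "certified-by-policy"
            else:
                status = "review-revoke"
            owner = OWNERS.get(app_of(ent), "unassigned")
            report.setdefault(owner, []).append((emp_id, ent, status))
    return {owner: sorted(rows) for owner, rows in sorted(report.items())}

# Constructed sample feed: E2 was bulk-transferred from SubA finance to SubB
# engineering, E3 has left, and E9 exists only in an application.
HR_FEED = [
    Person("E1", "Asha", "Corp", "finance", True),
    Person("E2", "Ben", "SubB", "engineer", True),
    Person("E3", "Cara", "SubA", "engineer", False),
]
CURRENT_ACCESS = {
    "E1": {"erp:gl-post", "sso:portal"},
    "E2": {"subA-erp:ap", "sso:portal"},
    "E3": {"gitlab:dev", "sso:portal"},
    "E9": {"gitlab:dev"},
}

if __name__ == "__main__":
    grants, revokes, orphans = reconcile(HR_FEED, CURRENT_ACCESS)
    print("grants:", grants)
    print("revokes:", revokes)
    print("orphans:", orphans)
    for owner, rows in attestation_report(HR_FEED, CURRENT_ACCESS).items():
        print(owner, rows)
```

Running it shows the mover E2 losing the SubA ERP entitlement and gaining the SubB one in a single pass, the leaver E3 losing everything including the baseline portal access, and E9 appearing only in the orphan list and in the SubA engineering lead's attestation queue. In a real deployment the revoke and grant lists would be handed to the workflow engine for approval where policy requires it, and the attestation output would be written to the audit store.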
