Assessing IAM

My experience with formal technology planning spans over 20 years.  As an external consultant, I can offer fresh insights as inputs to planning and strategy development.

The planning approach I have used has always included an assessment phase — a set of tasks in the project that is primarily concerned with collecting information about the environment.  This works well when done prior to project planning, strategy work and program development.

Assessments are a vital part of Code Technology’s work in identity management. An IAM Assessment can be delivered on its own, or as part of an identity management strategy project.  The approach we have formulated for IAM Assessments differs from generic IT information gathering: identity management assessments need to be structured around the key components that drive IAM design and delivery.

If you’ve followed this blog for any length of time, you’ll know that I regularly reference the Pan-Canadian Identity Management and Authentication (IdM&A) Framework.  This framework has provided an excellent structure for assessment and strategy development work.

My approach, then, is to leverage the framework in the development of an IAM assessment.  Without the structure and completeness of this framework it would be difficult to ensure everything was covered.

The heart of the assessment is information gathering: infrastructure, applications, identity stores, policies, processes, etc.  Once these details are collected, analysis of the environment is performed using the seven Pan-Canadian IdM&A components.

Key questions are used to drive the assessment analysis:

  • Legal – Under what legal agreements and legislation does the organization operate? How do these drive compliance for IAM?
  • Privacy – How well does the environment match to privacy obligations?
  • Security – Does the current environment meet or exceed information security standards? What key identity and access risks need to be considered?
  • Trust – What trust arrangements (if any) exist between federated organizations?
  • Assurance – What processes and technology exist to ensure information assets are protected to the appropriate level of assurance?
  • Identity – How are identities organized and managed?  What identity attributes are stored and utilized?
  • Service Management – How robust and flexible is the current environment? How will it need to be supported?

An assessment is more than just information gathering — the analysis can immediately highlight strengths and weaknesses in the environment.  Follow-on work can use this documented ‘snapshot’ of the identity management environment to address security gaps, make improvements and plan for new solutions.
Mike

Author: code

Mike Waddingham is an identity management consultant with over 30 years of industry experience. He is the owner of Code Technology Corp.