Identity and access management (IAM) is a big concept. Google analytics tells me that there are 18,100 searches for this term each and every month. Gartner's definition is that "IAM ensures the right people have the right access to the right resources at the right time, enabling the right business outcomes." That is a big concept.
However, it is rare that an organization is trying to solve every single aspect of IAM in a single project. Some do and EmpowerID can do it. But most don't and they need a modular approach to solving the IAM problem.
To break down Gartner's definition:
- The right people: user provisioning into the metadirectory and all applications
- The right access: attribute and role based access control
- The right resources: inventorying of protected resources whether they be applications or files or anything
- The right time: workflow that ensures that all actors (people, roles, resources) are updated at all times
- The right business outcome: a workflow model that corresponds to your actual business process
The best and easiest example is a client who comes to us looking to solve its user provisioning problem (the right people). EmpowerID does this in its sleep (just kidding, EmpowerID doesn't sleep). The EmpowerID metadirectory constantly inventories all connected applications and identity stores, updating information and flowing it between any directory or database that needs the information.
A user is provisioned in HR, gets an EmpowerID person account which then creates application accounts based on the user's role. As soon as that user is changed in any connected application, that identity information flows througout the identity stores associated with that user. As their role changes, their permissions change and their access changes. Once the user leaves the organization, the user is de-provisioned.
As you can see, this quickly leaks beyond the right people to the right access. And the right resources. Yet not all products can accomplish this from a single platform, much less one with a single code base. EmpowerID can. And we haven't even gotten into what comes next.
User provisioning is a very common use case. Very common. What happens next is also common, we ask, "what about single sign on?" Invariably, the client says something along the lines that they are looking to solve that next fiscal year. Then we say, "what about your extranet, do you want to manage external identities?" Just as often the answer is something along the lines of another team has a concurrent project for that.
And this is where having an actual identity management platform comes into play. EmpowerID can solve the current project's business dilemma and future proof for the additional business problems. The integrated metadirectory, roles engine and visual workflow platform allow all of the modules to work idependently or in conjunction to solve additional problems.
In the first SSO example, once the users are provisioned and synchronized and you know your identities are accurate, it is simple to base the applications that they can access on the role of these users (remember, you already have that in place). Just adding a few single sign on workflows opens up the possibility for adaptive authentication based on resource or role.
You can easily incorporate partners and customers into the fold for the second example. EmpowerID is designed for multi-tenancy so you can even have different customers have different levels of access. Your roles are in place for your end users so it's easy to give permissions to employees to manage the customer's access and identities.
All of it works together without the need to buy everything at the time of the original project. One of our more recent customers, a large publishing house, took this exact approach. Their initial aim was user provisioning and access governance. Basically, get their own house in order. The next step is the customer portal, giving end users and book stores role based access to online ordering and account management. The third phase is getting internal user's access to this customer portal and all of the legacy systems.
Basically, they future proofed their Identity & Access Management on top of their initial project's requirements. This is an important ability to check when deciding on something as big as your IAM vendor, it's a lot more than just synchronizing some attributes back and forth; it's matching your business processes (now and in the future) to your IAM workflows.
Schedule a demonstration and see how we can map what you need to what we do and be prepared to think in the future when we ask you what's next.
Tags: User provisioning, Identity and Access Management (IAM)