Calculating IAM Complexity (or, How Do You Know If Intelligent IAM Is Right For You?)

Access Risk Management Blog | Courion

Doug Mow, CMO

Managing an exploding number of users and identities as they match up to applications and resources can be a daunting task. It’s the traditional challenge of managing flexibility and performance against compliance and security. Sure, we can do it quickly, but how many problems are we creating in the process?

One way to assess the value that intelligent IAM can provide to your organization is to understand the forces driving IAM complexity and how they affect the organization. Consider this formula:

IAM Complexity = ((ID + Resources) * EC) ∆c

ID represents the number of identities managed by the organization and the anticipated growth of that identity pool over time. Does the community include identities outside of the organization, like supply chain participants? How quickly is the overall number increasing?

Resources are all the applications and data resources those user identities need to access at various times. This number is probably growing more slowly than the number of identities. But the complexity rating goes up when you consider the confidentiality of those resources (e.g., the price list for the distributor network) and the reality that some of the applications being provisioned are being engaged without IT’s knowledge (SaaS applications).

EC represents environmental complexity. This is a variable that takes into account a wide range of factors, including stringent and changing regulatory environments, the degree of brand damage caused by a breach (higher damage, higher security), the growing inter-dependence and inter-connectivity of individuals and departments inside and outside the organization, global distribution, and heterogeneous computing platforms.

∆c represents the rate of change. How fast are things changing within your world? Are employees being hired and terminated on a regular basis? Do employees change roles or get promoted frequently? Are applications rolled out or retired on a regular basis? Does the regulatory environment change frequently or not at all?

Got it? OK, how does the equation work? Identities are most likely growing the most quickly. Second are the applications and resources. But, while they may be in constant flux, the environmental complexity is much worse than identities or resources in terms of impact. However, the most debilitating variable is the rate of change. That’s the granddaddy of them all. So, of the variables, which one keeps you up at night – more identities, more assets and resources, environmental issues, or what’s changing?

Here’s a fictitious scenario to illustrate the point. I work at a company where things run very smoothly. We’ve been in business for generations and things just don’t change. Our employees are loyal and we’ve been working in the same jobs with the same partners forever. All our applications run on the same servers they’ve been running on for decades and we haven’t rolled out anything new in years. Cloud, mobile, social? Nah, no need. The business hums along and nothing changes. Ever.

If that sounds like your company, don’t waste your time evaluating IAM. You don’t need it. Go on raking in the money and sleep well at night.

But, like I said, that’s fiction. This is 2013 and it’s more accurate to say that company is Fantasy Land. With all the opportunities in a global market, a company like that has been disintermediated, has been put out of business by a low-cost manufacturer out of an Asian country, or has a target on it from some enterprising group.

What about the opposite scenario? Our company has over 50,000 employees. Tenure is getting shorter and there are constant changes in roles and jobs. Our application and resource base turns over regularly with new applications constantly being rolled out and others retired. Some are in the cloud, some are SaaS, some run in house. We perform access certification reviews and audits quarterly and they are always a big deal – very disruptive and people are always very nervous. Mobile is everywhere and the business is always asking for something new, something based on the latest technology. Things are always changing. We may be buying a company, introducing new products and services, partnering with new companies, or re-organizing our company and resources. It’s a nightmare.

Does this sound more like your reality? Maybe you should consider looking at intelligent IAM.
