January 15, 2007
I am a regular reader of the informative Network World Identity Management Newsletter by Dave Kearns.
A long time ago, Dave was onto the problem of identity data quality. Back in June 2003 he wrote an excellent post, "E-provisioning’s dirty little secret", subtitled "First rule of e-provisioning is to ‘cleanse’ your data". In it he makes a number of excellent observations, and he was clearly ahead of the curve on the necessity for data cleansing and matching prior to implementing an identity management system. Rather than summarize it here, I urge you to take a couple of minutes to read it.
Last fall, Kearns followed up with "The messiest part of identity management", subtitled "Cleaning up before deploying identity management". He brings this important issue back to the fore, which I applaud. He also talks about some very interesting findings from in-depth analysis by Deloitte Canada: large enterprises are unable to match 20%+ of their active credentials to a person.
However, I do take issue with a couple of Dave’s points. One minor and one major.
Posted by Phil
January 11, 2007
In my day-to-day efforts to solve enterprise identity matching problems, one of the biggest obstacles is getting people to realize they have a problem. One of the reasons that this issue is little known is that until you actually have to install a large identity management project, you can ignore the issue. Very few organizations have got to that stage, i.e., very few organizations have actually implemented a large, multi-system identity management solution where legacy credentials are involved.
Once you get to the stage of having to load in legacy credentials, the problem comes front and center. Recently I have been trying to find public examples to prove this point. In this post, I discussed how Frank Ma of Petro Canada urges all to plan on the difficult matching issue before you are too far into the project.
Since that post, I have listened to another panel discussion from Digital Identity World’s Sept. 2006 conference. One Sept. 12th, 2006 panel was called "Questions We Now Know We Should Have Asked: A Customer Panel". The participants were: Bob Blakely, Burton Group, Moderator; Heidi Kujawa, Sony Pictures Entertainment; Mike Ruman, Grant Thornton, LLP; and Ken Lobenstein, Continuum Health Partners. The presentation PDF can be found here and the full audio here.
I urge you to listen to the whole talk as it is always very instructive to hear what people who have actually done a project have to say. This is where the reality vs. theory gets heard.
Here are some highlights of the audio. I have indicated approximate minutes in the audio and have tried my best to transcribe the quotes with a semblance of context. Listen to it yourself to get the full impact.
January 11, 2007
(This is a first pass definition. I will refine this over time and update the definition on this page)
The Problem
Within enterprises, people have multiple access credentials (mostly user-name and password). This is particularly true of organizations that have a number of legacy systems, which have been built over the past many years with no concern for the Internet or even for working with each other. Each will have a separate credential.
Over time employees will accumulate many different credentials, some of which they no longer need, or no longer should have given their current role with the company. Worse yet, when people leave the organization, often their access remains. This is primarily due to the fact that many are the champion of provisioning new access, but no one is the champion of de-provisioning.
The result is that a large number of active credentials (about 20%) in most organizations are NOT traceable to a person. Simply, they cannot answer the question: “who does this credential belong to?” This fact undermines identity management and compliance activities in most large organizations and is a significant source of risk for organizations and those that they serve … which is about all of us.
The Solution: Enterprise Identity Matching
Enterprise Identity Matching is the combination of tools and processes an organization uses to investigate and unambiguously match all their active access credentials to a person, group, or system.
It is my tenet that this problem is pervasive and significant in large organizations. The solution is non-trivial. I also believe that by better understanding the true nature of the problem and using purpose-built tools and techniques, this problem can be overcome with a modest investment of time and money. This blog is focused on the exploration of this problem and possible solutions.
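As an added illustration of the matching step defined above (not code from this blog or from any product), the sketch below reconciles account exports from two legacy systems against an HR roster and labels each credential as matched, belonging to a departed owner, ambiguous, or an orphan. All names, field layouts, and records are constructed for the example, and the name normalization assumes plain ASCII names.

```python
import re
from collections import defaultdict

# Constructed sample data: an HR roster and account exports from two legacy systems.
HR = [
    {"emp_id": "1001", "name": "Maria Gonzalez", "email": "maria.gonzalez@example.com", "active": True},
    {"emp_id": "1002", "name": "John O'Neil", "email": "john.oneil@example.com", "active": True},
    {"emp_id": "1003", "name": "Wei Chen", "email": "wei.chen@example.com", "active": False},
]
ACCOUNTS = [
    {"system": "mainframe", "login": "MGONZAL", "owner": "GONZALEZ, MARIA", "email": ""},
    {"system": "crm", "login": "joneil", "owner": "John ONeil", "email": "John.ONeil@example.com"},
    {"system": "crm", "login": "wchen", "owner": "Wei Chen", "email": ""},
    {"system": "mainframe", "login": "BATCH07", "owner": "", "email": ""},
    {"system": "crm", "login": "tmp_admin", "owner": "Admin", "email": ""},
]

def name_key(name):
    """Reduce 'Last, First' or 'First Last' to a sorted, punctuation-free token tuple."""
    tokens = re.sub(r"[^a-z, ]", "", name.lower()).replace(",", " ").split()
    return tuple(sorted(tokens))

def reconcile(hr, accounts):
    """Map (system, login) -> (status, emp_id); email match first, then normalized name."""
    by_email = {p["email"].lower(): p for p in hr}
    by_name = defaultdict(list)
    for p in hr:
        by_name[name_key(p["name"])].append(p)
    report = {}
    for a in accounts:
        key = (a["system"], a["login"])
        person = by_email.get(a["email"].lower()) if a["email"] else None
        if person is None and a["owner"]:
            candidates = by_name.get(name_key(a["owner"]), [])
            if len(candidates) > 1:          # two people share the name: needs manual review
                report[key] = ("ambiguous", None)
                continue
            person = candidates[0] if candidates else None
        if person is None:
            report[key] = ("orphan", None)   # nobody can say who this credential belongs to
        elif person["active"]:
            report[key] = ("matched", person["emp_id"])
        else:
            report[key] = ("owner_departed", person["emp_id"])  # de-provisioning was missed
    return report

if __name__ == "__main__":
    for key, result in reconcile(HR, ACCOUNTS).items():
        print(key, result)
```

The orphan and ambiguous rows are the ones that need manual investigation; the owner_departed rows are the accounts that survived because no one owned de-provisioning.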
January 4, 2007
Usually anyone who actually has to complete an identity project learns two key truths:
- Their legacy identity data is a mess and many of the records are unmatchable.
- Matching and scrubbing these records is much harder than they originally thought. In the end, it involves a lot of manual, costly, time-consuming effort.
Here is a great example of advice from someone who has lived the problem. At the Digital Identity World May 2005 Conference there was a session called the Provisioning Customer Deployment Panel. If you listen to this MP3 and go to about 22 minutes into the podcast, when the Q&A starts, you will hear that Frank Ma from Petro Canada says: