Tuesday, January 4, 2011

User Access Certification and IAM

Some points to think about regarding the user access certification and IAM process -

Why it is required - The goal of User Access Certification is to certify and validate user access privileges periodically. The UAC process has many benefits, like automation of the certification process, better presentation of data, report generation for all access and data in the system, closed-loop remediation, multiple levels of approval, etc.

But the key requirement from the client's perspective is "audit and compliance", because the certification process is directly tied to their audit. If the audit is good then the company is good.

IAM and User Access Certification - All organizations need an IAM implementation, but they do not take it seriously because it is a very costly affair for them, and their main goal is the audit, which can be achieved by the User Access Certification process. Every organization wants to implement User Access Certification first; if things go well and they are convinced to implement an IAM solution, then they go for an IAM solution.

Why IAM is lagging - Implementing an IAM solution simply means automating the provisioning and de-provisioning of accounts on endpoints. Every endpoint needs a connector or custom code to connect to the identity manager. Though many good connectors are available in the market, and there are enough talented developers who can write custom connectors for every kind of endpoint, it is still a complicated process to maintain reconciliation, password synchronization, active sync and so on; all of these require lots of coding and good technical skills. As the organization grows, the IAM system also needs to be updated: a big organization means more IAM code, more code means more complexity, and maintaining the solution for its lifetime becomes very difficult.

New Options - Due to the complexities of traditional IAM solution implementations, some vendors like CA and SailPoint have now come up with a new "Top-Down" approach to provisioning. In this approach, provisioning is done on the basis of what data a user accesses, which gives more control over how information and access are used by users. Though the complexities of using connectors, SAML and SPML will still be there, IDM solutions will be more secure.

Implementation of User Access Certification -

1) Without IAM

Implementing User Access Certification directly over raw and unfiltered data is a pain for developers. Without any IAM setup, filtering the existing data and modifying it according to the certification tool's requirements is a long process before the actual certification process can start.

The most important implementation steps in this case are:

a) Filter the data and remove duplicates and corrupt records - Using Java code is the best option for this.

b) Convert the data into the format required by the tool - Every tool has its own format, and to import data into the tool the best possible way is again to write Java code. Some tools provide connectors, but connectors are only available for specific types of endpoints like AD, RACF etc.; for all other types of enterprise application, Java code is the best option to automate the process.
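As an added example (not code from the original post), here is the Java clean-up from steps a) and b) run over a constructed sample export; the raw pipe-delimited format, the normalization rules and the certification tool's CSV layout are all assumptions.

```java
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;

public class AccessFeedCleaner {
    // Constructed sample export (assumed raw format: user|application|entitlement).
    // Contains a duplicate differing only in case, an exact duplicate, a record
    // with an empty field and a line with the wrong number of columns.
    static final List<String> RAW = List.of(
        "jdoe|SAP|FI_POSTING",
        "JDOE|sap|FI_POSTING",
        "asmith|AD|Domain Admins",
        "bogus||READ_ONLY",
        "asmith|AD|Domain Admins",
        "malformed line without delimiters");

    // One access assignment after normalization; record equality drives de-duplication.
    record Access(String user, String application, String entitlement) {
        static Access parse(String line) {
            String[] f = line.split("\\|", -1);
            if (f.length != 3) return null;                   // wrong column count -> corrupt
            for (String s : f) if (s.isBlank()) return null;  // empty field -> corrupt
            // Normalize case so the same assignment exported twice collapses to one row.
            return new Access(f[0].trim().toLowerCase(), f[1].trim().toUpperCase(), f[2].trim());
        }
        String toToolCsv() {                                  // assumed tool import layout
            return String.join(",", user, application, entitlement);
        }
    }

    // Step a): drop corrupt records, then remove duplicates keeping first-seen order.
    static List<Access> clean(List<String> raw) {
        return raw.stream()
                  .map(Access::parse)
                  .filter(Objects::nonNull)
                  .distinct()
                  .collect(Collectors.toList());
    }

    // Step b): render the cleaned assignments in the format the certification tool imports.
    static String toToolFormat(List<Access> accesses) {
        return "user,application,entitlement\n"
             + accesses.stream().map(Access::toToolCsv).collect(Collectors.joining("\n"));
    }

    public static void main(String[] args) {
        List<Access> cleaned = clean(RAW);
        System.out.printf("%d raw rows -> %d certifiable assignments%n", RAW.size(), cleaned.size());
        System.out.println(toToolFormat(cleaned));
    }
}
```

Requires Java 16 or later for records; the normalization rules (lower-case user IDs, upper-case application names) are the part to adapt to the real source systems, since over-aggressive folding can merge distinct accounts.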

2) With IAM -

With IAM, the initial step of processing the data becomes much less complex and is taken care of by the Identity Management system. With IAM in place, the amount of corrupt data will be very low. Also, if the IAM and certification tools are from the same vendor, converting the data into the certification tool's format also becomes very simple.

P.S. :- Feel free to write your comments on the process I have written.

1 comment:

  1. cool :)
    techno articles.. I like that ;)
    keep them coming