Chapter 15. Identity Maturity Models and Process Architectures
In the last chapter, we set up governance for the identity management architecture (IMA) process and built a business model. As we’ve seen, the business model is really just a comprehensive documentation of the goals, people, and processes of the business units building the IMA. The next task is to determine where your organization’s current technology and practices stand with an eye to improving them. The tool we’ll use is called a digital identity maturity model .
Our objective in this chapter is to distinguish mature identity processes from immature processes, develop an identity process inventory, and plan for identity process improvement. We use the word “process” quite deliberately. Organizations that view internal activities as a series of isolated tasks cannot build a digital identity infrastructure that will accomplish the objectives set forth in this book. The reason is quite simple: viewing activities as isolated tasks does not allow the results to be consistently measured and that information to be fed back into the organization so that the activity can be improved.
In an organization with immature processes, projects are executed without many guidelines by teams that are free to proceed as best they can. Project success is dependent on the efforts of a few “virtuoso performers.” Predicting the success or failure of a project is difficult, and when the project is finished, it is often impossible to identify the factors that led to success or failure.
On the other hand, mature processes give project teams clear guidelines and have built-in metrics so that the result is not just repeatable, but also measurable. Metrics tell why the process produced the outcome it did and what needs to be done to improve it. Mature organizations review and update their processes as a matter of course and seek constant improvement.
Maturity Levels
The path to more mature identity management processes and infrastructure can be characterized by a series of steps that gives specific milestones. These milestones are called “maturity levels .” Each level is a reflection of certain capabilities in the organization’s processes and infrastructure. Higher maturity levels reflect greater capabilities and have more advanced characteristics. The maturity model defines the key elements at each level and thus represents a path that you can follow to guide your identity management processes to more mature levels. The path we’ve defined includes four levels and is shown in Figure 15-1. These levels are adapted from an identity management maturity model developed by Gary Daemer of Booz Allen Hamilton.
In level 1, the organization has very few processes and the infrastructure design is tactical and ad hoc. At the focused level (2), some projects in the organization have good processes and a designed identity infrastructure, but many do not. At the standardized level (3), the organization has created enterprise-wide policies, processes, and infrastructure. With enterprise-wide policies and processes, the organization can learn from various projects and use that knowledge to improve future projects. At the integrated level (4), policies and processes are very mature and processes have been automated. The infrastructure is complete.
The Maturity Model
The following sections characterize identity management practices at each level in the maturity model. The characteristics are organized into eight areas: business goals, policies, processes, identity management, identity storage, authentication, authorization, and federation. The characteristics given are illustrative; there are more characteristics than can be enumerated here. Nevertheless, these should be sufficient to give you a clear idea of what each level looks like.
Level 1: Ad Hoc
Level 1 is the furthest away from being a best practice. In level 1, no planning or structure is applied to identity management processes and systems. The statements in Table 15-1 characterize practices at this level.
|
Area |
Characteristics |
|
Business goals |
Business units see identity management as having negative value. That is, identity management gets in the way of getting work done. |
|
Policies |
The organization has no identifiable policies about identity. Any rules that do exist are simply part of the organizational folklore. |
|
Processes |
Identity management processes are not defined or documented. Processes are carried out in an ad hoc fashion with the desires and whims of the team or team leader being the primary driver. Any processes that do exist are informal. Team knowledge and talents are not leveraged in a consistent manner, because the process is different each time. The ad hoc nature of the processes denies opportunities for automation. The ad hoc nature of the processes does not allow them to be audited for effectiveness. No metrics are used to measure the processes, and any operational data that is collected is analyzed only in response to a problem. |
|
Identity management |
Identities are fragmented across the organization. Fragmented identities are inconsistent. Multiple administrators add accounts manually. |
|
Identity storage |
Identities are stored in multiple repositories. Users have multiple, disconnected entries in the store. Identities are stored in different kinds of stores and even when the stores are consistent, the schemas are not. |
|
Authentication |
Users have multiple usernames and passwords, including multiple identifiers on the same systems and applications. Identity credentials are chosen randomly without clear cost and benefit analysis. |
|
Authorization |
Authorization is inconsistently applied and used. Authorization policy is set without any evaluation of cost and risk. There is no formal notion of resource owners or custodians. |
|
Federation |
When identities are federated with partners or between business units, the technology, processes, and agreements are all ad hoc. |
Level 2: Focused
Level 2 practices presuppose a minimal amount of planning and documentation. The planning and documentation allow IT staff to carry out identity management tasks in a repeatable way, but there is little quality control, and so the results are not consistent. Practices and capabilities are fractured across projects. The statements in Table 15-2 characterize practices at this level.
|
Area |
Characteristics |
|
Business goals |
Business units see identity management as a tolerable requirement but perceive little value. The focus of the identity infrastructure is security and operational control. |
|
Policies |
Some policies are written down, but there is little buy-in, and policies are not effectively distributed. Policies are point specific or applicable to just one or two projects. Policies are not enforced. |
|
Processes |
Processes are partially documented, although different groups within the same organization may carry out the same task using different processes. Even when the same team is assigned to a task, the process definition is not sufficient to ensure that the application of a given process will have the same results each time. Processes and activities are not audited. |
|
Identity management |
Automation occurs minimally in support of security functions and other tactical operations such as password reset. Operational data for identity systems is inconsistently collected and analyzed. |
|
Identity storage |
Identities are stored in directories or other repositories built for a specific purpose. |
|
Authentication |
Users have multiple usernames and passwords. Identity credentials are chosen by different projects with only project goals in mind. |
|
Authorization |
Authorization is done on an application-by-application basis. Resource owners are assigned in high-visibility areas and make authorization policy for those resources. |
|
Federation |
Federation is still done using bilateral agreements, but standards are used to transfer identity information. Technology is implemented as needed. |
Level 3: Standardized
Level 3 identity management practices are consistently executed, but they are static and do not adapt to changing business requirements. The statements in Table 15-3 characterize practices at this level.
|
Area |
Characteristics |
|
Business goals |
Business units see identity management as providing generic value to the enterprise but do not understand how it can enable their business goals. |
|
Policies |
Policies are created through a well-understood governance process. All parties know and understand what is required. Little or no formal enforcement. Standard policies are used throughout the organization. |
|
Processes |
First-level operational metrics are recorded. By first-level, I mean direct, technology-defined measurements of operational parameters, such as “authentications performed per hour” or “authorization assertions delivered to partner X.” Service-level agreements (SLAs) are defined for first-level operational parameters. These SLA levels are largely self-defined and internal to the IT organization. Processes, roles, and workflows are defined. Processes and procedures for service are always followed, and consistent results are reached. |
|
Identity management |
Identity infrastructure automation is broad-based and chosen to meet strategic goals. Identity actions are audited occasionally. Extensive reports are produced, but feedback is rare. Innovation occurs as the result of missing service targets or as a result of outright service failures. |
|
Identity storage |
Identity data has been cleansed and normalized. The enterprise has established authoritative data sources. Enterprise standards help system designers choose technologies that are interoperable. |
|
Authentication |
Passwords are synchronized across the enterprise. Single sign-on is a reality, allowing users to move from application to application without reauthenticating. |
|
Authorization |
Access control is role based and driven by rules. Access-control policies for different systems and applications are disconnected and manually updated. Resource owners and custodians are formally assigned to all resources of value. |
|
Federation |
Federation processes are defined, and standard agreements are used as a basis for negotiation with partners. Federation infrastructure exists and is usable by a variety of interests. Federation is most likely to happen using a hub-and-spoke model. |
Level 4: Integrated
Level 4 practices are repeatable, consistent, and make use of feedback from the business to adapt to changing business needs. Feedback is used to optimize the identity management practices and is based on sophisticated metrics and tools. The statements in Table 15-4 characterize practices at this level.
|
Area |
Characteristics |
|
Business goals |
Business units perceive the value of identity to their activities. Business units are regularly consulted in determining the components of the identity infrastructure. Business unit expectations for return on investment on the identity infrastructure are regularly exceeded. |
|
Policies |
Policies and standards are approached in a holistic fashion, evaluating needs comprehensively and crafting policies that interoperate with and enforce each other. Identity policies are audited for effectiveness. Identity policies are usually followed and enforced when they are not. Policies are routinely reviewed and updated using a functioning governance process. |
|
Processes |
Processes are fully defined, documented, monitored, and measured. SLA metrics are defined in terms of business requirements rather than technology-based activities. Processes are regularly audited. Audit results are used to change the identity architecture. Processes that support identity policies are consistently applied across multiple platforms. Processes are automated. SLA metrics are based on business value. |
|
Identity management |
Identity management activities are regularly automated. Innovation occurs proactively, before service level failures. Identity management activities are self-healing, incorporating organic corrective actions and improvement methodologies. Operational results are monitored on an ongoing, perhaps even real-time basis and continuous improvement is the goal. |
|
Identity storage |
Identity data is consolidated using directory aggregation technologies such as metadirectories or virtual directories. Internal data stores routinely share data using standard protocols and common schemas. |
|
Authentication |
Authentication is done using standard credentials that work enterprise wide. The enterprise has a consistent approach to how credentials are used to authenticate against a standard set of security levels. |
|
Authorization |
Policy decision points base decisions on policies that are applied consistently and automatically across various devices and systems. The enterprise supports an integrated policy distribution mechanism to support consistent policy application. Resource owners and custodians are given a standard way to set and distribute authorization policy and understand how to do it. |
|
Federation |
Federation is networked. Adding new federation partners requires almost no effort. Federation partner provisioning may even be self-service in many instances. |
The Rights Steps at the Right Time
As you go through the process of building an IMA in your organization, don’t try to do too much too fast. For example, you might make the mistake of establishing policies that require activities and behaviors that aren’t yet supported by the infrastructure. The way to avoid this is to have a firm grasp of where your organization is in the maturity model that is presented in this chapter, and then set goals to move to the next level in specific areas.
One thing you should remember is that most organizations will be at different levels of the maturity model for any given process or infrastructure component. For example, it’s possible that a company could have a fully functioning self-service password reset functionality but not have enterprise-wide policies. The key is to assess your maturity in different areas and then set goals accordingly.
Finding Identity Processes
Evaluating the maturity level of your identity infrastructure involves evaluating business drivers, processes, systems, and user understanding for each component. As it turns out, evaluating the processes will cause you to evaluate the business drivers, systems, and user readiness, so that’s where we concentrate our efforts.
The first step is to perform an identity process inventory . Starting out, you may not have many of your processes documented, so you have to go search for them. This is where the business function matrix that we discussed in Chapter 14 comes into play. One or more processes support each business function. Depending on how fine-grained you got in your decomposition of functions, you may have to dig a little deeper or come up a few levels to get to the right level for finding processes.
Processes can usually be found by looking for tasks and then asking, “How does this task get done?” For example, asking that question about the task of resetting a user’s password will lead to the processes that use and update identities.
If you’re organization is operating at the ad hoc or focused levels in the maturity model, you’ll find the processes completely fractured according to business function, because they will have grown up independently. As your identity infrastructure matures, identity processes will cut across multiple business functions.
This discussion of processes may not seem to concentrate enough on identity. Be careful not to just pick out identity management processes, such as “password reset,” or you’ll miss other processes that also affect identity. For example, consider the “employee provisioning” process. On its face, this is not an identity management process, but as we’ll discover in the next chapter, it’s a process that is all about managing identities of various sorts.
Evaluating Processes
Once you’ve found the processes, the next step is to document and evaluate them. The following questions and ratings can form the basis for a process inventory:
- Process name and description
List the name of the process and describe it so you can recognize it later.
- Business drivers
What business functions depend on this process? What business goals are supported? Why is this process done?
- Tasks
List any tasks that make up the process.
- Documentation
Evaluate the documentation of workflows, roles, and systems and rank them on a scale from 1 to 10 (no documentation to stellar documentation).
- Repeatability
Rank the repeatability of this process on a scale from 1 to 10 (not repeatable to fully repeatable).
- Stability
Rank the stability of the process on a scale from 1 to 10 (unusable to rock solid).
- Required staff and skills
List the staff (by role), unique skills, and required proficiency in those skills to perform this process. Assess and rank on a scale of 1 to 10 the proficiency level of current staff.
- Systems and technology
List systems and technology that support this task.
- Integration
Evaluate the level of integration of these systems and technology on a scale from 1 to 10 (not integrated to fully integrated).
- Level of automation
Rank the automation level of this process on a scale from 1 to 10 (manual to fully automated).
- User understanding
Rank the level of understanding that users of this process have on a scale from 1 to 10 (no understanding to perfect understanding). Note that we’re not evaluating the people carrying out the process, but the people affected by it.
- Metrics
List any metrics used to measure the effectiveness and performance of the process.
- Feedback
Rank how the metrics listed above are used to evaluate and change the process over time on a scale from 1 to 10 (not at all to consistently).
The factors listed above are illustrative. You may find other factors that are important to you and your goals. You should customize this to suit your needs. Using the rankings that you arrived at in the evaluation should allow you to assign an overall maturity level to the process.
A team of people who are not involved in performing the process day to day should carry out the evaluation. The team can gather data through questionnaires, individual and group interviews, and reviewing documents. You will also need to create criteria that allow the team to make consistent judgments. The evaluation must be done in a way that is helpful rather than judgmental. One way to accomplish this is for the evaluation team to be transparent in its dealing with the process team, sharing data and insights freely, and thoughtfully considering feedback from the process team on the inventory.
Like everything else in the IMA, the process inventory is not a static document, but a tool that is used and updated as necessary. The inventory data is best stored in some kind of structured way (XML or a database), rather than as plaintext documents, so that it can be searched and evaluated. As you move through other activities in building your IMA, you’ll find more identity processes. Have a methodology for adding them to the process inventory and incorporating them into the plan.
A Practical Action Plan
As you contemplate building an identity process inventory for your organization, you may feel overwhelmed. Most organizations have no idea how many processes they perform and are often surprised at the size of the number. The good news is that you can often make progress on the maturity of your processes in a piecemeal fashion, making the task much easier to accomplish. In the last section, I said that tasks lead to processes. Tasks are also one of the keys to prioritizing your action plan.
As you look at tasks, try to identify those tasks that are causing the organization considerable pain, because they’re not performed well or those that are costing a lot to accomplish. The processes associated with these tasks are where you should start. As an example, consider that task we mentioned in the last section: resetting user passwords. Most organizations spend a lot of money on help desk-supported password resets, and there can be considerable benefit from automating the processes that support this task.
As you dive into the processes surrounding password reset, you’re likely to find that there’s not just one process, but many. Furthermore, they likely overlap and compete with one another. In an organization at the ad hoc or focused levels, there will be multiple password reset processes for each system and application. Furthermore, the administration of these passwords will likely be manual, requiring expensive intervention by multiple administrators.
After you’ve chosen the most critical processes to improve, envision the goal state for each of them. The goal state would likely include standardizing and documenting the process and replacing the manual processes on the various systems with an automated self-service system. Staffing may need to change, skills may need updating, and metrics developed. You may also move to integrate some or all of the many processes into a single process at the same time, or you may take that as a second step after the systems have been standardized.
The goal state can be documented in the same format as the process inventory given previously. Be wary of creating unrealistic goal states. For example, you may upgrade the technology platform significantly and move the automation ranking a great deal, but the stability ranking may not be able to move much until other process have been redone. Keep current skill sets, staffing levels, and budgets in mind when you’re planning. Its OK to move slowly if that’s all you can do. The important thing is having a process for continuous improvement.
Filling the Gaps with Best Practices
Once you have used the maturity model to assess your current state in any given area and selected a goal, the gap between these two is filled with what we can term “best practices .” The term best practice gets thrown around a lot. For our purposes, we use the term to define activities that have four characteristics:
- Best practices build on the experience of others.
Best practices are usually evolutions of practices already being performed in your organization or in another. You can find out what others are doing by reading, going to conferences, networking in local and national industry associations, and hiring consultants.
- Best practices are documented.
Your organization must have a methodology for documenting what it does in a way that others can follow. People should be trained in how practices are documented.
- Best practices are repeatable.
Once practices have been documented, other groups can duplicate them. If the documentation is not sufficient to allow the practice to be repeated, then the documentation should be improved.
- Best practices are measured.
Like any good recipe, practices that are repeated in the same way should give the same results. The only way to tell if you’re getting the same results is to have some way to measure the outcome of the practice. Metrics can be used to evaluate a practice, determine why the results are not adequate, and then change the practice.
As I stated earlier, there are many things you will change in your organization as part of building a functional digital identity infrastructure, but I believe the best approach is to build the process first. As part of building the process, tools will be bought and systems will be changed, but those technology pieces are done in response to a process need rather than the other way around. Using process creation to drive tool and system changes results in clearer requirements and systems that meet business needs.
This thinking is antithetical to how many IT organizations approach solving technical problems. When faced with a gap, many turn to a vendor and product to solve the problem. Once the product has been purchased, then the organization gets down to developing a process to use the tool.
Creating a process that leads to your goal state requires several steps:
Design a process and document it. Be sure to include workflows, any necessary automation, and metrics that can be used to evaluate the effectiveness of the process.
Put the process into action. This may include hardware and software changes and upgrades, training, new staffing, and other changes.
Measure the results. Don’t be afraid to change the measurements themselves if they’re not giving you data that can be used to improve the process.
Feed the data back into the process design, make changes, and start again. This fine-tunes the process until the goal state is achieved.
One of the most difficult tasks is to integrate similar processes across different systems. This can require significantly greater resources and much greater political skill, but is the key step in moving from the focused level to the standardized and onto the integrated levels.
Conclusion
Building a digital identity infrastructure that is responsive to business goals requires assessing where your organization is now and where it wants to go. The identity maturity model and the associated process inventories presented here are a tool for doing that. Once you know where you want to go, processes can be designed, implemented, and fine-tuned to put best practices into place.