Hybrid IT is disrupting many processes in IT organizations and contributing to organizational complexity. That complexity extends to identity management, which allows organizations to understand not only who has access to the environment, but what has access as we expand into the internet of things. So what impact does hybrid IT have on identity management? Answering that requires an understanding of how we arrived at our current position.
The waves of identity
The history of identity management can be described in three waves.
The first was driven by IT operations teams, who were reacting to disgruntled business users who were tired of waiting days or weeks to get access to IT services when they first joined a company. Operations had to become more efficient by automating the provisioning of entitlements, and revoking those entitlements quickly when employees left the company or no longer needed them.
The second wave hit in reaction to regulations that require the enforcement of least-privilege controls, such as , , and . Governance and compliance became the focus as “identity governance and administration” (IGA) became the preferred terminology. Requirements shifted to emphasize tools that could gather entitlement lists from systems or applications and make it convenient for business managers to certify that only the proper users have access, in an effort to satisfy demanding auditors. The wave of automating identity entitlements slipped backward into greater acceptance of manual provisioning and de-provisioning processes.
An identity-centric security approach to reducing risk demands automated fulfillment to keep up with the pace of change in today’s enterprise. Scanning systems and applications for credentials every two weeks or waiting days or weeks for manual fulfillment of an entitlement change, as we see in second-wave systems, is wholly inadequate to address current risks that mutate with alarming agility.