Where’s the Authority in Identity?: Part I
Where and How Authoritative Sources Fall Short
Identity management programs are unique in that they rely heavily on data and processes that aren’t generally owned by an organization’s Identity, IT, or Security teams. Examples of these processes and the data that accompanies them include:
- Human Resource (HR) processes like recruiting, onboarding, and termination
- Procurement processes and their data (vendor info, contracts, work orders)
- Partner relations
- Line of business (hiring managers, project managers, etc.)
These processes can vary greatly even within the same organization, both in the individuals included in the process (vendors, employees, partners, interns, etc.) and in the workflows that these processes use. The way the data is collected and disseminated within these processes can also vary greatly, depending on who’s involved and who needs to know what.
No matter who’s involved and what the workflow is, a lot of important data is collected for each process. The repository where this data is stored for consumption by reliant systems is generally referred to as a system of record or authoritative source, the latter term more commonly used by identity professionals.
HR systems are the most common authoritative source for people data, as organizations’ HR teams centrally house and maintain employee data in these systems. There are other examples of authoritative sources, including student record systems, vendor management systems, and even home-grown databases or repositories where people and “identity” data are collected via manual processes or web forms, then used to inform identity and access decisions for those people. While all these systems are often categorized as authoritative sources, they generally fail to fulfill the duties that identity solutions expect of an authoritative source.
What identity solutions and processes actually require to perform properly is a trusted identity authority that delivers consistently reliable identity data. So, what’s required for an identity authority to be trusted? I’m glad you asked:
- Proactive collection and maintenance of complete data by responsible parties
- Constant validation of data to ensure it remains up-to-date and accurate
- Storage of data in an accessible and searchable repository
The absence of a trusted identity authority results in:
- Outdated and inaccurate information that misinforms identity and access decisions
- Serious consequences including audit findings, breaches, unnecessary costs associated with user licenses that could otherwise be reassigned, and more
In short, identity processes are only reliable if they are driven by reliable identity data and consistent processes around the collection and maintenance of that data.
The identity industry has historically had a love-hate relationship with authoritative sources. We’ve become reliant on data from employee record systems… so reliant that when we must manage identities that don’t belong in HR systems, we end up shoe-horning that data into them anyway, regardless of the cost, the effort, and the liability of doing so.
HR systems have become a ‘catch-all’ for many organizations – a bit of a ‘junk drawer’ if you really think about it. Where can we put this list of contractors to make sure they get access? Where should we place these interns that’ll only be with us for the next two months? What about the construction crew that’ll be temporarily onsite to complete a project but needs access to the 3rd floor?
You can read Part 2 of this “Where’s the Authority in Identity?” blog series to discover what’s in the junk drawers of most organizations’ identity programs. You can also take SecZetta’s self-guided product tour to learn how your organization can automate processes for all your third-party non-employees and establish zero trust, risk-based identity access throughout their entire lifecycle.