back to article I think therefore IAM: It's not cool, it's not sexy, but it's one of the most important and difficult areas in modern IT

A search on LinkedIn's UK job site just now (1 June 2021) returned 5,265 roles for a network manager; 2,204 for a system administrator; 4,964 for a web developer; and 10,776 for a business analyst. None of these are a particular surprise – they're popular, sought-after careers. Oh, and there were 1,522 results for "Identity …

  1. Anonymous Coward
    Anonymous Coward

    HR is the key

    HR has a database of employees. Accounts creation should be automated. Account termination should be automated. Both should be driven by HR data with no human intervention. This will prevent prevent usernames that look more like nicknames,

    1. Anonymous Coward
      Anonymous Coward

      Re: HR is the key

      In principle, yes.

      In practice, HR data is often wrong, and HR processes are convoluted, with HR wanting to stick to their way of working because "That's how we've always done it" despite the fact it hugely complicates the process.

      Add into it the crossover between powerhungry HR staff and their underlings who have a degree in mouthbreathing and problems keep on coming.

      Anon Coward because I make a lot of money from HR fuckwittery and want to keep on making money.

      1. Fred Daggy Silver badge

        Re: HR is the key

        Agreed. HR around here want to have NOTHING to do with authorisations.

        Despite the legal requirements and being told several times by the Board, HR never inform IT when someone leaves. Except to wield the scythe. No ticket, not email - just a quick phone call to someone with sufficient permission. Not even an official announcement when gardening leave is up. Of course, the fluffy bunny HR lets the said leaver go without so much as confiscating the phone and laptop - even when there is much scullduggery afoot. You know - evidence.

        Typically they also sit on hiring information until the friday before the hire starts and then demand new equipment (that during Covid has a lead time of a month - so they can blame IT).

        It would be generous to say they are good at protecting the company from the personnel. I don't even think ours do a good job of protecting themselves. At best one can say that they snakily do senior managements wishes in getting inconvenient people out of they way.

    2. Evil Auditor Silver badge

      Re: HR is the key

      I agree but...

      In practice it is hardly ever that simple. First, accounts are, even if crucial, only a small part of the problem - the larger and much more complicated one being user permissions. And second, many companies have consultants, staff from service providers and other external staff that is not contracted by HR and still need a user account.

      So far I've only come across two companies (less than 1%) that fully manage user accounts and permissions through the HR system: any user, incl. external, has to be registered and assigned a role in the HR system. And based on the users' organisational unit and role they automatically get their permissions - and also automatically revoked if no longer needed. In addition, external users need to be periodically confirmed by their internal person responsible or their access will be revoked as well.

      1. Anonymous Coward
        Boffin

        Re: HR is the key

        Inertia.

        With IDs, it's not just HR, although they are a big part of the problem. It's also every group that writes contracts or hires consultants who will require IDs. And then you add on user permissions and all groups or people who can grant or revoke them.

        Each of them was doing this before you showed up and none of them wants to change their process.

    3. Anonymous Coward
      Anonymous Coward

      Re: HR is the key

      I based my masters around identity management within HR departments of SME’s, a real page turner, so have given it a little bit of thought previously and in summary would go with no; HR is really not a good place to look.

      I remember there was a story some time ago about the person who got fired and ultimately escorted out of a building because no one could halt an automated process in spite of the managers wanting to retain the staff member (or something along those lines).

      In an ideal world HR data would be useful however the HR department is not the place to find experts in data management, the quality of data you have to work with is woeful. That is not to be insulting but to reflect the reality that human resources departments are primarily meant to be good at dealing with illogical and unpredictable humans and the equally sensible legislation that governs them rather than be master of religiously logical systems. “That’s how we’ve always done it” x110% - “We do that in a spreadsheet”- “Of course we keep records, when someone books a holiday I write it on this card”..... There are actually some really on the ball HR people out there as well.

      People get entered into an HR system when they apply for a job and will stay in it after they leave employment. In turn they should have access to an HR self-service system before they start (enter / update their details, read relevant policies etc. before they even enter the proverbial building or even have an interview) and after they leave (collect their P45, payslip, update their address, view their data that has been retained) which makes them difficult to deal with using an integrated SSO. There is also a lot of potential for people who lack technical knowledge or interest to mess things up simply by not understanding the scope of the consequence of not entering a date in a box.

      There should be a sensible role of ‘Data Manager’ (not a role of making graphs and presentations but a practical one) in most organisations and that should be a position of some power (before an organisation can be in a position to require an Identity and Access Manager). Currently that data management role (in my experience of SME’s) is split between payroll/accounts, HR and IT (who may be outsourced and so simply not really give a damn unless they can invoice for it) (there will also be CRM’s etc. extending beyond the scope of just staff management). As it is each employee ends up with multiple isolated identities (especially in Excel and Outlook) because there simply is not anyone who cares or is trusted to see into all these systems to understand that is what is happening (there is also no one of any authority to say that this is not what should be happening). There simply is not rational management of data (and identity) at any level, in consequence any notion that the DPA is actually adhered to in practice becomes a chuckle factory.

      Ideally HR / payroll account and IT need to have the ownership of the data taken away from them before you can rationalise it to then be able to consider using it towards such a practical purpose as identity management. Those departments are actually the consumers of the data and should be arranged as such.

    4. Anonymous Coward
      Anonymous Coward

      Re: HR is the key

      Nothing, absolutely nothing, should ever be driven by HR or anything under their control. Give them some round-tipped scissors, some plasticine and keep them away from actual people.

      1. low_resolution_foxxes

        Re: HR is the key

        I tend to agree.

        As with all trades, there are some gems. But HR draws a particular "non-techie" mindset. They may have years of experience on iOS interfaces, some may even vaguely understand GDPR, but will no concept of software, bad actors, information management, hardware provision etc.

        Over the last 15 years, all of mine seem to have been under-25 yr old fresh uni graduates, or far-left CRT philosophers.

  2. casperghst42

    Interesting read from a write which misses the most obvious about IAM and why it is so difficult do right. The tool of the trade is mostly something like NetIQ Identtity Manager (I do not work for the company) (or something else which can be changed to fit the organization), then this is connected to something like Okta for provisioning (and authorization) , Okta is then using the on Prem-AD (or Office 365) for Authentication.

    And as a previous comment said; all identities start from the HR system ... and nothing should be done manually - people make mistakes (often).

    RBAC can be done with online tools like NetIQ Identitty Application or Sailpoint - does not matter as long as it's online and that users can request access (roles/premissions) which are granted "now".

    Any organization who is using tools like Excel for RBAC administration will at some point end up in a management nightmare.

    The biggy, which no one talks about is "red button", if an employee is let go, then the identity needs to be locked down immediately, which only works with systems which act on events - which many of these systems do not.

    And lets not forget about Access Governance ... reporting, a tool which suck out all the information and will report if there are things (rights) which should not be there, and especially if they are assigned to people who should not have them.

    IAM is complicated, and require knowledge not only about the choosen tool, but also about all the systems which you connect it to (AD, LDAP, SQL, Unix, Cloud, REST, SOAP, etc, etc, etc.).

    But it's madly fun to do....

    1. Anonymous Coward
      Anonymous Coward

      Working in the space, the technology is the easy bit. Making the technology fit processes that don't make sense in an automated workflow is the hard part.

      1. Evil Auditor Silver badge

        Couldn't agree more with AC. Although, I wouldn't necessarily say that the processes don't make sense. Rather, they've grown historically, often undocumented, into some form of highly complex tumor. Implementing an IAM means deciphering the tumor.

        1. Anonymous Coward
          Anonymous Coward

          Or chopping it out

    2. tbridge

      I think you're describing a world that centers on Active Directory as the primary source of truth, and that's definitely not the case for a lot of newer organizations. Today, many orgs have taken the approach of using SaaS products for directory management, identity management, and authorization. They can stay in those SaaS products for a reasonably long growth cycle before needing to graduate to an AzureAD.

      I work for one of those cloud tools - JumpCloud - and that's the gap that we're seeking to fill. AD had its moment, and there are certain circumstances still where that makes sense, but it's not a hard and fast requirement anymore. It might be worth taking a look for mid-market orgs looking to separate from an on-premise model, especially as remote work is picking up.

      1. EnviableOne

        In some places, the problem is actually defining what the single source of truth is, and AD or Increasingly AzureAD make a really good case if you are operating a mainly windows / O365 /Azure house as it is the only system that everyone has to be in (contractors, staff, volunteers, temps, casual workers.)

        when your starting from scratch designing is easy, when you go into the brownfield site that is a multinational that has a penchant for M&A and none of them has a common directory structure or a common source of truth.

        This is where you have to create your own with a specific IAM solution that brings all the others into some sense of order, can pull the info from all of them and make the changes to them also. This tends to get pricey

  3. Anonymous Coward
    Anonymous Coward

    Centralised Access Control

    Around here, the HR process gets rid of the basics via Centralized Access Control - AD account, email etc, but what’s left behind is a myriad of local accounts - particularly for IT users that by definition have higher levels of access due to the nature of an IT administrators role.

  4. Anonymous Coward
    Anonymous Coward

    All too often the IAM systems I see are ridiculously convoluted - in one it was hundreds of possible permissions, without much in the way for even grouping them into vaguely logical groups. As a result I typically see one of three things happening. Either everyone is given a "superuser" permission when one exists, given all permissions or the too fine grained permissions are used as intended with endless support calls...

  5. Anonymous Coward
    Anonymous Coward

    80 kusers company

    I had the chance to be in the team deploying a fully automated HR based IAM.

    Every app would work on this.

    It is amazing the amount of effort you need to deploy to achieve this.

    So many times we had to explain the difference between login and display name !

  6. Anonymous Coward
    Anonymous Coward

    I'm curious to get your thoughts on SailPoint software - identity IIQ. Does this not address many of the arguments (valid) you have made?

  7. Anonymous Coward
    Anonymous Coward

    Ah-ha. So you're the people who require me to sign in approximately twice per hour, even when I am working on an RDP Virtual Desktop to which I only have access through a VPN with 2FA? Well done. Very secure.

  8. Jadith

    The tech side is the easy part...

    Scripts and queries and bundles of nice software and an understanding of least privlidge, etc certainly take care of one side.

    However, dealing with managers, HR, or even other IT staff is where the headache lies.

    Noone wants to take ownership of what they believe is something IT should handle.

    Then processes are ignored to 'jist get it done' because no matter how many audits, reports, or discussions are had, nobody knows how to request access until that new or even veteran employee cannot work on the super important thing that is one hundred percent the only point to their job.

    Then management wants to just give everyone access to everything their department uses cause they are all a family over there in sales and nobody every deletes the wrong file or rips off the company before giving notice or would even think of checking out that link sent by some poor Russian fellow just looking for some help.

    Honestly, it is bad enough when it is just part of a job because at least you can comfort yourself with other work, but as a sole position...it should come with a complimentary onsite therapist.

  9. Stork Silver badge

    How many UIDs have you had at the same time?

    I think I had about ten in the period after we had been bought by big blue. Wonder if they were all deactivated

  10. mikepren

    Wgzt about non staff identity

    There's a big discussion ti be had around consumer /customer identity management. In theory the number of roles is less, but the volumes are higher. And of course you may then get into federated identity between different components or even different companies.

  11. Anonymous Coward
    Anonymous Coward

    Contractors and Third parties

    Working in a large bank, 3rd parties used for a lot of development, testing, support (inc Production data).

    All those users have accounts, very little of it on SSO, across multiple systems, Wintel to Mainframe and God knows what else in between.

    The 3rd parties have the right of substituion, so people change in the teams all the time, typically 15% churn in any given month.

    Information Security insist on Attestation of users and their rights/roles every month - it's all manual, via spreadsheet.

    I know of managers in a medium sized dept who have to complete upwards of 500 line items to confirm RandomIndianDude3 is entitled to access system x with permission y.

    How much of it is truthfully completed to the best of their ability and how much is 'looks OK from here' - who the hell knows.

    But if you don't submit the Attestation, you find a support team suddenly can't support the bank.

  12. Anonymous Coward
    Anonymous Coward

    "Public Cloud", AAD, RBAC, Managed Identities, IAM, bla bla bla for the Millennials and Post Millennials! On-prem 'till death (err, retirement), sh*tty IT industry! : )

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like