Identity management (IdM): essential knowledge for IT project management
The transformation from the physical world to the virtual world of the Internet has dramatic implications for human interaction, business, entertainment, and other aspects of society. If a truly virtual world that can accommodate the breadth and depth of human endeavor is to be conceivable, nothing is more important than identity. On the Internet, movement is instantaneous; people, applications, transactions, and data can cross many types of borders via many different paths. At the same time, the security issues associated with a very public and virtual space have become painfully clear as spam, phishing attacks, fraud, and identity theft have become undesirable everyday experiences.
Digital identity is the keystone that will ensure that the Internet infrastructure is strong enough to meet basic expectations for not just service and functionality, but also security, privacy, and reliability. Identity Management (IdM) is the set of business processes and a supporting infrastructure for the creation, maintenance, and use of digital identities within a legal and policy context.
There are clear and strong links between IdM and business objectives. Projects are temporary engagements that produce services and/or products based on those business objectives. Therefore, it is important for project management professionals to understand IdM in order to make informed decisions and manage projects more effectively.
What is Identity Management (IdM)?
Burton's categorical definition of IdM: Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities in online spaces.
Business processes refer to those of Management, Policy, Standards, Procedures, Documentation, Auditing, Testing, Technology, Personnel, Incidents, Legal, Physical, Knowledge, Awareness, and Organization.
Supporting infrastructure refers to the platforms, applications, and other resources that, in concert with the business processes, manage the digital identity lifecycle. Exhibit 1 is a sample IdM Architecture Template.
Why is IdM important in the IT world?
Company executives are being driven to address business issues and regulatory requirements. IT managers are being driven to implement centralized services based on ever-increasing business and regulatory requirements. The following benefits of an IdM infrastructure clearly demonstrate its importance in the IT world:
Improved user experiences
- Improved efficiency of employees
- Customer retention
- Minimization of errors
- Clear business processes
Hard dollar savings
- Help desk password resets easily measured
- Duplicate administration responsibilities
- Eliminating redundant software and solutions
Soft dollar savings
- User productivity
- Hidden administrative costs
Security: Lifecycle identity administration
- Fragmented identity management
- Dormant and orphan accounts
- Auditability and accountability
- Delegated and self-service account administration
Security: Policy enforcement
- Regulatory compliance
- Protect corporate information
- Protect intellectual property
- Support internal audits
- Provide stronger authorization based upon the value/sensitivity of information
- Provide risk and liability management
- Basis for corporate image and employee relationships
- Flexible IdM infrastructure
Exhibit 1 – Sample IdM Architecture Template
What is Digital Identity?
A digital identity contains data that uniquely describes a person or thing (called the subject or entity in the language of digital identity) but also contains information about the subject's relationships to other entities. Digital identity management is about creating, managing, using, and eventually destroying those records. Exhibit 2 below shows a sample digital identity management lifecycle.
Exhibit 2 – Digital identity management lifecycle
The IdM processes and life cycle
There are 4 major IdM processes: Registration and Creation, Propagation, Maintenance and Management, and Termination. Exhibit 3 depicts the IdM processes and lifecycle.
Exhibit 3 – The IdM Process and lifecycle
Registration and Creation
The first step in the identity lifecycle is to create the identity and the attributes that determine its privileges. In theory, enterprises should employ a registration function as part of their IdM process. That function should include a means of vetting registration information, which can range from taking someone's word to deep background checks for more sensitive and secure environments. It also includes issuing credentials and defining at least a baseline profile. In practice, registration processes vary widely, both within and across enterprises. They are also expensive and raise many privacy and policy issues.
Propagation
Once an enterprise has created a unique identifier, issued credentials, and defined basic profiles, the next step is to propagate the digital identity to the IT systems the user will access. Often, there is an intermediate step in which an automated process takes the initial registration information (from an HR or customer database) and propagates it to a directory service, which serves as an authoritative identity source for a variety of applications and services. Once identity information is in the directory service, it can support ongoing authentication (proof of identity) for the user.
Maintenance and Management
Identity attributes change constantly, as do application capabilities and entitlements. Therefore, once an identity has been registered and propagated, ongoing maintenance and management processes are needed. The change management process uses many of the same automated mechanisms that support registration and propagation. For example, a change in a person's role can trigger creation of new accounts, deactivation of old accounts, or adjustments in the person's entitlements.
Termination
Enterprises must establish termination processes to end the identity information lifecycle for employees, contractors, customers, suppliers, partners, and other users. In most cases, termination processes are driven by security-conscious policies that set a limit on the amount of time that may pass between a user's termination and the point at which all of their access to corporate systems is shut off. How much time is acceptable depends on a variety of factors, including the vertical industry in which the business operates, the class of employee, and basic security requirements.
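As an added illustration of the lifecycle controls described above (not code from the paper), the following Python script reconciles a constructed HR feed against the accounts found in one downstream application and reports the classic lifecycle failures: orphan accounts with no authoritative record, terminated users whose access outlived the policy's grace period (which here varies by class of employee, as the text notes), and dormant accounts. All names, dates, roles and grace periods are made-up sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data: the authoritative HR source and the accounts
# present in one application. Every name and date is invented.
HR_RECORDS = {
    "alice": {"status": "active", "terminated_on": None, "role": "employee"},
    "bob": {"status": "terminated", "terminated_on": date(2006, 3, 1), "role": "contractor"},
    "carol": {"status": "terminated", "terminated_on": date(2006, 3, 14), "role": "employee"},
}
APP_ACCOUNTS = {
    "alice": {"enabled": True, "last_login": date(2006, 3, 10)},
    "bob": {"enabled": True, "last_login": date(2006, 2, 20)},
    "carol": {"enabled": True, "last_login": date(2006, 3, 12)},
    "dave": {"enabled": True, "last_login": date(2005, 9, 1)},   # no HR record: orphan
    "erin": {"enabled": False, "last_login": date(2006, 1, 5)},  # no HR record, already disabled
}
# Assumed policy: days an account may stay enabled after termination, by class of user.
GRACE_DAYS = {"employee": 2, "contractor": 0}
TODAY = date(2006, 3, 15)  # review date for the sample run


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str    # "orphan", "overdue_termination" or "dormant"
    detail: str


def review_accounts(hr, accounts, today, grace_days, dormant_days=90):
    """Reconcile application accounts against HR and return lifecycle findings."""
    findings = []
    for name, acct in sorted(accounts.items()):
        person = hr.get(name)
        if person is None:
            # Nobody in HR vouches for this account; only enabled ones are a risk.
            if acct["enabled"]:
                findings.append(Finding(name, "orphan", "enabled account with no HR record"))
            continue
        if person["status"] == "terminated":
            deadline = person["terminated_on"] + timedelta(days=grace_days.get(person["role"], 0))
            if acct["enabled"] and today > deadline:
                findings.append(Finding(name, "overdue_termination", f"access should have ended by {deadline}"))
            continue
        if acct["enabled"] and (today - acct["last_login"]).days > dormant_days:
            findings.append(Finding(name, "dormant", f"no login since {acct['last_login']}"))
    return findings


def run_sample():
    return review_accounts(HR_RECORDS, APP_ACCOUNTS, TODAY, GRACE_DAYS)
```

Carol's account raises no finding because her two-day grace period has not yet elapsed on the review date, while Bob's contractor account, with no grace period, is flagged.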
Applying IdM to the project management Plan-Do-Check-Act cycle
The Plan-Do-Check-Act cycle and the Project Management Process Groups
The project management processes presented in the PMBOK Guide are described as discrete elements with well-defined interfaces. In practice, however, they overlap and interact in ways that have not been completely detailed. Most experienced project management practitioners recognize that there is more than one way to manage a project.
An underlying concept for the interaction among the project management processes is the plan-do-check-act cycle (see Exhibit 4). The integrative nature of the Process Groups is more complex than the basic plan-do-check-act cycle (see Exhibit 5). However, the enhanced cycle can be applied to the interrelationships within and among the Process Groups. The Planning Process Group corresponds to the “plan” component of the plan-do-check-act cycle. The Executing Process Group corresponds to the “do” component and the Monitoring and Controlling Process Group corresponds to the “check and act” components. In addition, since management of a project is a finite effort, the Initiating Process Group starts these cycles and the Closing Process Group ends them.
Exhibit 4 – The Plan-Do-Check-Act Cycle
Exhibit 5 – Project Management Process Groups Mapped to the Plan-Do-Check-Act Cycle
Applying IdM knowledge to project management's Plan-Do-Check-Act cycle
Now we have a basic understanding of what IdM is all about. Have you ever managed a project that never “touched” IdM? The answer would be no. Of course, what we are talking about here is a “real” IT project, not your house-painting project.
Exhibit 6 is a component mapping of the Plan-Do-Check-Act cycle and the PMBOK Process Groups onto IdM. PMI's project management methodology is a generic one that needs to be “customized” to your industry and your specific project needs and requirements; therefore, the mapping shown below is also a general one that varies with the industry you serve and your specific project needs and requirements.
Exhibit 6 – Component Mapping of Plan-Do-Check-Act with PMBOK Process Groups with IdM
IdM is here to stay! Some of you might have experienced it, painfully, through identity theft. Technology companies have placed huge bets and investment in this area and many companies have benefited from having a better IdM program.
Either you are with it or IdM will run over you.
Blum, D. (2005, February). Vantage Point 2005-2006: Information Security Trends. [Electronic Version]. Retrieved from http://www.burtongroup.com/research_consulting/publicdoc.aspx?cid=858
Gebel, G. (2005, June 15). Identity Lifecycle and Workflow: Building an Identity Program. Identity and Privacy Strategy - In-Depth Research Overview. [Electronic Version]. Retrieved from http://www.burtongroup.com/research_consulting/doc.aspx?cid=670
PMI (2004). A Guide to the Project Management Body of Knowledge (PMBOK® Guide), Third Edition. Newtown Square, PA: Project Management Institute, Inc.
Neuenschwander, M., & Lewis, J. (2005, June). Document Enterprise Identity Management: Moving from Theory to Practice. [Electronic Version]. Retrieved from http://www.burtongroup.com/research_consulting/doc.aspx?cid=277
Windley, P. (2005, August). Digital Identity. Cambridge, MA: O'Reilly Media, Inc.
© 2006, Wei Lee
Originally published as a part of 2006 PMI Global Congress Proceedings – Santiago, Chile