Yin and Yang: Two Views on IAM – HR vs Identity Management
April 21, 2017
By Steve Mowll and Chris Williams
POINT: NEWS FLASH identity management people, HR is not here to feed you with identity data!
Steve Mowll, Systems Engineer, RSA
Identity management teams may believe it is the human resources (HR) department's responsibility to be an identity management provider. Unfortunately for IT, or fortunately for HR, it is not their job.
HR is a business function tasked with finding and retaining the top talent for a company. They guide new employees – orientating them, helping them achieve career goals and ensuring that payroll and benefits function correctly. For this, they interact a great deal with, and are aligned to, the overall business. NEWS FLASH identity management people: HR has a view into employee data, but they are not here to spoon-feed IT with the employees' identity data!
If IT approaches HR in this mindset, the conversation will end poorly. Getting off on the right foot at the start of any project is key to a successful and productive relationship. That’s why we urge you to think differently if you want to use HR data for your identity management system. Here are a few tips:
Lastly, regardless of how hard things get, I warn you, never mention Catbert, the evil HR manager!
COUNTERPOINT: HR data is a good resource, but combining highly-descriptive data about people inside and outside of the IT stack can create a more accurate person-record.
Chris Williams, Advisory Architect, RSA
Catbert isn’t evil…he’s just misunderstood. Or, is he?
Years ago, before applications became capable of understanding who their authorized users were, most organizations managed a single repository containing “who a person is” and “what is their business function.” Of course, the repository owner was Human Resources. By its very nature, it’s a fantastic facility for all types of people-data: positions, managers, departments, salary, performance, and so on.
Today, many IT organizations are finding complementary, highly-descriptive data about the people inside and outside of their IT stack. Think of all the directories, databases, applications, and enterprise resource planning (ERP) software within your business. Now, add all the external partner, social, and hosted/SaaS services containing people-data. Combined, this data can be used to create a more accurate person-record, while reducing the impact on HR of attaining, maintaining, and providing that data. The trick is to not manage too much data.
If we apply a few rules about descriptive and relational data learned from infrastructure management projects (think configuration management databases used in an IT Service Management program), we know that we can select (federate) which “attributes” of a person we want to use, and then populate that within a unified person-record within an identity management solution. In this manner, the identity management solution becomes a living system of truth. With that said, there are a few things you should keep in mind when building a federated identity management record set:
Moreover, information security teams can rely on a current unification of the best attributes from the best descriptive data sources – whether they are from IT, HR or a combination of both – comprising the definitive answer to “Who are my users?” And, Catbert won’t be upset with us each time we need a new report.
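The attribute-level federation described above can be sketched as follows. This is an added example, not code from the original article or from any RSA product; the feed names, attribute names, precedence policy and 90-day staleness cutoff are all assumptions chosen for illustration.

```python
from datetime import date

# Constructed sample feeds keyed by a shared employee id (all values invented).
FEEDS = {
    "hr": {"e1001": {"legal_name": "Dana Reyes", "manager": "e0042",
                     "department": "Finance", "as_of": date(2017, 4, 1)}},
    "directory": {"e1001": {"email": "dreyes@example.com",
                            "department": "Fin-Ops", "as_of": date(2017, 4, 18)}},
    "saas_crm": {"e1001": {"email": "dana.reyes@example.com",
                           "as_of": date(2016, 11, 2)}},
}

# Hypothetical policy: for each attribute, sources listed in order of authority.
# Attributes not listed here are never copied, which keeps the record small.
AUTHORITY = {
    "legal_name": ["hr"],
    "manager": ["hr"],
    "department": ["hr", "directory"],
    "email": ["directory", "saas_crm"],
}
MAX_AGE_DAYS = 90  # assumed cutoff: older source rows are ignored as stale


def build_person_record(person_id, feeds, authority, today):
    """Return (record, provenance, conflicts) for one person."""
    record, provenance, conflicts = {}, {}, []
    for attr, sources in authority.items():
        seen = {}  # source name -> fresh value for this attribute
        for src in sources:
            row = feeds.get(src, {}).get(person_id)
            if not row or attr not in row:
                continue
            if (today - row["as_of"]).days > MAX_AGE_DAYS:
                continue  # stale row: do not let it win or raise a conflict
            seen[src] = row[attr]
        if not seen:
            continue  # no fresh source; leave the attribute unset
        winner = next(s for s in sources if s in seen)
        record[attr] = seen[winner]
        provenance[attr] = winner  # lets an auditor see where a value came from
        if len(set(seen.values())) > 1:
            conflicts.append((attr, dict(seen)))  # disagreement to review
    return record, provenance, conflicts


if __name__ == "__main__":
    print(build_person_record("e1001", FEEDS, AUTHORITY, date(2017, 4, 21)))
```

Recording provenance and conflicts alongside the merged values is what lets a security team trust the unified record, because every attribute can be traced to its source and disagreements surface for review instead of being silently overwritten.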