Yin and Yang: Two Views on IAM – HR vs Identity Management

By Steve Mowll and Chris Williams

POINT: NEWS FLASH identity management people, HR is not here to feed you with identity data!
Steve Mowll, Systems Engineer, RSA

Identity management teams may believe it is the human resource (HR) department’s responsibility to be an identity management provider. Unfortunately for IT, or fortunately for HR, it is not their job.

HR is a business function tasked with finding and retaining the top talent for a company. They guide new employees – orientating them, helping them achieve career goals and ensuring that payroll and benefits function correctly. For this, they interact a great deal with, and are aligned to, the overall business. NEWS FLASH identity management people: HR has a view into employee data, but they are not here to spoon feed IT with the employees’ identity data!

If IT approaches HR in this mindset, the conversation will end poorly. Getting off on the right foot at the start of any project is key to a successful and productive relationship. That’s why we urge you to think differently if you want to use HR data for your identity management system. Here are a few tips:

  1. Involve HR colleagues at the beginning of an identity management project and identify an HR executive stakeholder.
  2. Understand the end-to-end HR processes and data, but make sure you also understand each process’ intention and purpose, not just the flow or process itself.
  3. HR works with the lines of business to define their processes and data. Get involved in the business conversations and relationships that your HR team has. You will have a very hard time making identity management relevant to the business if you don’t.
  4. Understand the value you can add to the HR team and their mission. This is not just about creating and securing access. It’s about getting employees productive from day one. And, it’s about making sure they have the ready and appropriate access to the systems and applications they need to do their jobs.

Lastly, regardless of how hard things get, I warn you, never mention Catbert, the evil HR manager!

COUNTERPOINT: HR data is a good resource, but combining highly-descriptive data about people inside and outside of the IT stack can create a more accurate person-record.
Chris Williams, Advisory Architect, RSA

Catbert isn’t evil…he’s just misunderstood. Or, is he?

Years ago, before applications became capable of understanding who their authorized users were, most organizations managed a single repository containing “who a person is” and “what is their business function.” Of course, the repository owner was Human Resources. By its very nature, it’s a fantastic facility for all types of people-data: positions, managers, departments, salary, performance, and so on.

Today, many IT organizations are finding complementary, highly-descriptive data about the people inside and outside of their IT stack. Think of all the directories, databases, applications, and enterprise resource planning (ERP) software within your business. Now, add all the external partner, social, and hosted/SaaS services containing people-data. Combined, this data can be used to create a more accurate person-record, while reducing the impact against HR to attain, maintain, and provide that data. The trick is to not manage too much data.

If we apply a few rules about descriptive and relational data learned from infrastructure management projects (think configuration management databases used in an IT Service Management program), we know that we can select (federate) which “attributes” of a person we want to use, and then populate that within a unified person-record within an identity management solution. In this manner, the identity management solution becomes a living system of truth. With that said, there are a few things you should keep in mind when building a federated identity management record set:

  1. Keep it simple – don’t overthink how to collect the data and utilize a base data exchange model – but make sure you still protect the data in transit.
  2. Only take what you need – like most data warehouses, the collected information can easily become too large and too difficult to manage.
  3. Have a plan to utilize the data – think about how a person’s attributes will be used to describe who they are, what access they should have, how it helps build roles and rules, etc. Although it may better describe a nuance about a person, if it doesn’t drive a specific access requirement, then you don’t need it.
  4. Leverage what already exists – you will likely find the data you need without having to go to HR directly. Payroll, corporate directories, organization charts, etc. can all provide very rich data sources. If there are complete records, then grab as much as you can, thus limiting how many unification sources are needed to build a “complete record.”
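The four rules above, as an added example that is not code from the authors or from RSA: a person-record is assembled from several feeds by an attribute-to-source policy, so only attributes that drive an access decision are copied, the first listed source wins, and disagreements between sources are surfaced rather than silently dropped. The feeds and the `employee_id` correlation key are assumptions constructed for the example.

```python
"""Federated person-record assembly (added example, not the post's or RSA's
code). Assumes employee_id is the correlation key shared by every source and
that POLICY below is the agreed attribute -> source-precedence list."""

# Constructed sample feeds, not real data. HR and payroll both carry salary,
# which no access rule needs, so the policy never copies it into the record.
SOURCES = {
    "hr":        {"E100": {"status": "active", "dept": "Finance",
                           "manager": "E007", "salary": 95000}},
    "payroll":   {"E100": {"cost_center": "CC-41", "salary": 95000}},
    "directory": {"E100": {"title": "Analyst", "dept": "Accounting",
                           "email": "e100@example.com"}},
}

# Attribute -> ordered list of sources to read it from; the first source
# holding a value wins. Only attributes that drive an access decision appear.
POLICY = {
    "status":      ["hr"],
    "dept":        ["hr", "directory"],
    "manager":     ["hr"],
    "cost_center": ["payroll"],
    "title":       ["directory"],
}


def unify_person(emp_id, sources=SOURCES, policy=POLICY):
    """Return (record, conflicts, sources_used) for one person."""
    record = {"employee_id": emp_id}
    conflicts = {}
    used = set()
    for attr, order in policy.items():
        seen = {}  # source -> value, kept in policy (precedence) order
        for name in order:
            row = sources.get(name, {}).get(emp_id)
            if row is not None and attr in row:
                seen[name] = row[attr]
        if not seen:
            continue  # absent everywhere: leave it out rather than invent it
        winner = next(iter(seen))
        record[attr] = seen[winner]
        used.add(winner)
        if len({str(v) for v in seen.values()}) > 1:
            conflicts[attr] = seen  # disagreement worth raising with HR
    return record, conflicts, sorted(used)


if __name__ == "__main__":
    rec, conf, used = unify_person("E100")
    print(rec)   # no salary or email: neither drives an access decision
    print(conf)  # {'dept': {'hr': 'Finance', 'directory': 'Accounting'}}
    print(used)  # ['directory', 'hr', 'payroll']
```

The `conflicts` map is the useful by-product: it tells you which attribute needs a single authoritative source before it can safely feed roles and rules.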

Moreover, information security teams can rely on a current unification of the best attributes from the best descriptive data sources – whether they are from IT, HR or a combination of both – comprising the definitive answer to “Who are my users?” And, Catbert won’t be upset with us each time we need a new report.

Watch this video to see how RSA Identity Governance and Lifecycle is helping Ameritas to streamline access delivery and user lifecycle management for employees while improving audit performance. (NOTE: Via Access is now RSA Identity Governance and Lifecycle)