“It’s not the technology leading the conversation, it’s the business process,” says Ian Glazer, senior analyst, IdPS, at Burton Group.
Still, few enterprises will get by with only one IAM system if only because of the existence of several different computing platforms. So, IT must understand how to reconcile them all beneath a common perspective.
“You have to understand how IAM is initiated in different technologies, but you need to have a common view of entitlements and identities to accommodate all that,” Kampman says.
This isn’t easy because several ways of viewing entitlements and identities must be reconciled. First, IT must reconstitute the entitlements of compliance applications, which often have been on the corporate mainframes for years. That’s no small task.
“Organizations I’ve talked to say cleaning up mainframe entitlements and getting out some of the dead wood added a year to their access certification process,” Glazer says.
To succeed, IT must tap the business side.
“The enterprise must involve business principals, usually managers or line of business operatives who are familiar with those applications or resources,” Kampman says. “The problem belongs primarily to the business side, and isn’t unilaterally owned by IT; it’s part of role management.”
Consolidating the various IAM applications in the enterprise so they work together is challenging, but necessary. “Getting different systems vendors’ products to work together is a big issue, although progress is being made,” says Kirk Willis, vice president of CA’s Mainframe Business Unit.
“Standards such as LDAP and SOAP help. The major vendors offering provisioning, role management, as well as identity and access governance all work well with the mainframe,” Glazer says. “Support for RACF and ACF2 is the minimum requirement; now you have a burgeoning LDAP presence in the mainframe environment, so you have a fairly accessible environment for identity management technology,” he says.
“It’s important these standards evolve, because that will lessen the burden of management and regulatory compliance,” Willis says.