By
Apryl Motley - Technical Writer & Communications Lead, Internet2 Trust and Identity/NET+ Service
Estimated reading time: 5 minutes
As part of our ongoing commitment to providing you with additional opportunities to benefit from the insights and expertise of InCommon Catalysts, earlier this year we introduced a quarterly Q&A column, Catalyst to Catalyst, that we feature in our e-newsletter InCommon News.
Think of Catalyst to Catalyst as a quarterly, virtual advice panel providing perspectives on key identity and access management (IAM) topics for the InCommon community. In this installment, catalysts address IAM pitfalls to avoid and strategies for staying on course with IAM projects.
What is a common IAM pitfall you try to help your clients avoid?
One of the main benefits of a properly implemented IAM is automation. Starting from simple tasks like creating all necessary accounts for new employees and removing them properly when they leave the organization. Eventually, more complex tasks are implemented to increase automation. Typical examples are complex lifecycles and transitions between various affiliations or roles within the organization. Implementing such complex features might bring complications in the future unless they are properly designed. It’s crucial to maintain the robustness of the whole IAM, including the ability to recover from errors and non-standard states.
The common pitfall here is thinking about events and reactions to them. For example, considering what should happen when a student becomes an employee. A better approach is designing invariant rules applied to the current state in IAM. For example, define what roles and accesses each employee should have. Such rules can be verified at any moment and reapplied if necessary. Moreover, this approach enables you to change the rules at any time and only recompute the system’s current state to get the new correct state. With the event-based approach, we depend on the history of events, and it’s hard to maintain the system in a consistent and auditable state because of the intrinsic dynamic of events.
Evolveum professionals are well aware of this pitfall. That’s why they are working with our customers to transform their requirements and already established processes to include invariant rules in the IAM system. For cases where such transformation is impossible, we can encapsulate the event processing in midPoint to eliminate external dependencies and combine it with other features like certification campaigns to increase robustness. Our engineers are experienced with such situations and use their knowledge to help our customers get a robust IAM solution to fully automate IAM processes within their organizations.
—Igor Farinic, CEO, Evolveum; academia@evolveum.com
How do you help clients stay on course with their projects? Have specific tools or strategies been particularly successful?
Every project that Unicon works on has an experienced project manager included to ensure the project stays on track, meets expectations, and is completed on time within budget. We employ PMs that are PMI Certified, which provides the understanding of the software development lifecycle (SDLC) and all the management phases that link the process together as one. Additionally, each PM is also a Certified Scrum Master, and for those projects where Agile is key, our project managers can lead the way. To be honest, what is used most often is what we refer to as “WaAgile,”this takes the best of both worlds (Waterfall and Agile) methodologies and provides the results that most institutions value.
We find tools are valuable, especially Jira and Google Drive, to help provide visibility but only when they are coupled with active collaboration and ongoing communication – we ensure there are no surprises, Unicon has proven success by listening to our clients and sharing our plan for next steps; we work as a team.
—Charise M. Arrowood, Executive Director, Business Development, Unicon Inc.; carrowood@unicon.net
Tempted to consider a “big bang” approach to your IAM deployment? Hoping to integrate everything that’s needed at once, right up front? Well, embarking on an IAM implementation project places its own demands on staff attention and resource availability. Attempting to address an overly large scope of objectives risks introducing unnecessary interactions that can negatively impact acceptance testing, timeframes, delivery quality, documentation, and user training.
Each institution should pare down its full scope of objectives into a first phase that includes the most impactful facets, one where leadership and users can experience and assess the improvements that a modern IAM system brings to the enterprise. Follow-on phases can then be planned to carry out remaining objectives, all while building on the successes of previously completed phases.
There are two broad categories of facets to consider when portioning objectives into multiple phases. One category is the populations of participants in your enterprise. For a school setting, populations could include alumni, students, parents, faculty, staff, contractors, or visiting/guest faculty. The second category is the set of systems to integrate with your IAM solution. These systems are the upstream, authoritative systems of record (SoR) where identity information originates and the downstream systems that are dependent on identity data provided by the other systems.
Limiting the quantity of populations to tackle in an early phase – even identifying smaller-sized populations or perhaps pilot populations – should ward against project completion delays. In the same vein, limiting which systems to integrate with your IAM solution tends to give your team the opportunity to be proactive in risk identification and the chance to make prudent design decisions. A phased approach supports a lasting, quality solution.
—Jim Lookabaugh, Customer Solutions Engineer, Provision IAM; jlookabaugh@provisioniam.com
If there’s a question you would like for us to address in a future installment of Catalyst to Catalyst, contact InCommon Communications Lead Apryl Motley.
About the Author(s)
Apryl Motley
amotley@internet2.edu
Technical Writer & Communications Lead, Internet2 Trust and Identity/NET+ Service
Apryl Motley, CAE, leads communications efforts for the Trust and Identity and NET+ teams at Internet2, including content development for their respective newsletters. Apryl has been working in the communications field for more than two decades.