Processes of Identity and Access Management

“We create a generic reference business model for identity and access management”

Diploma Thesis for an Identity Process Map

Tue April 15, 2008 Posted by Oliver Belikan, doubleSlash

Our GenericIAM group offers a diploma thesis, which is sponsored by NIFIS e.V. and supported by impulsIT and the Chair of M-Business and Multilateral Security (Frankfurt University).

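The topic is: “Prozessanalyse im Bereich der Enterprise Identity Management Systeme – Analyse, Ableitung und Entwicklung einer Prozesslandkarte” (“Process analysis in the field of enterprise identity management systems: analysis, derivation and development of a process map”).

Details about conditions and objectives were described on the homepage (in German).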

Modelling identity processes bottom-up or top-down - see you in April!

Tue February 12, 2008 Posted by Horst Walther, SIG Software Integration

Last Friday our volunteers group met again in Frankfurt for the 9th quarterly meeting.


After a short introduction and welcome to our new members, the working groups reported their progress.
As modelling is our key activity, the modelling approach was debated intensively.
From the start it was the main intention to collect all existing models and implemented enterprise processes, trying to factor out a generic process layer. This bottom-up approach turned out to be not easy and offered some pitfalls.
In order to complement this approach and to create a more general “bird's-eye” view, the group started modelling following a top-down method.
Each method has its merits and its disadvantages:

  • While the bottom-up way always maintains a solid foothold on proven real-world implementations it can on the other hand lead to arbitrary results in terms of naming folklore and physical artefacts.
  • The top-down path however starts from a clear conceptual set of definitions and derives its conceptual framework by stepwise simple but compelling refinements. Especially due to its use of coloured Petri Nets it is however blamed for its theoretical approach; virtually incomprehensible for practitioners.

Both approaches are in fact meant to meet at common ground somewhere in the middle – on the “generic layer”. We hence expect to take the best of both worlds.
And the result has to be shown to the world. We hope to be able to do so at the 2nd European Identity Conference, starting April 22nd in Munich. You are welcome to visit us at our booth there. – See you in April.

GenericIAM booth on European Identity Conference (EIC)

Sun February 10, 2008 Posted by Oliver Belikan, doubleSlash

Same as last year we have a nice and beautiful booth at the second European Identity Conference 2008, in Munich (Germany). The booth is thankfully sponsored by the German NIFIS and KuppingerCole.
For more information take a look at http://www.id-conf.com

The location will be:

Museumsinsel 1 • 80538 München, Germany
Phone: +49 (0)89211 25170
Fax: + 49 (0)89211 25165
http://www.forumamdeutschenmuseum.de

Identity modelling with event driven process chain (EPC)

Fri February 8, 2008 Posted by Oliver Belikan, doubleSlash

Our goal is to create a best practice model from a real enterprise landscape like we see it in many cases. What do we need first? The idea how to create easily understandable workflows. We decided to model event-driven processes. The well-known approach is a straightforward method which is often used for designing business processes.


For that purpose we created shapes for Visio 2000/2002/2003 and 2007. From the IAM-Wiki and the following links you can download the shapes and find some useful information on how to use them.

Roles are the organisation

Sat June 30, 2007 Posted by Horst Walther, SIG Software Integration

On one of the expert panels at the 1st European Identity Conference in Munich this spring, densely populated with high-ranking and well-respected experts, I heard one of the experts mention in the middle of a heated discussion: “What is the sense of a role model if whenever we complete an organisation's role model and are about to implement it, the organisation has changed considerably meanwhile.”

Well “that’s real life” we are tempted to say … but wait a minute! Can this really be true? I remember a second quotation from the same event “Roles are the DNA of an organisation” stated Ron Rymon, the founder of the role engineering firm Eurekify.

O.k. if you consider any commercial endeavour as a mild form of sparsely ordered chaos, if you run a company merely ad hoc and a role model is considered as an unnecessarily rigid structure imposed on top of a fluid ecosystem that reinvents itself at every moment – ok, in this case forget about role models.

But what, when it comes to automation? Many, if not most, enterprises are now strained by global competition. A manufacturer in Pittsburgh or Gelsenkirchen may compete with one in Chongqing (重庆) or Poona where at least the labour costs are dramatically lower. One can imagine that besides dirty political tricks it may take some bit of innovation and automation to succeed in this battlefield.

But what is automation? In order to automate an organisation you need to express it in a formal way so that it can be processed by machines or - more often - in a blended fashion by machines and humans. You need to formally document your policies & rules, processes and roles in a complete, consistent and machine-readable way. Only then can they be repeatedly applied by those above-mentioned processors.

Considering this scenario, how can the organisation have changed while the role model is still controversially discussed? No way! The roles are the organisation, or at least an important part of it.

Article about GenericIAM in Computerwoche

Tue June 12, 2007 Posted by Oliver Belikan, doubleSlash

The father of our group GenericIAM, Dr. Horst Walther, starts a series of articles about digital identities in the famous German IT newspaper "Computerwoche".

This week (number 23, from June 8th) the first part was published on page 28/29 with the headline "No integration without digital identities". The next three articles will follow in the emerging editions.

Interview with Dr. Walther part 4

Tue May 8, 2007 Posted by Matthias Neher, doubleSlash

Processes and future:

M. Neher: In which way do you develop your process models?

Dr. Walther: "The fundamental idea is to identify recurring similarities which we can arrange in consistent models. This is the only way we can get general, universal models.
We decided to take five steps:

  1. Selection of processes
    The members decide themselves which of their processes will be provided for the initiative.
  2. Take-over
    Our task force “Modelling” takes over the models and documents them in a formal manner.
  3. Modelling
    The aim of this step is to identify and isolate general aspects of the processes. These aspects are used for our own models.
  4. Quality assurance
    GenericIAM authorises modelled processes after proving them. For this purpose special reviewers control all the models. If necessary we engage external experts.
  5. Publication
    The results of the modelling activities will be published by GenericIAM annually."

M. Neher: Can you tell us something about concrete results?

Dr. Walther: "On the one hand we could gain very useful input from consumer companies like BMW Group, Dekra and the WestLB. On the other hand consultants and software integrators like doubleSlash, iC Consult and ism offered stuff from practice.
I’m very optimistic that we will present our first reference model in late 2007 to the public."

M. Neher: Is there any concrete timetable for your standardisation efforts?

Dr. Walther: "We depend on voluntary work. So we are not able to plan our activities in a very strict way. But we have the aim to go international and to publish our first reference model in 2007."

M. Neher: Please tell us something about the next steps. Do you concentrate only on the German market?

Dr. Walther: "I gave some hints already. It doesn’t make sense to continue as an isolated German initiative. We started in the German region to hold the costs low, because every member has to come up for them on their own. The only way to be successful is to integrate international standardisation organisations. We have several promising contacts with members of the OASIS and ITU."

M. Neher: GenericIAM started with a new blog not long ago - contrary to the German webpage – completely in English. Why did you decide to do so?

Dr. Walther: "English is indeed the language for international communications and publications. We decided to manage the webpage in German and English. This is possible because of the static content on the webpage. The blog contains much more dynamic content. So we decided to keep the blog in English, only."

Interview with Dr. Walther part 3

Mon May 7, 2007 Posted by Matthias Neher, doubleSlash

The Members:

M. Neher: If we have a look at the members of GenericIAM we find classical IT-companies like Novell, Oracle and Sun, but also companies from other industrial sectors like Dekra or the WestLB. What are the reasons to participate in GenericIAM?

Dr. Walther: "Identity Management and Access Management aren’t limited to IT-companies. Even if both disciplines weren’t termed like this, both are older than information technology. The new thing is that companies get a holistic view of the individual access to corporate resources. Thus IAM is part of every company’s management infrastructure. First of all we concentrated on consumer companies, whose implemented processes we would have analysed for similarities in order to get a general process model. To achieve this we appreciate every member which can help us. Accordingly our members are analysts, users, consultants, software integrators and vendors."

M. Neher: Won’t the participating companies lose their edge in knowledge?

Dr. Walther: "This is a question of all standardisation activities. It’s a matter of fact that there will always be leaders and others who follow. Consolidated everyone wins, if you can refer to an accepted standard. Consumer companies often see IAM as a needful task without any relevance for competition. Their aim is to implement IAM-functions in an easy and cheap way. However the more standardised processes we have the easier this can be achieved.
The most likely to have such an edge of knowledge – if there is one – are analysts, consultants and software integrators. But up to now we couldn’t find someone with any significant advance in this field. We take this as indication that this task cannot be managed by a single company but rather by joined efforts."

Interview with Dr. Walther part 2

Sat May 5, 2007 Posted by Matthias Neher, doubleSlash

GenericIAM in general:

M. Neher: Dr. Walther, we would like to find out more about the GenericIAM initiative. What’s behind all this?

Dr. Walther: "As often, the starting point was anger about a disappointing situation: in a project for the implementation of a comprehensive IAM-system I had to design the underlying processes - once again. From experience of former projects I knew that designing the processes could make up to 2/3 of the total costs. However subsequent to the projects, I realised that these processes often look similar. This fact is not astonishing. All the processes are about standardised IT-infrastructure. So why do we have to define the processes all the time from the outset? Why do we have to do that to our customers? Why isn’t it possible to get a set of reference processes?
That was the trigger for GenericIAM. Perhaps that wouldn’t have been enough. But the postulation of generic processes fits great in the context of current management trends. Consultants have preached the "industrialisation of services" for a long time. Today this is in fact a topic for companies. The times in which we had a lot of individual hand-made work are long gone because of rising cost pressure, security efforts and agility on the market. The answer is the standardisation of the relevant management processes. And ITIL is just the beginning of that.
So what we really need, are task related reference models. We intend to develop such a model for Identity & Access Management. That is what our brand "GenericIAM" stands for - generic processes for the Identity & Access Management."

M. Neher: You are talking about process definitions. Why is it so important to define the relevant processes before IAM-projects?

Dr. Walther: "Identity & Access Management – as the name already suggests – is an organisational management task with a strong link to technology. The main task is the interaction of identities (mostly individuals) with the company and its resources. Generally an interaction is being described by a process, if it should not occur undefined and ad hoc. Consequently processes are core of IAM and – by the way – the most expensive part when installing an IAM-system in a company. Well defined processes are the condition to achieve the addressed benefits like process automation and cost reduction."

M. Neher: Why did GenericIAM join the National Initiative for Internet Security NIFIS?

Dr. Walther: "As a consortium we need to have a formal organisation. Of course we could work in an informal manner together and present our results to the ITU, OASIS or other standardising consortiums. But on the other hand the affiliated companies making their process models available need the NIFIS to have a proper contact. The NIFIS as a self helping organisation of the economy provides this judicial context in a brilliant manner. I think there are very few security based topics which do not touch IAM. The fact that we don’t limit our activities to national efforts and security matters and their application in the internet, does not distort that picture. Recapitulating, the NIFIS with its flexible and pragmatic organisation is the right institution for us."

Interview with Dr. Walther part 1

Fri May 4, 2007 Posted by Matthias Neher, doubleSlash

I asked Dr. Walther, the head of GenericIAM, to answer me a few questions. I’m going to post the questions and his answers step by step on this blog.

Here is the first one:

M. Neher: Dr. Walther, due to your activities as a business consultant, you have a good overview of the IAM-market. Can you tell us where we can find more information about the Identity & Access Management?

Dr. Walther: "The appropriate analysts like the Burton Group, the Gartner Group and the German Kuppinger, Cole + Partner offer much information about IAM. Another great overview is provided by meetings and conferences like the European Identity Conference in Munich, May 2007. And of course the internet provides much information, too. There you find wikis like the IAM-Wiki (http://www.iam-wiki.org) or blogs like http://www.identityblog.com, http://blog.doubleSlash.de. 100 other blogs can be found at http://blog.doubleslash.de/2006/11/21/alle-blogs-rund-um-das-identity-access-management. Another way to keep up to date is to subscribe to mailing lists like http://openid.net/wiki/index.php/Mailing_lists or https://opends.dev.java.net/servlets/ProjectMailingListList. Last but not least I like to refer to the web pages of the big standardisation organisations Liberty-Alliance (http://www.projectliberty.org), OASIS (http://www.oasis-open.org/) and ITU (http://www.itu.int/ITU-T/index.phtml)".