A Haiku to Identity Governance – My Thanksgiving
Saviynt has saved
This floundering IGA
And my love of tech.
Now that we’re past the spooky season of Halloween, we’re on to the gastronomic joys of Thanksgiving (at least here in the USA)! I always appreciate how people start focusing on elements in their life for which they are grateful. You hear beautiful stories about how people are so glad for family, health, mentors in their lives, or other meaningful contributions. Quite uplifting, all told. But I’m not here to talk about my family, my dog, or my vacation. No, I want to tell you what I’m grateful for in the venue of IGA (Identity Governance and Administration). Because, believe me, there’s a lot of good tidings of great joy.
First and foremost let me tell you, HOLY HECK am I grateful we’re not writing XML or Java code anymore, trying to manually look at Excel spreadsheets to know if jsmith in HR is email@example.com is cn=jsmi123,ou=who,ou=what,o=why, and what the list of codes are to determine what the account status should be for any individual user. If you’re twitching right now, just a bit, I feel you. Do you remember it?
Yes, in the early days of identity it was a painful process of just trying to reconcile accounts between systems, write scripts to link identities, compile code to create “connectors”. We didn’t have best practices yet, we barely knew how to get data out once we’d gotten it in, and as a result there was an awful lot of shoot-from-the-hip. Departments weren’t used to what IDM even meant, and so it was a challenge to actually discuss all the possible actions and data transformations which would be necessary and get people to realize their environments were about to be a part of a connected system. Worse, people didn’t perceive what being part of a connected system actually meant.
Take the tragedy when all of an organization’s production Active Directory domain accounts were disabled because the PeopleSoft administrator didn’t realize that dropping and re-adding a table was going to send an unhandled signal which was interpreted as a terminate for all employees. Wait, what do you mean that globally employees can’t get into their Windows workstations and we can’t do business??? Whoops! True story, that.
Good times, good times.
In the end I’m thankful for all those experiences. Production outages. Political battles. Scope creep/explosion. Project overrun. They are like battle scars now, hard won, proudly cherished. I was there, man! I was in those trenches!
But even more than having stories we can tell over a round of holiday cheer (preferably at Gartner, which is just after Thanksgiving, buy me a round while you’re out there and I’ll divulge dark secrets of the IDM of the past), I’m glad for the experiences because they make me appreciate so very much the current capabilities we have in identity and governance, and particularly the capabilities of the organization for which I now work!
No more do we have to ask HR what every code is or try to get a list of groups or entitlements from application owners. Now we just get logs or exports, ingest them into an extraordinarily elastic database, apply intelligence to them, and we can model what we believe identities and policies should be. We don’t have to be afraid of dirty data because we can do automated clean-up — what manager isn’t happy to get a list of people and the question, “Does this person work for you? Yes/No” or what employee to get, “Does this account belong to you? Claim it here.” We can bring the business into data cleanup and rule/process creation, rather than some poor intern who has to comb through 20,000 entries in three spreadsheets and propose rules on the whiteboard while only hanging on to sanity by a thread. Yes, I’ve seen that happen. Yes, I was glad it wasn’t me.
I’m grateful for innovation in this space. How many managers did I watch who were asked to approve one of their direct reports’ application requests or attest to the employee’s need for access, and they just said yes to everything because of the sheer volume of things to approve that came before them? Nobody wants to keep someone from doing their job. We’re paying them for this! But now we can automatically grant the low-risk requests and log them and present only high-risk transactions and activities to someone for inspection and approval. Less noise means better inspection and no rubber-stamping, so we can keep our eyes trained upon the employees who are like Stephen Falken in War Games who had god-like authority and a secret back door forever. (Seriously, was there no software checking for that?) Which was then exploited by David Lightman and we almost faced global thermonuclear war. Yes, we’re going back here.
I’m appreciative of our technology that makes what was impossible into the possible. I remember when we weren’t able to look at nested Active Directory Groups or Epic templates and sub-templates; deal with different personas for people who are a student and a staff member and an intern and a volunteer all at the same time; or even have visibility into access across infrastructure, applications, and data all in one centralized point rather than having to try to correlate in many different tools. None of these are barriers anymore; they’re areas where we are disrupting the IGA space like Nirvana put grunge on the map with Smells Like Teen Spirit. Band, album, song and video, they went all the way. We miss you, Kurt Cobain! We love the disruptors.
I’m thankful for others who have done the hard work to unsnarl complicated regulatory compliance like HIPAA, NERC/CIP, SOX or PCI so that we can present a set of controls out of the box and cut down on the time, uncertainty and pain of implementation. I’ve seen so many organizations wrestle with what they have to do to meet compliance requirements, and so knowing we can give them a jump start OOTB is like being able to put the jumper cables onto their organization’s vehicle. BAM! Power!
Sure, I’m happy that I’m going to eat turkey and mashed potatoes with gravy until I feel like I can’t move, and I’m going to get a few days when I can forward my boss to voice-mail and later tell him, “Whoops, I was clearly out of a coverage area, on the lake.” Family, health, safety, all of those areas for which I’m glad are real.
But I’m especially appreciative that identity governance today is different from yesterday, and that Saviynt is leading the charge into the future. Now we focus upon what the business wants rather than the bits and bytes, and we can answer challenges which plagued us from the beginning.
If you’re caught in the past and identify more with the pains I’ve called out than the present I adore, reach out! Look here. I promise, we’re not in 2000 anymore, and you don’t have to wait for some misty future for things to be better.