
Exploring the science and magic of Identity and Access Management

Identity and Access Management Questions

Author: Mark Dixon
Wednesday, April 26, 2006
7:25 pm

When I was a junior engineer, I kept pestering my hiring manager with a plethora of questions. Finally, in exasperation, he responded, “Mark, I hired you to give me answers, not questions!”

Nonetheless, I have found throughout my career that posing probing questions to myself and others has been a valuable tool in discovering solutions to vexing challenges.

Are you considering an Identity and Access Management implementation? Have you defined your requirements? Here are a few questions that may help you organize your thoughts on the matter.

Administration (Managing Identities, Relationships and Identity Policies)

  1. Who are the users (people and systems) that need access to resources within my sphere of responsibility?
  2. What are the resources within my sphere of responsibility to which users will be granted access?
  3. Who will be granted access to what?
  4. What privileges will need to be granted?
  5. What restrictions must be invoked?
  6. Who can approve access rights, privileges and restrictions?
  7. How will privileges be revoked?
  8. How can we grant access in accordance with specialized regulatory requirements (e.g. Separation of Duties)?
  9. How can we define access policies in the context of the client’s organization?
  10. Who will be responsible for Identity Administration (e.g. Human Resources, IT Administration, Help Desk, Self-Service)?

Control (Enforcing Identity Policy)

  1. How will policies for access to resources within my sphere of responsibility be enforced?
  2. How will users be authenticated?
  3. When will strong authentication (e.g. UserID/password + token card) be required?
  4. How will users be authorized to use specific application functions, systems or data sources?

Auditing (Proving Adherence to Identity Policy)

  1. How can we prove that IAM policies are being followed?
  2. Who has access to what resources over time?
  3. Who has access to what resources right now?
  4. When was that user granted access privileges?
  5. Who approved that access?
  6. What user privileges violate specialized regulatory requirements (e.g. Separation of Duties)?
  7. When did users successfully gain access?
  8. When were unauthorized accesses attempted?
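The auditing questions above (and the Separation of Duties question in the Administration list) all reduce to queries over a time-stamped record of grants, approvals, revocations and access events. The following is an added example, not code from the original post: it models such a record in Python and answers the point-in-time, provenance, Separation of Duties and access-attempt questions over a small constructed data set. The users, resources, privileges and the SoD rule are hypothetical; a real deployment would pull the same facts from the provisioning system's audit trail and the resources' access logs.

```python
"""Answering IAM auditing questions over a constructed grant and access history."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Grant:
    user: str
    resource: str
    privilege: str
    granted_at: datetime
    approved_by: str
    revoked_at: Optional[datetime] = None  # None while the grant is still active

    def active_at(self, when: datetime) -> bool:
        """A grant is in force from granted_at (inclusive) until revoked_at (exclusive)."""
        return self.granted_at <= when and (self.revoked_at is None or when < self.revoked_at)


@dataclass
class AccessEvent:
    user: str
    resource: str
    at: datetime
    success: bool  # False records a refused (unauthorized) attempt


# Constructed sample data: hypothetical users, resources, privileges and approvers.
T = datetime
GRANTS = [
    Grant("alice", "payables", "create_vendor", T(2024, 1, 10), approved_by="bob"),
    Grant("alice", "payables", "approve_payment", T(2024, 3, 1), approved_by="carol",
          revoked_at=T(2024, 4, 1)),
    Grant("dave", "hr_db", "read", T(2024, 2, 15), approved_by="erin"),
    Grant("dave", "payables", "approve_payment", T(2024, 2, 20), approved_by="bob"),
]

# Constructed SoD rule: on this resource, no single user may hold both privileges at once.
SOD_RULES = [("payables", "create_vendor", "approve_payment")]

EVENTS = [
    AccessEvent("alice", "payables", T(2024, 3, 5), success=True),
    AccessEvent("mallory", "hr_db", T(2024, 3, 6), success=False),
    AccessEvent("dave", "hr_db", T(2024, 3, 7), success=True),
    AccessEvent("mallory", "hr_db", T(2024, 3, 7), success=False),
]


def access_at(when: datetime) -> set:
    """Who has access to what at a point in time (questions 2 and 3)."""
    return {(g.user, g.resource, g.privilege) for g in GRANTS if g.active_at(when)}


def provenance(user: str, resource: str, privilege: str) -> list:
    """When was a privilege granted and who approved it (questions 4 and 5)."""
    return [(g.granted_at, g.approved_by) for g in GRANTS
            if (g.user, g.resource, g.privilege) == (user, resource, privilege)]


def sod_violations(when: datetime) -> set:
    """Users holding two conflicting privileges on one resource at `when` (question 6)."""
    held = access_at(when)
    violations = set()
    for resource, priv_a, priv_b in SOD_RULES:
        for user in {u for (u, r, _) in held if r == resource}:
            if (user, resource, priv_a) in held and (user, resource, priv_b) in held:
                violations.add((user, resource, priv_a, priv_b))
    return violations


def successful_access() -> list:
    """When did users successfully gain access (question 7)."""
    return [(e.user, e.resource, e.at) for e in EVENTS if e.success]


def failed_attempts() -> list:
    """When were unauthorized accesses attempted (question 8)."""
    return [(e.user, e.resource, e.at) for e in EVENTS if not e.success]


if __name__ == "__main__":
    print("Access on 2024-03-15:", sorted(access_at(T(2024, 3, 15))))
    print("SoD violations on 2024-03-15:", sod_violations(T(2024, 3, 15)))
    print("SoD violations on 2024-05-01:", sod_violations(T(2024, 5, 1)))
    print("Failed attempts:", failed_attempts())
```

Keeping revocations as a second timestamp rather than deleting the grant is what makes the "over time" question (question 2) answerable at all; the same record also shows that alice's SoD conflict existed only between 1 March and 1 April 2024 and who approved each half of it.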

This list of questions is not exhaustive. Hopefully it will help you craft further questions of your own as you define the requirements for your enterprise.


Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.