We have written previously about how each identity is a little bit like a snowflake, in that they are unique and require individual attention in order to properly manage and secure. It is quite reasonable, then, to believe that each enterprise should be unique and have custom-built identity management solutions that are tailored to meet their exact specifications. Such thinking, however, leads to a conundrum that has stumped IAM teams for a long time and ends up rearing its ugly head in one way or another. But it also does not make sense to have identity management and governance policies and workflows that do not make sense for the business and are too rigid to meet the demands of a modern enterprise.
On one hand, if enterprises go down the road of building an identity governance solution that is custom fit to their exact specifications, a few negative consequences eventually rear their ugly head, namely in the vein of over-customization. On the other, identity governance solutions that are immovable can create confusion and a great deal of technical debt where practitioners and business users alike need to spend hours learning how to work around the tool. Therefore, it can seem a little like being stuck between a rock and a hard place for many.
Business, IT, and security leaders all face a growing pile of requirements that they need to adhere to in order to optimize business operations, while maintaining security rigor, and meeting an increasingly complex compliance landscape. As such, it can be tempting to think that every process needs to be customized to fit the exact needs, whether it’s assigning a unique workflow when someone needs access to an in-house application, or in how a business onboards a third-party contractor. While it is true that no two businesses are set up the same, with different applications, infrastructure, and data flows, an overly customized solution has clear downsides.
When building out a customized solution, many teams need to write huge amounts of custom scripts and code to process data, enable workflows, and initiate business operations. While certainly useful, custom code and scripts are time-consuming for developers to create, challenging to maintain, and can be quite confusing when personnel turns over. It is rare that such development is meticulously documented, and knowledge gaps can (and do) easily arise when a key developer leaves the organization. These workflows that can gather data from the various bespoke systems and applications are required for businesses to maintain efficiency but can also be challenging and insecure as time passes.
Now, the natural alternative is to rely on identity governance processes that come fully formed out of the box and plug them in. However, rigid solutions lack context that many business and security leaders rely on to gather buy-in from the workforce. If workflows are not intuitive, or complicated to learn, many people will fall back on human nature and revert to the ways that they are used to working. Further, the new system may be unable to accommodate a wide variety of heterogenous business systems and applications that live across cloud and on-premises environments.
What is clear is that both trains of thought have clear upsides and clear downsides. But what if there was a different way? By implementing solutions that are configurable, standards driven, and built on a flexible data model, organizations can deploy identity governance with confidence, implement processes that fit within the context of their business, and have holistic visibility to access and entitlements throughout the enterprise. Relying on configuration, rather than custom code and development can help reduce a lot of the downsides that come from building a custom solution from a specific point in time, while also providing the flexibility to adopt a solution that can meet the demands of the business. To that end, Omada has built a Configurable Connectivity Framework to enable dynamic establishment of connectivity to both existing and new IT systems and applications. Learn more here.
