How to Pick an IDM / IAM solution

One of the things that I am asked about most often is not about the implementation of an Identity Management product, but rather how to choose a solution in the first place. While my biases are well known, I do have a general framework to help organizations figure out what direction and products they should be considering in pursuit of a solution, since we know that choosing an Identity Management solution is not always so straight forward.

Before there can be a discussion of product selection, there must be a discussion of the identity related processes that exist within the organization. This needs to come from a business and process perspective. To do this you will need to work with the many parts of your enterprise IT organization to identify and break down the steps in the processes that will be involved in your eventual Identity Management solution.

From here you can begin to identify what technology components are related to these processes, GRC, SSO, User Provisioning, Virtual Directories, etc.

Note that I've suggested that the process must be defined before technology is chosen. Actually we haven't selected any specific technology brand or methodology, just identified what types we will need.

Once the processes are defined and they have been matched to types of technology the process of specific technology selection can begin.

Before we get into a discussion of how to choose the technology, let's talk for a moment which it needs to happen in this order.

Process is the human part of equation. It's the hardest to define as it can have so many variables. Not just on the part of the unique individuals in an enterprise organization, but of the organizations themselves. There are so many different combinations of business philosophies, government regulation and best practices that there are multiple ways of providing Identity Management services. So accurately mapping these out is a critical part of any IdM success.

Once this is done, it is a fairly straightforward exercise to identify what types of technology are required. In order to choose the proper technology it is important to consider the context that the enterprise works in. How is it organized?

• By database platform?
• By the ERP system
• By an enterprise directory?
• Some other criteria?

If the needs of the enterprise are applied to this list it begins to become clear what your direction should be. Of course, this is a pretty stripped down version of what needs to be done in the interest of space. The actual process will go into greater depth as criteria are weighted based on the needs of the organization and process requirements that we developed earlier in the planning process. From this point it is time to hand things over to project management and the implementation team. Good Luck!