The Maturity Model

The following sections characterize identity management practices at each level in the maturity model. The characteristics are organized into eight areas: business goals, policies, processes, identity management, identity storage, authentication, authorization, and federation. The characteristics given are illustrative; there are more characteristics than can be enumerated here. Nevertheless, these should be sufficient to give you a clear idea of what each level looks like.

Level 1 is the furthest away from being a best practice. In level 1, no planning or structure is applied to identity management processes and systems. The statements in Table 15-1 characterize practices at this level.

Table 15-1. Characteristics of level 1 identity management practices

Area

Characteristics

Business goals

Business units see identity management as having negative value. That is, identity management gets in the way of getting work done.

Policies

The organization has no identifiable policies about identity. Any rules that do exist are simply part of the organizational folklore.

Processes

Identity management processes are not defined or documented.

Processes are carried out in an ad hoc fashion with the desires and whims of the team or team leader being the primary driver. Any processes that do exist are informal.

Team knowledge and talents are not leveraged in a consistent manner, because the process is different each time.

The ad hoc nature of the processes denies opportunities for automation.

The ad hoc nature of the processes does not allow them to be audited for effectiveness.

No metrics are used to measure the processes, and any operational data that is collected is analyzed only in response to a problem.

Identity management

Identities are fragmented across the organization.

Fragmented identities are inconsistent.

Multiple administrators add accounts manually.

Identity storage

Identities are stored in multiple repositories.

Users have multiple, disconnected entries in the store.

Identities are stored in different kinds of stores, and even when two stores are of the same kind, their schemas are not consistent.

Authentication

Users have multiple usernames and passwords, including multiple identifiers on the same systems and applications.

Identity credentials are chosen arbitrarily, without any clear cost and benefit analysis.

Authorization

Authorization is inconsistently applied and used.

Authorization policy is set without any evaluation of cost and risk.

There is no formal notion of resource owners or custodians.

Federation

When identities are federated with partners or between business units, the technology, processes, and agreements are all ad hoc.


Level 2 practices presuppose a minimal amount of planning and documentation. The planning and documentation allow IT staff to carry out identity management tasks in a repeatable way, but there is little quality control, and so the results are not consistent. Practices and capabilities are fractured across projects. The statements in Table 15-2 characterize practices at this level.

Table 15-2. Characteristics of level 2 identity management practices

Area

Characteristics

Business goals

Business units see identity management as a tolerable requirement but perceive little value.

The focus of the identity infrastructure is security and operational control.

Policies

Some policies are written down, but there is little buy-in, and policies are not effectively distributed.

Policies are point specific or applicable to just one or two projects.

Policies are not enforced.

Processes

Processes are partially documented, although different groups within the same organization may carry out the same task using different processes.

Even when the same team is assigned to a task, the process definition is not sufficient to ensure the same results each time the process is applied.

Processes and activities are not audited.

Identity management

Automation is minimal and limited to security functions and tactical operations such as password reset.

Operational data for identity systems is inconsistently collected and analyzed.

Identity storage

Identities are stored in directories or other repositories built for a specific purpose.

Authentication

Users have multiple usernames and passwords.

Identity credentials are chosen by different projects with only project goals in mind.

Authorization

Authorization is done on an application-by-application basis.

Resource owners are assigned in high-visibility areas and make authorization policy for those resources.

Federation

Federation is still done using bilateral agreements, but standards are used to transfer identity information. Technology is implemented as needed.


Level 3 identity management practices are consistently executed, but they are static and do not adapt to changing business requirements. The statements in Table 15-3 characterize practices at this level.

Table 15-3. Characteristics of level 3 identity management practices

Area

Characteristics

Business goals

Business units see identity management as providing generic value to the enterprise but do not understand how it can enable their business goals.

Policies

Policies are created through a well-understood governance process. All parties know and understand what is required, but there is little or no formal enforcement.

Standard policies are used throughout the organization.

Processes

First-level operational metrics are recorded. By first-level, I mean direct, technology-defined measurements of operational parameters, such as "authentications performed per hour" or "authorization assertions delivered to partner X."

Service-level agreements (SLAs) are defined for first-level operational parameters. These SLA levels are largely self-defined and internal to the IT organization.

Processes, roles, and workflows are defined.

Processes and procedures for service are always followed, and consistent results are reached.

Identity management

Identity infrastructure automation is broad-based and chosen to meet strategic goals.

Identity actions are audited occasionally.

Extensive reports are produced, but feedback is rare.

Innovation occurs as the result of missing service targets or as a result of outright service failures.

Identity storage

Identity data has been cleansed and normalized.

The enterprise has established authoritative data sources.

Enterprise standards help system designers choose technologies that are interoperable.

Authentication

Passwords are synchronized across the enterprise.

Single sign-on is a reality, allowing users to move from application to application without reauthenticating.

Authorization

Access control is role based and driven by rules.

Access-control policies for different systems and applications are disconnected and manually updated.

Resource owners and custodians are formally assigned to all resources of value.

Federation

Federation processes are defined, and standard agreements are used as a basis for negotiation with partners.

Federation infrastructure exists and is usable by a variety of interests.

Federation is most likely to happen using a hub-and-spoke model.
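The first-level operational metrics and self-defined SLAs described for level 3 processes are concrete enough to compute. The following is an added example, not code from the original chapter: it parses a few constructed, syslog-style authentication events (the line format, event names and field names are assumptions) and derives the direct, technology-defined measurements the text names, authentications performed per hour and assertions delivered per partner, plus a failure rate, then checks one internal SLA threshold against them.

```python
"""First-level operational metrics for an identity service (added example).

Input is a constructed log in an assumed format:
    <ISO-8601 timestamp> <AUTH|ASSERTION> key=value ...
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample events; not real data.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z AUTH result=success user=alice
2024-03-01T09:15:40Z AUTH result=failure user=bob
2024-03-01T09:40:03Z ASSERTION partner=partnerX user=alice
2024-03-01T10:01:19Z AUTH result=success user=carol
2024-03-01T10:05:55Z AUTH result=success user=bob
2024-03-01T10:30:00Z ASSERTION partner=partnerY user=carol
2024-03-01T10:45:12Z ASSERTION partner=partnerX user=bob
2024-03-01T11:12:48Z AUTH result=failure user=dave
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>AUTH|ASSERTION)(?P<kv>(?: \w+=\S+)*)$")


def parse_events(log_text):
    """Return a list of (timestamp, event, fields) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a real collector would count these as a parse-error metric
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("event"), fields))
    return events


def first_level_metrics(log_text):
    """Direct, technology-defined measurements: counts and rates per hour and per partner."""
    auths_per_hour = Counter()
    assertions_per_partner = Counter()
    total_auth = failures = 0
    for ts, event, fields in parse_events(log_text):
        if event == "AUTH":
            total_auth += 1
            auths_per_hour[ts.strftime("%Y-%m-%dT%H:00")] += 1
            if fields.get("result") != "success":
                failures += 1
        elif event == "ASSERTION":
            assertions_per_partner[fields.get("partner", "unknown")] += 1
    return {
        "authentications_per_hour": dict(auths_per_hour),
        "authentication_failure_rate": failures / total_auth if total_auth else 0.0,
        "assertions_per_partner": dict(assertions_per_partner),
    }


def sla_breaches(metrics, max_failure_rate=0.25):
    """A self-defined, IT-internal SLA (threshold is an assumed value): list the parameters that miss it."""
    breaches = []
    rate = metrics["authentication_failure_rate"]
    if rate > max_failure_rate:
        breaches.append(("authentication_failure_rate", rate, max_failure_rate))
    return breaches


if __name__ == "__main__":
    m = first_level_metrics(SAMPLE_LOG)
    print(m)
    print(sla_breaches(m))
```

Note that every number here is a property of the technology (events counted, ratio of failures), not of the business; that is exactly the distinction the level 4 description draws when it asks for SLA metrics defined in business terms instead.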


Level 4 practices are repeatable, consistent, and make use of feedback from the business to adapt to changing business needs. Feedback is used to optimize the identity management practices and is based on sophisticated metrics and tools. The statements in Table 15-4 characterize practices at this level.

Table 15-4. Characteristics of level 4 identity management practices

Area

Characteristics

Business goals

Business units perceive the value of identity to their activities.

Business units are regularly consulted in determining the components of the identity infrastructure.

Business unit expectations for return on investment on the identity infrastructure are regularly exceeded.

Policies

Policies and standards are approached in a holistic fashion, evaluating needs comprehensively and crafting policies that interoperate with and enforce each other.

Identity policies are audited for effectiveness.

Identity policies are usually followed, and they are enforced when they are not.

Policies are routinely reviewed and updated using a functioning governance process.

Processes

Processes are fully defined, documented, monitored, and measured.

SLA metrics are defined in terms of business requirements rather than technology-based activities.

Processes are regularly audited. Audit results are used to change the identity architecture.

Processes that support identity policies are consistently applied across multiple platforms.

Processes are automated.

SLA metrics are based on business value.

Identity management

Identity management activities are regularly automated.

Innovation occurs proactively, before service level failures.

Identity management activities are self-healing, incorporating organic corrective actions and improvement methodologies.

Operational results are monitored on an ongoing, perhaps even real-time, basis, and continuous improvement is the goal.

Identity storage

Identity data is consolidated using directory aggregation technologies such as metadirectories or virtual directories.

Internal data stores routinely share data using standard protocols and common schemas.

Authentication

Authentication is done using standard credentials that work enterprise wide.

The enterprise has a consistent approach to how credentials are used to authenticate against a standard set of security levels.

Authorization

Policy decision points base decisions on policies that are applied consistently and automatically across various devices and systems.

The enterprise has an integrated policy distribution mechanism that ensures consistent policy application.

Resource owners and custodians are given a standard way to set and distribute authorization policy, and they understand how to use it.

Federation

Federation is networked. Adding new federation partners requires almost no effort. Federation partner provisioning may even be self-service in many instances.
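The contrast between level 3 authorization (role-based, but with each system's policy disconnected and hand-maintained) and level 4 (a policy decision point applying one consistently distributed policy across systems) is easier to see in code. The following is an added example, not from the original chapter: a single role- and rule-based policy decision point that two different applications' enforcement points both delegate to, so the same subject, action and resource get the same answer regardless of which application asks. The role names, resource naming scheme, applications and the MFA condition are assumptions made for illustration.

```python
"""One policy decision point (PDP) shared by several enforcement points (added example).

Assumed conventions: resources are path-like strings ("hr/...", "payroll/...");
roles come from an authoritative directory, modelled here as a dict;
context carries an authentication level (1 = password, 2 = MFA; assumed scale).
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Rule:
    role: str                     # role the rule applies to
    resource_prefix: str          # resources the rule covers
    actions: frozenset            # actions permitted by the rule
    condition: Optional[Callable[[dict], bool]] = None  # extra rule on the request context


def requires_mfa(ctx):
    """Condition: the subject authenticated at the assumed MFA level or higher."""
    return ctx.get("auth_level", 0) >= 2


# The single enterprise policy set, authored once by resource owners/custodians
# and distributed to every PDP instance, instead of one diverging copy per application.
POLICY = (
    Rule("employee", "hr/self/", frozenset({"read"})),
    Rule("hr-manager", "hr/", frozenset({"read", "update"}), requires_mfa),
    Rule("payroll-clerk", "payroll/", frozenset({"read"})),
    Rule("payroll-admin", "payroll/", frozenset({"read", "update"}), requires_mfa),
)

# Role assignments; in practice these would come from the authoritative identity store.
ROLE_ASSIGNMENTS = {
    "alice": frozenset({"employee", "hr-manager"}),
    "bob": frozenset({"employee", "payroll-clerk"}),
}


def decide(subject, action, resource, context=None, policy=POLICY, roles=ROLE_ASSIGNMENTS):
    """Evaluate the policy set for one request. Default is Deny: an unknown
    subject, role, resource or action never yields Permit."""
    ctx = context or {}
    subject_roles = roles.get(subject, frozenset())
    for rule in policy:
        if rule.role not in subject_roles:
            continue
        if not resource.startswith(rule.resource_prefix):
            continue
        if action not in rule.actions:
            continue
        if rule.condition is not None and not rule.condition(ctx):
            continue
        return "Permit"
    return "Deny"


# Policy enforcement points in two different applications. Neither holds any
# rules of its own; both map their local request shape onto the PDP's vocabulary.
def hr_portal_allows(user, action, doc_path, ctx=None):
    return decide(user, action, "hr/" + doc_path, ctx) == "Permit"


def payroll_api_allows(user, method, record_id, ctx=None):
    action = {"GET": "read", "PUT": "update"}.get(method, method.lower())
    return decide(user, action, f"payroll/records/{record_id}", ctx) == "Permit"


if __name__ == "__main__":
    print(decide("alice", "update", "hr/reviews/bob", {"auth_level": 2}))  # Permit
    print(decide("alice", "update", "hr/reviews/bob", {"auth_level": 1}))  # Deny: MFA condition
    print(payroll_api_allows("alice", "GET", "7"))                          # False: no payroll role
```

Changing a rule in POLICY changes the answer for every application at once, which is the consistency level 4 asks for; at level 3 the same change would have to be repeated by hand in each application's own policy table, and the copies would drift.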