Chapter 15. Identity Maturity Models and Process Architectures

In the last chapter, we set up governance for the identity management architecture (IMA) process and built a business model. As we've seen, the business model is really just a comprehensive documentation of the goals, people, and processes of the business units building the IMA. The next task is to determine where your organization's current technology and practices stand with an eye to improving them. The tool we'll use is called a digital identity maturity model.

Our objective in this chapter is to distinguish mature identity processes from immature processes, develop an identity process inventory, and plan for identity process improvement. We use the word "process" quite deliberately. Organizations that view internal activities as a series of isolated tasks cannot build a digital identity infrastructure that will accomplish the objectives set forth in this book. The reason is quite simple: viewing activities as isolated tasks does not allow the results to be consistently measured and that information to be fed back into the organization so that the activity can be improved.

In an organization with immature processes, projects are executed without many guidelines by teams that are free to proceed as best they can. Project success is dependent on the efforts of a few "virtuoso performers." Predicting the success or failure of a project is difficult, and when the project is finished, it is often impossible to identify the factors that led to success or failure.

On the other hand, mature processes give project teams clear guidelines and have built-in metrics so that the result is not just repeatable, but also measurable. Metrics tell why the process produced the outcome it did and what needs to be done to improve it. Mature organizations review and update their processes as a matter of course and seek constant improvement.

The path to more mature identity management processes and infrastructure can be characterized by a series of steps that gives specific milestones. These milestones are called "maturity levels." Each level is a reflection of certain capabilities in the organization's processes and infrastructure. Higher maturity levels reflect greater capabilities and have more advanced characteristics. The maturity model defines the key elements at each level and thus represents a path that you can follow to guide your identity management processes to more mature levels. The path we've defined includes four levels and is shown in Figure 15-1. These levels are adapted from an identity management maturity model developed by Gary Daemer of Booz Allen Hamilton.


In level 1, the organization has very few processes and the infrastructure design is tactical and ad hoc. At the focused level (2), some projects in the organization have good processes and a designed identity infrastructure, but many do not. At the standardized level (3), the organization has created enterprise-wide policies, processes, and infrastructure. With enterprise-wide policies and processes, the organization can learn from various projects and use that knowledge to improve future projects. At the integrated level (4), policies and processes are very mature and processes have been automated. The infrastructure is complete.