Research Director, Cybersecurity - Industry Analyst at IDC
Vendor
2021-07-26T15:52:28Z
Jul 26, 2021
It also depends upon what capabilities are required in your environment. Is the basic need for an access control product? This is what ITOps did back in the days before there were security teams.
Do you require advanced authentication capabilities or privileged user monitoring? If so, then you should either have a security team in place or build one.
Are there compliance reporting requirements that might justify investing in a governance solution? Again, security FTEs would be the right people.
Smaller companies should consider outsourcing all of this to Managed Service Providers. Let a couple of experts do the driving for you.
Identity Management is best managed by the group in a company most capable of getting the job done.
The group most likely to be successful tends to be the IT Security team. They tend to be the group most centrally involved with the implementation of security tools and are frequently called on to manage attestation processes. Audit teams and business operations teams may be able to provide support but they rarely have the technical skills to sustain the level of automation needed to be successful.
Another aspect to look at when deciding who should manage Identity is to understand the separation of duties. If you have an Operations or Business team managing Identity you will have conflicts of interest. It is better if a Security, Compliance, or Audit team takes up the role to avoid the issue.
This does not mean that other groups are not a good fit. The trick is to understand what group has the mandate within the business and make sure that they have the right technical support and oversight. Any group with the right motivation and support can do the job. Don't get locked into saying it has to be with one group or another. I have seen a lot of companies fight over the who and never get to the do.
What is identity management (IM)? Identity management (IM), also referred to as identity and access management (IAM), is an organizational process used to securely connect electronic or digital identities with the right levels of access.
Typically we see IDM products being managed by a system owner in the security team.
Depends on the level of the organization. Sometimes teams are specifically deployed for the same, or it also goes to the CIO or CSO.
It depends on the organization structure. Operational Security generally manages tools, while Governance & Policies come from Risk or the CISO.