Methodology: First Steps With MidPoint
|Work in progress|
This is a description of simplified midPoint deployment methodology, guiding quick deployment of simple midPoint configurations.
This document is a guide to identity management deployment for small to mid-size organizations. It describes an iterative approach, providing value in small steps.
TODO: few more lines introducing the process, set expectations.
This guide is targeted at small and mid-size organizations that are starting with identity management.
Please see First Steps With MidPoint: Audience for more detailed information.
The idea is to start an iterative identity management program. The program allows you to reach your desired solution in a series of small steps. Each step bringing value, improving the solution.
Simply speaking, the program repeats three steps: Connect → Clean-up → Automate.
Each of the steps have a slightly different goal:
Connect step is aimed at connecting new systems to the solution. MidPoint platform will be able to read the data from the system and analyze them.
Clean-up step is aimed at improving data quality. Data in disconnected systems are often in quite a poor state. Accounts have to be correlated, orphaned accounts have to be disabled, data errors have to be corrected. MidPoint can help with that.
Automate step is aimed at speeding up the processes and improving efficiency. Manual work can be automated, making the process faster, cheaper and more reliable. On-boarding (joiners) and off-boarding (leavers) processes are the usual candidates for automation.
The steps are repeated as long as they bring tangible value.
When it comes to identity management, one size does not fit all. Some organizations need strict policies, perfect visibility or high degree of automation. Yet other organizations can be perfectly happy with just basic integration and automation, as long as the cost is reasonable. It is almost impossible to plan an ideal identity management project beforehand, in all its width and depth. Hence the iterative approach. Series of small steps is iterated, focusing on areas that need to be improved at that particular point. This is the way to satisfy the requirements, while keeping the costs reasonable.
The Connect → Clean-up → Automate approach outlined above is a useful abstraction. It illustrates the overall approach quite well. However, practical projects and programs are slightly more complex. They have to start somewhere, set up the team, there should be checkpoints, stop/go decisions and so on. Therefore, we propose a series of very practical steps to bootstrap the iterative approach.
We propose to proceed in following steps:
Kick-off: Start the project. Set goals. Identify crucial data sources and targets. Make a plan. Secure budget.
Assessment: Set up midPoint. Load data from the source. Compare the data with the target. Assess data quality. Decide next steps.
Automation: Automate management of identities (to a reasonable degree). Speed up on-boarding processes. Make off-boarding process more reliable, improving security. Keep data up to date.
These three steps start up a program, a never-ending process to maintain and expand the solution. The progress of the program may be as fast or as slow as you need. It is an endless iteration of several on-demand activities, executed as needed:
Connect new systems. Add more systems to your solution, much like you did in the assessment step before. This is increasing breadth (scope) of your solution.
Clean-up the data. Your data were created and maintained manually. They often do really match exactly between systems, the data are often out of date, there are inaccuracies and errors. Manual processes can often tolerate quite a high degree of data disorganization. However, increased automation heavily relies on accurate data. There is a constant need to monitor and improved data quality, correct errors, resolve inaccuracies and inconsistencies. This is increasing quality of your solution.
Automate. Add automated data mappings, processes and basic policies. Your processes will run faster, more reliably, with less manual steps. This is increasing depth of your solution.
The iterations can be repeated as many times as needed, with as big or as small scope as needed. The overall goal of the program is to bring convergence: convergence of the data, processes and policies.
There is no pre-determined number of iterations. The iterations should be executed as long as they bring sufficient value. However, as the business and IT environment is ever-changing, it is very likely that at least some part of the program will become part of ordinary operational routine.
Once the first steps are complete, data are reasonably reliable, important systems are covered and processes are automated to appropriate degree, it is time to move to the next steps. The next logical step is to focus on identity governance, managing entitlements, identity-related policies and business processes.
TODO: describe how the add-clean-automate iterations work.
TODO: know when to stop, perfection cannot be achieved (too expensive). This does not mean that the iterations would ever stop. New systems are added all the time, they have to be connected. Yet, not all systems have to be necessarily connected to identity management. Data are changing all the time, they have to cleaned up. Yet, the data quality does not need to be perfect. Most important of all, the amount of automation should be very reasonable. Automation may be expensive to set up, yet it is even more expensive to maintain.
Organizational complexity has its cost, cost that is reflected in all the systems and application. The combined cost of organizational complexity on the entire IT infrastructure is enormous. Try to reduce organizational complexity as much as you can. However, chances are that this not in your hands. Maybe all you can do is to handle the complexity … TODO
Why we think midPoint is the best tool for this kind of approach?
MidPoint is open source platform. There is a very little up-front investment. There are no licence costs that need to be paid before project starts.
MidPoint is completely open. All the software is publicly available as well as all the documentation. The very first steps (e.g. prototyping) can be done by internal staff, without a need for expensive consulting services.
Professional support. TODO.
Where does it lead? → IGA (Set up roles and policies, manage applications, entitlements, organizational structure, etc.) … once the solution is mature enough