Organizations need a strong model and the support of leadership for effective Identity and Access Management governance, according to Mark Cox, Director of Identity Service and Solutions at the University of Virginia.
“[You need] leadership and backing for your program,” Cox said. “Without those you will struggle, because identity, I always refer to it like an octopus, we have our tentacles everywhere, right?”
Cox joined Keith Brautigam, director of Identity and Access Management at Penn State University, for an hour-long panel discussion on Wednesday, Aug. 11 about IAM governance. View the recording.
Nearly webinar 40 attendees learned IAM governance can mean different things and cover different areas and audiences, depending on the organization. Moderated by Mike Corn, CISO of UC San Diego and Ann West, AVP of Trust and Identity for Internet2, the event was the third in a series of regular “InCommon IAM Mini-Series – Community Implementation Stories” discussions.
Governance Key to ‘Elevating the Whole Program‘
Brautigam said IAM governance at Penn State has been “a cornerstone of our successful efforts to modernize our identity and access management infrastructure and services.”
“By having governance in place, and at the business level, what it’s really done for me is elevate the whole program at Penn State, up to a more visible level and layer to the university administration,” he said.
The Penn State program — which was developed over the last four years — is critical because there are about 1.1 million active accounts during the “major semesters.” He said there are also 80 different IT units spread across 24 campus locations.
“To really modernize all these systems, governance is just absolutely key,” Brautigam said.
The governance program was created at the University of Virginia in 2017. Cox was hired and they created their governance program, which began with an Identity and Access Management implementation committee with between 50 and 75 members. The committee provided a sense of ownership and involved frequent meetings, sometimes requiring more than 5-10 hours a week, along with results measuring feedback and voting on top issues.
The committee also helped to identify critical pain points and develop solutions, he said. They identified a top 10 list of implementation goals, including simplified and streamlined account claiming and activation, near-time connectors between identity management and its source and target systems, and a user self-service portal.
“Having that buy-in from the governance (committee) and then reporting directly to executive leadership really helped us with our successes,” Cox said.
View past “InCommon IAM Mini-Series – Community Implementation Stories” highlights: