
EIM Fundamental Concepts Part II: Identity Management Governance

As a continuation of our recent exploration of the Fundamental Concepts of EIM, Identity Management Governance is the third and final pillar of EIM. Let’s take a moment to examine how Identity Management Governance works as a concept in ultimately transforming the way our university conducts identity and access management in the future.

For some, the term “governance” may come with various assumptions or biases. For others, it may be a largely unfamiliar concept. In the context of Identity Management, governance refers to who has decision-making rights about institutional policy pertaining to the functions of identity management. These functions are primarily concerned with ensuring that access to university resources is in alignment with institutional goals (as well as policy and principles). Identity Governance is the process by which the university ensures that institutional needs and requirements guide, inform, and direct identity and access management policy.

“In its most basic form, Identity Management Governance is a kind of radical transparency that surfaces a host of decisions that are often quite subtle but profoundly impactful to our community,” said Chief Information Security Officer Michael Corn. “From the mundane, such as your user name, to the life altering, such as the use of your lived name, Governance operates at the intersection of principle and practice.” 

Historically, UC San Diego lacked any formal identity management governance program and as such, institutional decisions were left to the operators of the identity systems to negotiate with a myriad of stakeholders. In this way, two departments could have two completely different applications of the same policy, creating internal conflict and complication with how the university as a whole manages a person’s identity. 

“What we've discovered is that the policies themselves are somewhat ambiguous in our current state,” said EIM Enterprise Architect David Hutches. “We are unable to consistently answer if people are getting what they need and also how they are getting what they need. This then means we can’t effectively implement what we don't know, we can’t easily uncover an underlying issue, let alone formulate a solution. In some sense, we've been able to move forward with ambiguous policies because until this project, we haven’t actually had a mechanism to uniformly apply a policy.” 

Take the example of removing access for a particular individual. Was the change prompted by leave, separation, retirement, or matriculation? Does this change alter when access should be revoked? Will this go into effect immediately or after an established grace period? Is this a permanent or temporary change in status? To what are we revoking access? Is it E-mail, AD log-in, and/or more? Is this a consistent practice across the board or a specific case with a specific logic applied?

This is one instance where a governing body, through transparency into the decision-making process, could help illuminate the disparities, consider the impacts, and establish a uniform path forward. And so it is that Identity Management Governance is concerned with building a partnership with leadership and various stakeholders to establish those unambiguous policies for IT to implement on their behalf.

“A success criterion for the EIM project will be to bring consistency and repeatability to system or data access decisions. We must have the highest level of confidence that access decisions are both accurate and timely, yet reflect the varied needs of the small city we call UC San Diego,” said Corn. “And again, we can only achieve this through our ongoing engagement with stakeholders, service owners and campus leaders in managing identity at UC San Diego.”

Taken together, the pillars of the EIM project - Identity Management, Access Management and Identity Management Governance - set the foundation for consistently delivering the vital services to our ever-evolving campus community. In this first phase, the project strives to launch a new identity ecosystem supporting the current state operations, with a keen eye on how the project will mature to best serve the community. Once established, the future Identity Management Governance will be an entity dedicated to supporting the campus strategic plan of an agile, sustainable and supportive infrastructure. 

 

Curious to know more? 

Want to learn more about the underlying issues of identity management at the university and the goals and benefits of the EIM project? Check out the following video, entitled "Identity Management in a Nutshell," which was created based on a recent EIM TechTalk.

 

Join the Conversation

The success of the project is dependent on the active participation of Subject Matter Experts (SMEs) from across campus to understand the process landscape surrounding EIM.

If you are interested in engaging with the EIM project, SME opportunities are available for future business process landscape tracks, in addition to openings for EIM Change Leads and Change Practitioners.
