2021-02-17T04:31:00Z
JA
System Administrator at MOI

Who should manage the Identity Management product?

I am researching identity management solutions. Who in the team should be managing the IDM product?

5 Answers
Jay Bretzmann - PeerSpot reviewer
Research Director, Cybersecurity - Industry Analyst at IDC
Real User
Top 5
2021-07-26T15:52:28Z
Jul 26, 2021

It also depends upon what capabilities are required in your environment. Is the basic need for an access control product? This is what ITOps did back in the days before there were security teams. 


Do you require advanced authentication capabilities or privileged user monitoring? If so, then you should either have a security team in place or build one.


Are there compliance reporting requirements that might justify investing in a governance solution? Again, security FTEs would be the right people.


Smaller companies should consider outsourcing all of this to Managed Service Providers. Let a couple of experts do the driving for you.

Joakim Thorén - PeerSpot reviewer
CEO, Founder at Versasec
Real User
Top 20
2021-03-12T15:57:10Z
Mar 12, 2021

Typically we see IDM products being managed by a system owner in the security team.

Hasan Zuberi ( HZ ) - PeerSpot reviewer
Product Manager Cyber Security at a tech services company with 11-50 employees
Real User
Top 5
2021-03-11T07:10:28Z
Mar 11, 2021

It depends on the level of the organization. Sometimes there are teams specifically deployed for this, or it goes to the CIO or CSO as well.

MichaelLindskov - PeerSpot reviewer
Chief Cloud Architect at Emergent Holdings
Real User
2021-07-26T13:44:08Z
Jul 26, 2021

Identity Management is best managed by the group in a company most capable of getting the job done. 


The group most likely to be successful tends to be the IT Security team. They tend to be the group most centrally involved with the implementation of security tools and are frequently called on to manage attestation processes.  Audit teams and business operations teams may be able to provide support but they rarely have the technical skills to sustain the level of automation needed to be successful.


Another aspect to look at when deciding who should manage Identity is to understand the separation of duties. If you have an Operations or Business team managing Identity you will have conflicts of interest. It is better if a Security, Compliance, or Audit team takes up the role to avoid the issue.


This does not mean that other groups are not a good fit. The trick is to understand what group has the mandate within the business and make sure that they have the right technical support and oversight.  Any group with the right motivation and support can do the job.  Don't get locked into saying it has to be with one group or another.  I have seen a lot of companies fight over the who and never get to the do.

Umair Akhlaque - PeerSpot reviewer
Enterprise Solutions & Services Head at Duroob Technologies
Real User
Top 10
2021-03-14T13:47:31Z
Mar 14, 2021

It depends on the organization structure. Operational Security generally manages tools, while Governance & Policies come from Risk or the CISO.

Related Questions
Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Aug 10, 2022
Hi infosec professionals, Based on this article, a few days ago "Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials". What could be done better to prevent this from happening in the future? Which tools, techniques and solutions could help to a...
Ladislav Nyiri - PeerSpot reviewer
IDM Engineer at a tech services company with 51-200 employees
Aug 10, 2022
In the case of a sophisticated social engineering attack designed to steal employee credentials, there is a need to pay attention to employee education first and, if not already in place, to apply a Zero Trust approach by implementing OTP and making it mandatory for all employees. No technical solution is good enough to prevent a willing leak of employee credentials by the employees themselves.
Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Jul 13, 2022
Hi security professionals, Can you please clarify the definition of the Zero Trust vs Least Privileged model? How are they different? In which cases you'd use each of them? Please share an example. Thanks for sharing your knowledge!
2 out of 3 answers
OK
Consultant at Astra Graphia Information Technology
Jul 12, 2022
Least Privilege is about giving the least privilege (role and privilege) as required by the user, while Zero Trust completely eliminates trust at a whole level, whether internal or external.  Zero Trust sample is MFA, where you would need to validate your access credentials (e.g., through biometrics).
Adewale Oluwaseyi - PeerSpot reviewer
Technical Lead at Freelance Consultant
Jul 12, 2022
Least privilege access is used to provide access needed to perform a role or action, which is good, while Zero trust completely assumes every attempt as a possible compromise and treats it as such.  If something with the least privilege access tries to access any resource in an environment where Zero Trust is implemented, Zero trust will still take precedence.