Scaling Identity Management: Enterprise Lifecycle Standardization (Activity 1.5.2 “Enterprise Identity Life-Cycle Management Part 1”)
We’ve spent time focusing on establishing strong identity fundamentals at the organizational level: getting a handle on all identities (1.1.1), implementing central authentication (1.8.1), layering in periodic checks (1.8.2), implementing initial PAM controls (1.4.1, 1.4.2), and standardizing our internal identity lifecycle processes (1.5.1). Now, for large, distributed enterprises (like the DoD and other agencies), the next step is to elevate these efforts to a unified, enterprise-wide approach. This is the focus for Zero Trust Activity 1.5.2: Enterprise Identity Life-Cycle Management Part 1.
This activity recognizes that after individual organizations make progress on identity lifecycle management, true enterprise-level Zero Trust requires consistency and interoperability across the enterprise. Part 1 is the phase focused on reviewing and aligning existing Identity Lifecycle Processes, policies, and standards across the enterprise to develop a finalized, agreed-upon policy and supporting process that all organizations within the enterprise will follow. Leveraging centralized or federated Identity Provider (IdP) and Identity & Access Management (IdAM) solutions, the goal is to implement this Enterprise Lifecycle Management process for the maximum number of identities, groups, and permissions. As before, exceptions to this enterprise policy are to be managed through a risk-based approach.
The immediate outcomes for Part 1 are significant:
- Automated Identity Lifecycle Processes operating according to the new enterprise standard, and
- These processes being integrated with the Enterprise ICAM process and tools. This means moving from potentially disparate organizational automation to a centrally defined and enforced automated lifecycle.
Solutions for Achieving Enterprise Identity Life-Cycle Management Part 1
This activity is as much about governance and process alignment as it is about technology implementation. Solutions require a multi-faceted approach:
Enterprise Governance and Policy Alignment:
- Review existing identity lifecycle processes and policies from the different organizational units. A cross-organization working group is an effective vehicle for this review.
- Define a standardized, enterprise-wide identity lifecycle policy and set of procedures (joiner, mover, leaver, including privileged access considerations) that meets the needs of the overall enterprise and its various components. This requires consensus building and potentially mandates from a central authority.
- Document a process for managing exceptions to this enterprise policy, including risk assessment, approval workflows, and regular review.
Leveraging Enterprise-Level ICAM/IdAM Solutions:
Utilize existing or procure new centralized or federated IdP and IdAM solutions that can enforce the newly defined enterprise lifecycle policy across the maximum number of identities, groups, and permissions. This might involve extending the reach of a current central IdP or connecting multiple organizational IdPs/directories into a federated identity fabric managed at the enterprise level.
The chosen solution must support automated provisioning, deprovisioning, and attribute synchronization based on the enterprise policy.
Integration with Enterprise Data Sources and Applications:
- Integrate the enterprise-level ICAM/IdAM solution with authoritative enterprise data sources (e.g., central HR systems, enterprise-wide asset inventories) to drive automated lifecycle processes for a broad range of identities and their associated attributes and permissions.
- Connect the IdAM solution to a wide array of enterprise applications and services to automate the provisioning and deprovisioning of accounts and the management of group memberships based on the standardized lifecycle process.
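The integration and exception-handling steps above can be pictured as a reconciliation loop: the authoritative HR feed and the enterprise policy determine what each identity should have, the IdP's current state shows what it does have, and the difference is the set of joiner, mover and leaver actions to push out. The following is an added illustration, not code from the activity or from any IdAM product; the HR records, groups, policy mapping and exception entry are all constructed sample data, and the action tuples it emits stand in for the provisioning calls a real connector would make.

```python
# Constructed sample data (not from any real system). HR_FEED is the authoritative
# source; IDP_STATE is the group set the enterprise IdP currently holds per identity.
HR_FEED = [{"id": "e100", "status": "active", "dept": "finance"},
           {"id": "e101", "status": "active", "dept": "engineering"},
           {"id": "e102", "status": "terminated", "dept": "finance"}]
IDP_STATE = {"e100": {"all-staff", "finance-apps", "legacy-app"},
             "e102": {"all-staff", "finance-apps"},
             "e103": {"all-staff"}}
# Enterprise standard: department -> group memberships (application assignments).
POLICY = {"finance": {"all-staff", "finance-apps"},
          "engineering": {"all-staff", "eng-apps"}}
# Risk-based exceptions: extra groups, approver, ISO expiry (ISO dates compare as strings).
EXCEPTIONS = {"e100": {"groups": {"legacy-app"}, "approver": "finance-ciso",
                       "expires": "2025-06-30"}}

def target_groups(rec, exceptions, today):
    """Policy groups for an active HR record plus any unexpired approved exception."""
    groups = set(POLICY[rec["dept"]])
    exc = exceptions.get(rec["id"])
    if exc and exc["expires"] >= today:
        groups |= exc["groups"]
    return groups

def reconcile(hr_feed, idp_state, exceptions, today):
    """Derive joiner/mover/leaver actions from HR vs. IdP state as (action, id, detail)."""
    actions, hr = [], {r["id"]: r for r in hr_feed}
    for uid, rec in hr.items():
        if rec["status"] != "active":          # leaver: HR says gone, IdP still has it
            if uid in idp_state:
                actions.append(("deactivate", uid, "leaver"))
            continue
        want, have = target_groups(rec, exceptions, today), idp_state.get(uid)
        if have is None:                        # joiner: active in HR, absent in IdP
            actions.append(("create", uid, "joiner"))
            have = set()
        for g in sorted(want - have):           # joiner/mover: grant per policy
            actions.append(("add_group", uid, g))
        for g in sorted(have - want):           # mover or lapsed exception: revoke
            exc = exceptions.get(uid)
            why = "exception-expired" if exc and g in exc["groups"] else "mover"
            actions.append(("remove_group", uid, f"{g}:{why}"))
    for uid in idp_state:                       # orphan: no authoritative record at all
        if uid not in hr:
            actions.append(("deactivate", uid, "orphan-no-hr-record"))
    return actions

if __name__ == "__main__":
    for action in reconcile(HR_FEED, IDP_STATE, EXCEPTIONS, "2025-07-01"):
        print(*action)
```

Run on 2025-07-01 the loop revokes e100's lapsed exception group, creates and entitles the new engineer e101, deactivates the terminated e102, and flags e103 as an orphan with no authoritative record; the expiry date on the exception is what turns the policy's "regular review" requirement into an enforced action.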

Okta and Activity 1.5.2 Part 1: A Strong Foundation for Enterprise-Scale Identity Management
Okta, particularly within its Workforce Identity Cloud offering, which supports both centralized and federated deployment models, is a powerful platform for addressing the technical requirements of Enterprise Identity Life-Cycle Management Part 1.
How Okta Satisfies These Needs:
Centralized or Federated IdP/IdAM: Okta can be deployed as a centralized IdP for an entire enterprise or used in a federated model to connect identities from different organizational directories. This flexibility directly supports the activity’s requirement to utilize “centralized or federated Identity Provider (IdP) and Identity & Access Management (IdAM) solutions.”
Automated Identity Lifecycle Processes: Okta’s Identity Lifecycle Management features, including its robust provisioning engine and workflow capabilities (Okta Workflows), are designed to automate joiner, mover, and leaver processes at scale. This directly contributes to achieving “Automated Identity Lifecycle Processes” according to the newly defined enterprise policy.
Managing Identities, Groups, and Permissions: Okta Universal Directory can serve as a central repository for managing a large number of identities, organizing them into groups, and managing application assignments, which represent permissions. Its provisioning capabilities ensure these are updated based on lifecycle events for the “maximum number of identities, groups, and permissions.”
Integration with Enterprise ICAM Process and Tools: Okta provides APIs and connectors that allow it to integrate with other enterprise ICAM components and processes. It can pull data from HR systems, synchronize with directories, and push updates to various applications, facilitating integration with the broader “Enterprise ICAM process and tools.”
Nuances:
Activity 1.5.2 heavily emphasizes the governance aspect: the review, alignment, and finalization of the enterprise identity lifecycle policy and processes across potentially diverse organizational units. This requires significant human effort, negotiation, and decision-making by enterprise stakeholders. While Okta, or any similar technology, provides the platform to implement the resulting policy, it does not automate the creation of, or agreement on, that policy among the different organizational components.
Enterprise-Level Risk-Based Exception Framework Definition: Similar to the policy definition, establishing the formal, enterprise-wide risk-based framework for managing exceptions is a governance activity. Okta can help manage and track exceptions for users within its system and potentially trigger workflows for approval, but the definition of what constitutes an acceptable risk and the overall exception management policy are outside of Okta’s technical functionality.
Building Towards Parts 2 and 3:
Activity 1.5.2 Part 1 is the critical step of standardizing the identity lifecycle at the enterprise level and laying the technical groundwork with your IdP/IdAM solution.
Parts 2 and 3 of Enterprise Identity Life-Cycle Management fall in the “Advanced” phase. Even though they belong to a later phase, it is important to understand Parts 2 and 3 to make an informed decision for Part 1. Below is a brief explanation:
Part 2 will build on this by focusing on further integrating critical automation functions and specifically integrating primary lifecycle processes into a cloud-based Enterprise ICAM solution, increasing the level of automation and enabling enterprise-wide analytics.
Part 3 will then aim to integrate the remaining Identity Lifecycle Management processes, including those in more challenging “Enclave/DDIL environments,” often requiring local connectors to connect these disparate systems to the enterprise ICAM solution in the cloud. Part 1’s success in defining the standard and achieving initial broad implementation is essential for the subsequent phases to fully automate and extend coverage to the edges of the enterprise.
The Technical Buyer Takeaway:
Enterprise Identity Lifecycle Management is about bringing coherence, security, and efficiency to how identities are managed across a large organization. Activity 1.5.2 Part 1 is the starting point for defining that unified approach and beginning implementation with your core IdP/IdAM platform.
Leveraging a solution like Okta provides the scalability, automation features, and integration capabilities necessary to implement the standardized enterprise lifecycle for the majority of your identities, groups, and permissions.
For technical buyers in large enterprises, success here means overcoming organizational silos to agree on a common process and then automating it with your chosen platform. The result is a strong, consistent identity foundation that the subsequent phases progressively build upon to achieve full enterprise-wide lifecycle management in your Zero Trust architecture.
Pillar: User
Capability: 1.5 Identity Federation & User Credentialing
Activity: 1.5.2 Enterprise Identity Life-Cycle Management Part 1
Phase: Target Level
Predecessor(s): 1.5.1 Organizational Identity Life-Cycle Management
Successor(s): 1.5.3 Enterprise Identity Life-Cycle Management Part 2