Ian Yip has an excellent post about outsourcing IdM:
To summarise that post for those that don’t want to read the whole thing:
- Outsourcing IDM is like giving away the front door key to your house and letting someone else decide who to let in and what they can do. Something I didn’t say at the time was that this implies you are relying on them to tell you what happened while you were out and they can also give out your back door keys without you knowing.
- IDM is not about technology. It’s about people and business processes. Outsourcing works best when trying to solve technology pains. Not only that, IDM lies at the core of your organisation. Because of this, your organisation NEEDS to own it.
- The day when you can comfortably outsource ALL of your IDM-related functions is the day where you are able to hire a bunch of business analysts to model and maintain your internal identity , access, security, audit and compliance related processes in an industry ratified and standardised fashion that can be sent straight to the IDM service while being automated and enforced with immediate effect. And this is ONLY after you can be assured that the sensitive data you are letting out of your environment is adequately protected.
Ian has some excellent observations about the reluctance on enterprises to let such sensitive data out of their direct control:
“Giving the keys away” aside, if the decision’s been made to outsource IDM somewhat, the next question is going to be the location. Do you feel comfortable not owning the infrastructure and more importantly, are you comfortable knowing that all your sensitive information is sitting in an environment owned and controlled by another company? Many organisations would not be. That’s why it’s a hard sell.
Hmmm. Having sensitive data sitting in an environment controlled by another company? Isn’t that was every customer of SalesForce.com does? And every customer of any HR outsourcing service such as found at HR-XML.org? I mean if your enterprise is going to let another company handle its CRM, Sales database, and HR data, is IdM data really that controversial?