Monday, September 10

Identity Audit != Identity Management Audit

I've posted a few times now on identity audit and I've noticed that some other smart folks in the industry have used the term identity audit (IdA) when speaking about what I call identity management audit (IdM-A). The Identity Management software vendors are especially (and understandably) guilty of this. So, I'm taking this opportunity to point out that identity audit is NOT the same thing as identity management audit. I realize that I probably won't eliminate the confusion across the entire industry, but at least you'll be aware of the distinction and will be able to educate those around you.

IdM = Identity Management
IdM-A = Identity Management Audit
IdA = Identity Audit

Identity Management Audit

IdM-A is usually provided by the IdM software vendor. It's an IdM system's internal audit of IdM activities. It can tell you about the identities that flow through the IdM system. It generally relies on the logs generated by the components of the identity management system. If it's one of the better IdM-A solutions, it may even report on what it sees in its connected data repositories. IdM-A is typically limited to an audit of the IdM system itself and is somewhat myopic in that sense. Any reports that it provides are based on its own view of the environment and may be less reliable than an independent audit mechanism.

Identity Audit

Identity Audit solutions provide a more external view of identity information. It can provide independent reports on the data within identity data stores to verify whether the IdM system is doing its job correctly. It can also identify and take action on activity that happens outside of the IdM solution. For example, if an administrator subverts policy by manually adding a friend to the domain admins group, IdA can capture that event, throw alerts and potentially provide remediation as well -- perhaps through an existing IdM system. IdA solutions are equally if not more useful in environments without IdM systems. For example, in a smaller Microsoft Windows environment where users are managed in Active Directory with no or limited automation, an IdA solution can provide a useful tool set for auditing the power of identities within the environment -- without the requirement for an identity management system.


Identity management systems along with other information security mechanisms are controls put in place to enforce organizational policies. Identity Audit provides an independent and wide-angled view of identity controls, identity behavior and identity power to ensure that policies are being enforced. IdA solutions are complementary to IdM systems and continue to provide value in environments where IdM systems aren't available (or required).

No comments: