Here's tenet #2 from my whitepaper "Tenets of Identity Management". Part #1 of the "Tenets of Identity Management" podcast is posted on the Quest web site.
#2 - KISS—Simpler is Always Better
The main reason most companies get involved in an identity management project is that their environment has grown complex beyond their ability to control it, whether by manual or automated processes. You need to avoid the easy way out: simply automating what you currently have. While this may temporarily solve your problem, the end result will be an inefficient but automated set of identity processes. Because they are inefficient, these processes will probably break down at the most inopportune times, and when they do break down, the effect will be noticed by senior executives at your company.
It is crucial to put all aspects of your identity management project and associated business processes under a magnifying glass. Always ask whether it is possible to simplify a process or to re-use a particular process in another part of your project.
An easy way to illustrate this is to examine where provisioning actually begins in your company. In most cases, once a decision to hire or retire an employee is made, it is the human resources department that begins the process. How does your provisioning software find out about the event? Hopefully, it is notified in real time. If not, it probably finds out by some sort of file transfer to a specific network directory, which it polls looking for the file before acting on it. While both methods achieve the same result, the simpler method is for the provisioning software to be notified of the event in real time. A real-time update means faster provisioning (increased productivity) and de-provisioning (increased security) of employee data, with no additional moving parts. Provisioning via a file transfer makes you rely on the success of the transfer, the availability of the network location and your ability to handle every error to ensure that everything works properly. I can’t count the number of times a piece of code has failed and the result was that hundreds of accounts were accidentally deleted. Of course, Murphy’s Law will always ensure that a number of high-level executives are included in those deleted accounts.
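The "hundreds of accounts accidentally deleted" failure above is what a file-fed provisioning consumer should be built to refuse. The following Python is an added example, not code from the post or from any Quest product, and the HR feed, directory accounts and the 25% safety threshold are all constructed for illustration: an empty or sharply shrunken HR file is treated as a failed transfer, and a single run may never disable more than a small share of accounts.

```python
import csv
import io

# Constructed sample data (not from the original post): one healthy HR feed,
# one truncated feed as left behind by a failed file transfer, and the set of
# directory accounts for which HR is the source of truth.
HR_FEED_OK = (
    "employee_id,status\n"
    "1001,active\n1002,active\n1003,active\n1004,active\n"
    "1005,active\n1006,active\n1007,active\n1008,terminated\n"
)
HR_FEED_TRUNCATED = "employee_id,status\n1001,active\n1002,active\n"
DIRECTORY_ACCOUNTS = {str(i) for i in range(1001, 1009)}

# Hypothetical safety threshold: never disable more than this share of accounts in one run.
MAX_DEPROVISION_FRACTION = 0.25


def parse_hr_feed(text):
    """Return (active_ids, terminated_ids) from the CSV feed; reject an unexpected layout."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != ["employee_id", "status"]:
        raise ValueError("unexpected HR feed header")
    active, terminated = set(), set()
    for row in reader:
        if row["status"] == "active":
            active.add(row["employee_id"])
        elif row["status"] == "terminated":
            terminated.add(row["employee_id"])
        else:
            raise ValueError("unknown status %r" % row["status"])
    return active, terminated


def plan_deprovisioning(feed_text, directory_accounts, max_fraction=MAX_DEPROVISION_FRACTION):
    """Decide which accounts to disable, refusing outright when the plan looks like a broken feed."""
    active, terminated = parse_hr_feed(feed_text)
    if not active and not terminated:
        return {"approved": False, "disable": set(),
                "reason": "empty feed, treating as failed transfer"}
    # Anyone not listed as active is a candidate: explicit terminations and silent omissions alike.
    to_disable = {a for a in directory_accounts if a not in active}
    if len(to_disable) > max_fraction * len(directory_accounts):
        return {"approved": False, "disable": set(),
                "reason": "%d of %d accounts would be disabled; exceeds safety threshold"
                % (len(to_disable), len(directory_accounts))}
    return {"approved": True, "disable": to_disable, "reason": "within threshold"}
```

A rejected plan should page an operator rather than retry silently, since the next poll will usually find the same bad file.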
Keep it as simple as possible. You’ll receive fewer late-night and weekend phone calls.
identity management, Quest Software