Is Your IAM Program Healthy?

Barry Gordon, IAM Practice Team Lead, SecureITsource, Inc.

Five “Smells” that may indicate problems

In Scrum, there is a concept of “smells”. They are simple signs that something may be wrong. They are not definitive or explicit identifiers, but rather a prompt to investigate potential problems further. However, the idea of smells is not only effective for Scrum. An IAM program can have smells too. Check your IAM program for the smells below. If any of these stink at your organization, it may be time to look for bigger problems.

1.   Who has access to what?

Answering this question is the entire purpose of IAM. Can you answer this question immediately? Can you do it for a population of people in the organization? If not, it is time to evaluate the weaknesses in your IAM program. Is the data organized and easily accessible? Is the access easily identifiable or are the roles and groups ambiguous? Whatever the root cause of the smell, it is significantly hindering the performance of your IAM program.

2.   It takes a while to get access

In an ideal world, access would be granted automatically and instantaneously. However, this level of automation isn’t practical for many organizations. That does not mean that granting access itself should take a while though. What is your average time to complete an access request? An hour? A day? If it takes more than a day to grant the type of access that virtually everyone else in your organization has, there are likely some serious bottlenecks in your delivery process.

For things like directory access and email that the bulk of the organization uses, automation usually has a pretty good ROI. Does the process for granting access itself make sense? Low-risk requests should require simple approvals, if any. Any approvers need to be accountable for completing requests in a timely manner. For manually fulfilled requests, there should be sufficient staff to handle the volume. These staff members should be well trained, and the processes should have as few bottlenecks as possible.

3.   Changes take forever

If a simple change to your IAM system or processes takes a while, there may be a problem. Are you trying to fulfil unrealistic/unachievable requests? Often, others in the business will ask a lot from IAM. It is important to stay focused on the business value you and others in the business are trying to add. Avoid the low-impact fluff that is difficult to add – forget requests that are simply unrealistic. Additionally, you should validate that your organization’s change management process can keep up with the changes. If not, you may need to work with the owners of that process to fix the bottleneck. Regardless of the reason, being unable to keep up with change is a sign of an unhealthy IAM program.

4.   Changes always break something

Are there problems in configuring your IAM software? If so, perhaps you suffer from Software Fragility. Introducing something new should not break something that already exists. If this happens often, it should be a strong smell that something is wrong. Fragility happens when corners are cut. This could be due to overly aggressive timelines, overburdened staff, or inexperienced software engineers or administrators. Regardless of the reason, these cut corners create serious technical debt, and you are paying interest on that debt every time something breaks on a change. Refactoring and redesign can be an expensive and time-consuming proposition, but if the downtime and lost productivity with every change are high, it can make for a strong business case. The health of your IAM program will most certainly benefit.

5.   Supporting new applications is difficult

Supporting new applications can be time consuming, especially for legacy or complex applications. However, it shouldn’t be overly difficult in the majority of cases. A number of factors can contribute to the difficulty in onboarding new applications. Are your IAM software or processes fragile, as mentioned above? Does the business have unreasonable requirements? Are application owners too busy or too stubborn to properly support the IAM onboarding process? Getting new applications introduced is a collaboration between all 3 parties: IAM, the application owners, and the business. If they’re all doing their part, the hardest part of onboarding should be the technical challenges. If not, it will definitely smell, and should be addressed.

Of course, no IAM program is perfect. Very few get to an ideal state, but that does not mean that yours can’t be healthy and consistently delivering business value. These are just a few of the major problems that can plague an IAM program. However, diligence and focus in treating the ailments can bring even the most sickly IAM programs back to life.

SecureITsource is an authorized reseller and professional services partner with the industry’s leading Identity & Access Management solution providers. Our team of consultants help our clients to reach their IAM goals by providing strategy, design, and engineering expertise.