Barry Gordon – Senior IAM Consultant, SecureITsource, Inc.
The realm of Identity & Access Management (IAM) can be overwhelming at times. An organization may have thousands of accounts spread across hundreds of applications. Little chunks of key identity information are spread across dozens of sources, not to mention the privileges and permissions scattered throughout various stores of data. In an ideal world, all this data is secured, linked, and managed. Accessing these applications and data is seamless.
However, the real world is often quite the opposite. Perhaps your organization has set a goal to improve your IAM program, and you’re not sure where to start. Perhaps you simply shoulder the burdens of a chaotic environment daily, and spend most of your time just keeping up. Either way, if you have been putting off Identity Management: Stop. It’s easier than you might think.
Determine which key focus will benefit you the most
The first, and easiest step, is to determine in which area you will get the most bang for your buck. Identity Management has three main benefits:
- Reduces Risk
- Reduces Cost
- Improves User Experience
Focusing on one of these aspects will help narrow down where to start. This is where your in-depth knowledge of your organization comes into play.
Perhaps managing risk is a major concern. Your organization may have regulations to comply with, such as SOX, HIPAA, or PCI. Or security may be of utmost concern due to the nature of your work.
Alternatively, your organization may be primarily looking to reduce costs. According to Forrester research, manually managing access and accounts is the worst option from an ROI perspective (Cser). Likewise, manually collecting data for audits can be very costly, especially in industries like Healthcare and Finance. Also, don’t discount the savings on lost productivity. The cost of dozens of employees unable to work while waiting on access can add up quickly.
Finally, in the modern marketplace, ease of use has become essential. Self-service has become an expected part of any application. Perhaps single sign-on or social media logins would make things more seamless. Customers will be quick to go elsewhere if they must jump through hoops to get access to your products. Employee morale will be higher and partnerships will be stronger if response time is quick when dealing with access.
Once you have determined which of these best describes your situation, you can move on to the next step: defining your specific goal.
Set a specific Goal
One of the top killers of IAM projects is scope creep. Too many projects fail while trying to boil the ocean. If you are unsure of where to head from here, now is a great time to bring in an expert. A good consultant can help guide you through determining which areas are prime for improvement and which are rife with unexpected challenges.
Your specific goal should be exactly that: specific. It should also align with your key focus area from above. Dieter Rams’s philosophy of “Less but better” is key here. You can always grow a small, healthy IAM program, but it is massively more difficult to recover from a failed one. Which one thing would bring the most benefit with the simplest needs?
Good example: Reduce costs by automating password resets on mission critical applications.
Bad example: Reduce risk by managing identity data
In the first example, you have a clear, specific goal. You can form a list of mission critical applications to set a specific scope. Resources can be put into a solution that is robust and offers auxiliary benefits of risk reduction and a pleasant user experience.
The second example is asking for trouble. How much identity data? From how many sources? Which risks are reduced? It offers way too many open-ended questions for extra scope to creep in and strangle your project.
Build A Toolset
If you had a clear grasp of your specific goal and haven’t consulted an expert, now is the time to do it. The decisions made when building your toolset will make or break your IAM program.
The first step is to narrow down your options. Along with your consultant, sources like Gartner and Forrester research can help give you a clear picture of the marketplace. Your shortlist of tools should be based on a combination of your key focus and your specific goal. Support of your key focus should be your primary concern.
Using the password reset example above: it is far better to have a robust Identity Management system that supports password resets than to have a best-in-class password reset tool that leaves no room for growth and does not offer features to help solve your other IAM concerns.
Once you have your shortlist, it is time to look at which tool is best for you. Your consultant can help to guide you through the nuances of the tools. If you have a strong candidate, but are still unsure, a Proof-of-Concept is a great way to see if a particular tool will meet your needs.
This step is usually when you will need to make your case to the business, if you haven’t already done so. Utilize data to develop both your key focus and specific goal. After the PoC, you should have a good idea of the capabilities of your tool of choice and its advantages over similar tools. All of this should give you a strong business case.
Build the team
During or after the implementation of your selected tool, you will need to build a team to support and grow your IAM program after the initial project. The size and make-up of the team can vary based on an organization’s needs. However, one common mistake you want to avoid is not having people with IAM-specific expertise on your team.
All too often after an IAM project, maintenance and support will fall on a random administration team, or a team of developers, since the tool was written in a programming language that they know. This is a recipe for trouble. Your consultant can help to guide you in building a capable team, even if you are looking to leverage existing staff.
Things to assess when building a team:
- How big will the team need to be?
- How much work will be done in-house vs leveraging trusted partners?
- How will the work be divided? Support & Maintenance vs. New Features
Closing the Loop
If you’ve made it this far, you have probably successfully achieved your specific goal. Inevitably along the way several other goals have appeared on your “to-do list”. You may have others in the business lined up asking you to solve their IAM struggles as well. Now is the time to close the loop. Transform your “to-do list” into specific goals by priority, and repeat the steps you took to get here. With each iteration, re-evaluate. Has your key focus changed? Is your toolset sufficient or do you need to expand? Is your team operating effectively or are they overburdened?
With every iteration, Identity Management adds more business value with less risk. One success will lead to another. With time, it will become easier and an integral part of your organization.
SecureITsource is an authorized reseller and professional services partner with the industry’s leading Identity & Access Management solution providers. Our team of experienced engineers help our clients to achieve their IAM goals by providing strategy, design, and engineering expertise.