Top 5 Ways To Succeed With IAM
Most organizations invest in Identity and Access Management (IAM) solutions to establish comprehensive visibility and control of Identities and Access. Control and management of identities is critical to operations, particularly for regulated industries like financial services and healthcare. Regardless of industry, IAM is a core business and cyber security function. Establishing and managing the identity lifecycle of employees, customers and third parties (everyone else) is table stakes for any organization. Most mid to large organizations can have hundreds or thousands of applications that IAM needs to integrate with. This doesn’t happen in the initial rollout. It takes multiple scheduled rollouts over a period. IAM projects are often lengthy spanning years.
The more the identities and access, the more demanding IAM becomes. Managing credentials like passwords and multi-factor authentication enables single-sign-on (SSO) and password resets. This alone can fund an IAM project when you consider the number of password and access related help desk calls. Another business goal of IAM is to automate all the manual effort associated with access change activities as they are numerous and error prone. Access remains disparate for enterprise applications, APIs, services, assets, and data. The explosion of public cloud applications and infrastructure have compounded access requirements and widened the attack vector. Third party applications and services are more widespread often requiring access to sensitive information. IAM, along with Identity Governance enables the business to manage, automate and respond to business, security, and compliance requirements. The reuse value in centralizing identities and access information yields more value overtime as more and more applications and assets are under management. IAM promises scalable value.
Strategizing, Planning, Executing and Managing IAM can be an overwhelming and ultimately disappointing if not aligned with executive level support. Executive level support for IAM is critical for adoption and true value realization. IAM touches almost every aspect of the business. From HR to the Lines of Business, IAM capabilities are required to execute effectively, efficiently, and most important securely. IAM enables the business to support unique processes and changing requirements for various identity types. The commitment to manage all identities (employees, customers and third parties) across the enterprise requires a long-term strategy. Executive buy in empowers security leaders to define the appropriate roadmap. Executing on the roadmap in short bursts is the most successful method of rolling out an IAM initiative. Learn fast. Succeed fast. Scale.
Most often when tackling such a complex effort like IAM, executive support alone will not dictate success. Focusing on a handful of guiding principles can result in both short and long-term success. Establishing an operating rhythm will vary for each organization regardless of industry. Understanding people and process are key factors for IAM success.
1) Start small. Identify the high value assets that have business and compliance sensitivity. Scale assets under management over time. Pick a handful of applications to start with, then identify the average number of applications and data sources that can be onboarded each month. Results will vary as the complexity of legacy and custom applications will require more time, than standards-based applications and services.
2) Establish a methodology for engaging business and technical stakeholders. Proper planning and strategizing with stakeholders, application owners and data stewards, administrators and security personnel is critical for adoption. Define auditing and reporting requirements early.
3) Identifying the users in scope and how the identity maps to access. For example, employees, customers and third parties are created, stored, and managed in very disparate ways. Identify exactly how these identities originate in the enterprise. What’s the business process associated with creating identities. Where’s the authority for each identity type? Where are the accounts? How do they map to identities?
4) Identify what applications, infrastructure, data (structured and unstructured), APIs, or services are in scope. Access types are vast. Cloud applications, infrastructure and data need to be encompassed. Anything with business and compliance relevance becomes a target asset that needs to be prioritized based level of effort and integration complexity. Lay a foundation for “IAM Services” such as access visibility, request and approval (as required), automated provisioning, attestation, and reporting for each asset under management. Again, results will vary depending on the asset.
5) Perhaps more complex than the technical integration, defining the business process and policies can be challenging. When implementing IAM workflows to implement business logic related to access changes, there is often many opportunities to modernize. For each Identity type and asset, define and redefine the business processes associated with creating and managing identities and access. Streamlining and obliterating steps becomes possible when automating. This requires significant collaboration and cooperation from multiple business and technical owners and administrators.
