Five Tips to Get Identity and Access Management Right – the First Time

As businesses look to move to the cloud and add value through digital transformation, data has moved beyond the perimeter. Organisations now need to offer secure anytime, anywhere access to customer and corporate data to deliver the best products and highest service levels. Additionally, for compliance purposes, they need to understand who has access to what data. IAM technology can help achieve all of that.

Many IAM projects fail without the right support. In a survey by Computing¹, more than a third of respondents (38%) had been involved in or affected by an IAM project that was never fully completed, took much longer than planned or failed to meet expectations. The reasons for these unfulfilled plans included the complexity of the customisation to manage access to legacy applications and platforms; a lack of specialist IT skills to manage the solution; to project plans that were driven by IT and security considerations than by business needs.

The origins of IAM is rooted in big-budget security implementation in the banking and finance sector to lock down their IAM in response to regulatory and compliance requirements. Now, organisations of all types and sizes and in sectors ranging from retail to healthcare, energy and manufacturing, are looking at IAM technology to secure flexible access to cloud-based resources and support agile working environments. Increasingly, these organisations must comply with a growing number of regulations around data privacy and security. As a result, they face a range of intertwined and complex business, regulatory and technology issues.

Organisations confronted by the need for enhanced IAM may have justifiable concerns around bringing in an IAM project on time and in budget. Rightly so, these projects are complex. But I may have an answer to help alleviate those concerns. While there is no silver bullet, here are five simple recommendations, borne from our experience, that will help to guide organisations on their journey to a successful IAM project:

1. Assess your organisation’s IAM maturity. How well defined is the organisation's governance structure? How optimised and integrated are current business processes? Where are the data assets on which the success of the organisation rests? Is your IAM providing business value and if not, do you have a vision or strategy for achieving that? It is important to choose the right solution provider partner appropriate to your organisation’s level of maturity across all these measures.

2. Identify business needs before translating that into technology requirements. Getting IAM right is a business issue first – technology comes second. IAM projects go wrong when there is a disconnect between the business and IT. Start by building a clear picture of IAM processes, both business and technical. How do you grant access to systems in your organisation, how do you make password changes, what happens when an employee leaves or changes roles? As businesses change, respond to M&As, and as competition and business processes evolve, IAM needs to reflect current business processes and play a role in optimising them. Too many organisations make the mistake of securing a broken process and then wonder why their IAM projects fail.

3. Identify key stakeholders. These range from internal line of business managers to key individuals at your IAM supplier. It is imperative to bring all these people together right at the beginning to hash out any strategic and practical issues. Board-level sponsorship will underline the fact that IAM is not an IT project. It is a good idea to identify an individual on your board who understands and supports the need for more effective IAM and can champion your project.

4. Leverage all available resources and expertise. Organisations that already work with a cyber security supplier may look to extend that relationship to strengthen IAM. Yet, generic security providers do not always have the depth of expertise required to embed IAM successfully. The expertise you need for your project could well be a mix of internal skills and supplier capability, plus ad hoc expertise from external consultants, such as project managers. The right solution provider can put you in touch with the necessary skill set, either from their own resources or through third-party connections.

5. Establish authoritative data sources, such as payroll and HR or customer relationship management (CRM) systems. These will provide the identity information that helps drive the IAM automation needed for governance. Many IAM projects fall at the first hurdle by assuming that data is accurate and clean.

IAM: the paving stones on the road to full governance

IAM technology is highly sophisticated, yet it is only a part of journey towards full governance. Wherever the organisation is on that journey, the key is to get the right support to help you get to where you want to be. Technology alone cannot do that. Ensuring that you have the right partner who can deliver the consulting, pre-sales and deployment services that you need is vital. Only after IAM is integrated across the organisation will it be possible to realise ambitions for flexible working, agility and improved responsiveness, or business growth.

Reference

1 Why IAM projects fail – Understanding and avoiding common pitfalls on the route to effective identity and access management. August 2015. Computing research paper.

About the Author

Rogier Egberink is One Identity’s Regional Sales Director for Benelux, Italy and France