
    Let’s make your Identity and Access Management (IAM) Program a Success – A Strategic Roadmap

    Let me start by listing a few scenarios:

    • I bought one of the best products in the IAM space on the strength of a prominent research agency's report, but found that the product does not meet my business objectives.

    • The IAM solution does not support straightforward integration with many of the applications in my environment, though the Sales guy promised me Out-of-box integration.

    • The IAM product is not able to implement many of my business processes related to on-boarding and termination of Users.

    • Any integration with newer applications leads to the Vendor stating that a custom connector is needed to integrate those applications with the deployed IAM solution.

    • I was promised that the entire digital lifecycle management would be automated once the IAM product was deployed, yet multiple manual processes still exist, which makes the whole process more troublesome than before.

    • My Top Management looks at our IAM program as a money pit and a failure. This product sucks. God, can you please send me back to the old days when the internet was not there!

    Do these scenarios look familiar to you?
    I bet they do for a good number of people.

    According to one study, the majority of IAM programs do not end up meeting their Business objectives.

    For those who are looking to roll out an IAM program, you can very much make it a success provided you learn from the mistakes others have made in executing theirs. For those with an existing IAM solution, you can still take many of the inputs from this article to improve your chances of meeting your business objectives.

    Let me explore a few common mistakes (at both the thinking and the execution level) that are made during an IAM solution roll-out:

    • Measurable Business objectives and scope of the IAM program not defined –

      While the high-level business objectives are well known and well understood, what is often missed is defining detailed, measurable metrics for those objectives. Also, the scope defined is often so broad, and without an associated timeline, that the IAM program ends up running for multiple years without any tangible benefits. When you don’t know exactly what you are trying to achieve and in what timeframe, the journey is painful and directionless.

    • Lack of understanding and documentation of the current business processes and the future state –

      This may sound unusual to many, because the expectation is that you know and understand your business processes very well. But in my experience across multiple IAM solution roll-outs, this is definitely not the case. One of the primary reasons is that over the years the company grows, which leads to a complex, heterogeneous, multi-geography environment. At times there are so many departments and systems across various geographies that the company itself does not keep track of them. You need a clear understanding of the current business processes and of the future state of those processes that you are targeting.

    • Lack of Top Management support –

      IAM programs typically run over multiple years and need understanding and strong commitment from your Top Management to ensure that the funding keeps flowing and the program actually achieves the objectives for which it was set up. Typically, IAM programs operate out of the IT office, and Top Management may not be involved in the initial discussions and decisions. It is very important to have your Top Management on board with the value that the IAM program generates.

    • Treating the IAM program as an IT Project –

      This is a classic mistake made both in thinking and in execution. An IAM program is most closely associated with Business processes and Business owners. When IAM is executed as an IT project, the involvement and commitment of Business unit owners and other management layers does not happen to the extent required. IAM is then seen as an IT problem and an IT initiative, whereas it is a solution for the business.

    • Thinking that buying the well-known (and possibly most expensive) IAM product will ensure success –

      You will have seen this myth envisioned and practised in full force. One popular way of selecting a Security product is to look at the leaders defined in that category in reports from various prominent Research firms and decide to buy those products. Once the best-known security products are deployed, a sense of accomplishment follows. While there is nothing wrong with consulting the reports to identify the leading security products in a given space, you should not get carried away by them. Security products have their own pros and cons, and you need to perform your own due diligence to ensure that the product you finally select maps to your business requirements, processes and long-term strategy. With technology advancing at a breathtaking pace, your products should be able to address both your immediate and your future requirements. Put a process in place for the evaluation and selection of products. You will find more detailed thoughts on the Myths associated with the Security space and the Roadmap for CXOs in my article: 6 Myths about IT Security, Busted!

    • Big Bang roll-out approach –

      You will be eager to have your IAM solution increase your organization's efficiency quickly and may want a grand launch of the solution. Don’t do that. There are a few issues with a Big Bang roll-out:

      • A Big Bang roll-out takes longer to implement, and the stakeholders will get restless when they don’t see tangible output coming from the proposed IAM solution.

      • You want feedback from real users to optimize your implementation so that it aligns closely with the actual business processes and the users' daily work. You will not get this in a Big Bang approach, where you assume that the deployed IAM solution is what users will like and is aligned to the business processes. You are building a solution for your users, and it should meet their requirements.

      A Phased approach is recommended: it makes the roll-out an iterative process and gives you more chances to make corrections as needed.

    • Expecting that the entire digital lifecycle will be automated by an IAM solution –

      Such an expectation leads to a lot of heartburn and disappointment. You need to be realistic in your expectations of the solution. No single product will ever have Out-of-box integration with all your applications. Also, you may not want to automate every process associated with the digital lifecycle, for reasons such as business requirements, compliance requirements, product limitations, etc.

    Now that we have seen the typical mistakes to avoid, let me lay out a Strategic Roadmap for your IAM program:

    1) Define the measurable business objectives & Scope of your IAM program – Typical Business objectives for any IAM Program are:

    • Improve User experience

    • Reduce on-going administration cost (User self-service functionality for password reset and other requests)

    • Help in achieving compliance with regulations such as SOX and HIPAA

    • Reduce employee on-boarding time so that new hires are productive as soon as possible

    • Reduce risk by immediately removing user access from all relevant applications upon User termination

    While these high-level business objectives are well known and well understood, what is often missed is defining detailed, measurable metrics for them.

    E.g. –
    Reduce the Employee on-boarding time from 2 weeks to 3 days by the 1st year and from 3 days to 1 day by the 2nd year.
    Reduce the administration cost from the current annual cost of $800k to $300k by the 1st year.

    Putting measurable business objectives in place will help you devise a focused, well-defined scope for your IAM program and lay out your execution plan accordingly.

    Defining the scope of your IAM program, with the geographies and timelines associated, is an extremely important step. Don’t define an overly broad scope. The scope of your IAM program should clearly cover what you plan to achieve over a given time.

    An example of scope can be –

    • The first phase of IAM solution deployment will be implemented in 18 months and will cover:

      • The North America region

      • Applications in the HR, IT and Sales departments

      • Only the company's employees and contractors

      • Governance applied to Roles from the HR, IT and Sales departments

      • The User on-boarding and termination processes

      • User self-service functionality

    • The second phase of IAM solution deployment will be implemented in 10 months and will cover:

      • The Europe region

      • Applications in the HR, IT and Sales departments

      • Only the company's employees and contractors

      • The User on-boarding and termination processes

      • User self-service functionality

      • North America: SSO and strong authentication solution will be deployed

    You will have a greater chance of success because you will be able to define and measure your IAM program's success and show tangible benefits to your management.

    2) Assess your environment & business processes and define the future state – Based on your measurable business objectives and the defined scope, you have a list of departments and applications that will be integrated with your IAM solution. Get a thorough understanding and documentation of the business processes, birthright policies, and workflows by talking to the Business unit owners (don’t assume that a business process that applies to one business unit applies to the others as well!). I have seen even well-known organizations miss this very important step of understanding and documenting the business processes.

    This is the step where you decide which business processes you can and will automate. Please note a very important point: “You cannot automate every business process”. This could be due to various factors such as business requirements, compliance requirements, product limitations, etc.

    Also, this is the step where you assess the existing processes that are poor, decide which to discard, and devise new ones. This assessment and decision need to be made by the Business unit owner. There is no point in using your IAM solution to implement bad business processes.

    3) Lay out an execution roadmap with clearly defined & measurable milestones – Now is the time to lay out an Execution Roadmap based on the outputs of Steps 1 and 2 and define what you will actually do in Steps 4 to 10. The execution plan should avoid a Big Bang approach and take a phased approach. Keep the following points in mind while laying out your execution plan:

    • Go for quick wins – Take up initiatives that will show tangible outputs to your Top Management (e.g. reduce the on-boarding time of employees in the most critical department). It is critical to have momentum and support on your side.

    • Be realistic – Keep sufficient buffer. You are deploying a solution that will touch the everyday life of your organization's members, so allow time for due diligence and for the people factors during solution development. Also be sensitive to your organization's dynamics and plan accordingly.

    • Keep future requirements in mind – With Mobility transforming our lives and IoT poised to make them even better, we are heading toward a more connected world with newer security challenges. The identity and access management approach will be much different from the conventional one.

    4) Assess and Select the IAM product – Time to do some Googling and shopping! Search for a list of IAM product companies and review their product data sheets to perform an initial assessment. Next, create an RFI (Request for Information) and send it to the various IAM product OEMs. The RFI should be based on your outputs from Steps 1 to 3. Once you get the responses, map them to your requirements, business objectives, processes and execution roadmap. Next, call for demos/POCs of these products from the OEMs and evaluate them. Once the assessment is done, select the IAM product OEM on the merits of the product for your requirements. Get the commercial details from the selected OEM.

    5) Prepare the Business case for the IAM program and get Top Management sponsorship – Prepare a strong business case based on your outputs from Steps 1 to 4. You will have to sell the value the IAM solution will bring to your Top Management and Business unit owners. Your business case should include not only the Product license cost but the Total Cost of Ownership of your IAM solution. As I mentioned earlier, IAM is one of the security domains most closely associated with Business processes and Business owners. IAM programs typically run over multiple years and need understanding and strong commitment from your Top Management to ensure that the funding keeps flowing and the program actually achieves the objectives for which it was set up.

    Top Management sponsorship brings seriousness and commitment from the various Business unit owners and management layers. Without the support and involvement of your Business unit owners and other management layers, you will never make the IAM program successful, because its success ultimately depends on how closely it is aligned to the business processes, and no one understands the business processes better than the Business unit owners.

    6) Consolidate user identities into a centralized authoritative repository – Time for execution to start! Your IAM solution needs an Authoritative Identity repository to refer to. Assess the User attributes held in your various other repositories and use them to enrich the centralized Identity repository. This ensures that the central Identity repository provides current and correct Identity data to your Identity Management solution, which then propagates it to the end points and applications.

    7) Apply Governance through Role Modelling – Next is to get an aggregate view of access privileges. Over time, roles are created at end points and assigned to Users as needed. As the organization evolves and its structure and processes change, many of these roles become irrelevant, or new roles need to be defined to match the current state. Users also go through different stages of the Identity life cycle, which leads to orphan accounts or the assignment of extra privileges.

    As part of the Role Modelling exercise, you need to get the roles and access data from the end points you are looking to integrate with your IAM solution. Once you have that data, you can assess it and identify any orphan or rogue accounts. You can then initiate an Entitlement certification process in which the Business unit owners review each User’s access (the roles assigned) and approve, deny or update the User’s roles.
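As an added example (not code from this article or from Sacumen), the following Python script shows how the repository consolidation of Step 6 and the orphan-account and extra-privilege checks of Step 7 can be carried out on a small, constructed data set: an HR feed as the authoritative source, a directory extract supplying login names, a per-department role model agreed with the Business unit owners, and an extract of accounts from one end point (a CRM system). The record layout, the department role model, the account names and the `IAM-team` fallback queue are all assumptions made for the example; the output is a per-business-unit queue for the Entitlement certification review.

```python
"""Reconcile an authoritative identity repository against an end point's accounts.

All data below is CONSTRUCTED sample data for illustration; the record layout,
role model and end point extract are assumptions, not any product's schema.
"""

# --- Step 6: build the authoritative identity repository -------------------
# Constructed HR feed: HR is treated as the authoritative source for who exists
# and whether they are still active.
HR_FEED = [
    {"id": "E100", "name": "Ann S.",  "dept": "Sales", "status": "active"},
    {"id": "E101", "name": "Bob T.",  "dept": "IT",    "status": "active"},
    {"id": "E102", "name": "Cara M.", "dept": "HR",    "status": "terminated"},
    {"id": "E103", "name": "Dan K.",  "dept": "Sales", "status": "active"},
]

# Constructed directory extract: a second repository that enriches the HR
# record with the login name used at the end points. E103 has no entry, which
# is the kind of attribute gap the assessment in Step 6 is meant to surface.
DIRECTORY = {"E100": "ann.s", "E101": "bob.t", "E102": "cara.m"}

# --- Step 7: role model agreed with the business unit owners --------------
# Constructed: the roles each department is allowed to hold on the CRM end point.
ROLE_MODEL = {
    "Sales": {"crm_user", "crm_reporting"},
    "IT": {"crm_admin", "crm_user"},
    "HR": set(),
}

# Constructed end point extract: accounts and roles found on the CRM system.
CRM_ACCOUNTS = [
    {"login": "ann.s",      "roles": {"crm_user", "crm_admin"}},  # role outside her dept's model
    {"login": "bob.t",      "roles": {"crm_admin"}},              # consistent with the role model
    {"login": "cara.m",     "roles": {"crm_user"}},               # identity terminated: orphan
    {"login": "svc_legacy", "roles": {"crm_admin"}},              # no identity at all: orphan
]


def build_identity_repository(hr_feed, directory):
    """Consolidate HR (authoritative) and directory attributes into {login: identity}.

    Returns the repository and the list of HR identities that could not be
    mapped to a login; those need manual attribute clean-up before propagation.
    """
    repo, unmapped = {}, []
    for rec in hr_feed:
        login = directory.get(rec["id"])
        if login is None:
            unmapped.append(rec["id"])
            continue
        repo[login] = {**rec, "login": login}
    return repo, unmapped


def reconcile(repo, accounts, role_model, endpoint):
    """Flag orphan accounts and extra privileges on one end point.

    orphan          : account with no active identity behind it
    extra_privilege : active identity holding roles outside its department's model
    """
    findings = []
    for acct in accounts:
        ident = repo.get(acct["login"])
        if ident is None or ident["status"] != "active":
            findings.append({
                "endpoint": endpoint, "login": acct["login"], "type": "orphan",
                "roles": sorted(acct["roles"]),
                "owner_dept": ident["dept"] if ident else None,
            })
            continue
        extra = acct["roles"] - role_model.get(ident["dept"], set())
        if extra:
            findings.append({
                "endpoint": endpoint, "login": acct["login"], "type": "extra_privilege",
                "roles": sorted(extra), "owner_dept": ident["dept"],
            })
    return findings


def certification_queue(findings):
    """Group findings per business unit for the entitlement certification review.

    Findings with no identifiable owner (e.g. unknown service accounts) go to
    an IAM-team queue rather than being silently dropped.
    """
    queue = {}
    for f in findings:
        queue.setdefault(f["owner_dept"] or "IAM-team", []).append(f)
    return queue


if __name__ == "__main__":
    repo, unmapped = build_identity_repository(HR_FEED, DIRECTORY)
    print("identities without a login (need attribute clean-up):", unmapped)
    for owner, items in certification_queue(reconcile(repo, CRM_ACCOUNTS, ROLE_MODEL, "crm")).items():
        print(owner)
        for item in items:
            print(f"  {item['login']:<12} {item['type']:<16} {item['roles']}")
```

Running the script prints the identities that could not be mapped to a login (the attribute gap Step 6 asks you to assess) and the certification queue grouped by owning department. The same reconcile step is repeated for each new end point in Step 11; accounts that cannot be tied to any identity are routed to the IAM-team queue rather than dropped, since those are exactly the rogue or service accounts a certification must not overlook.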

     

    8) Configuration and Customization – Time for configuration and customization. Many configuration activities are performed in the product, such as attribute mapping, creating the provisioning roles, birthright policies, workflows, notifications, etc. This is also the time to develop custom connectors to integrate your Identity management solution with end points for which the product does not provide Out-of-box integration. Test your solution well against all business processes in the scope of that phase.

    9) Roll out the different use cases – With all the groundwork done, you are ready to roll out the different use cases (On-boarding, termination, user self-service, Role change, etc.). But don’t rush to roll out the solution to everyone. Run a pilot program by rolling out the solution to a few targeted users and departments. Get feedback from Business unit users, employees, contractors, etc. on the usability and effectiveness of the solution. Incorporate the feedback after mutual agreement with the Business unit owners. Once you have stabilized the solution across the various use cases, you can plan to roll it out to a slightly bigger group or to the organization level, as defined in your Execution plan.

    10) Measure and Report – The success of your IAM program depends on your measuring it against the metrics and milestones you defined in Step 1. Take regular feedback from Business unit owners and end users to understand how well the solution is meeting their requirements. Also present the results and the associated metrics to Top Management at defined, regular intervals. Showcase the tangible business benefits as much as possible.

    11) Repeat Steps 6 to 10 for integrating newer end points, in alignment with your Execution Plan – An IAM solution needs to be rolled out in a phased manner. Once you have achieved the milestones of one phase, it’s time to on-board new applications. Repeat Steps 6 to 10 to achieve this.

    For all the fans of the ITIL service delivery framework, it is possible to map the above steps to the five volumes defined in ITIL.

    Using the best-practice guidance on service delivery, you can map the roadmap steps identified in this article as follows:

    A. Service Strategy

    • Define the measurable business objectives & Scope of your IAM program

    • Assess your environment & business processes and define the future state

    • Prepare Business case for IAM program and Get Top management sponsorship

    B. Service Design

    • Assess and Select the IAM product

    • Layout an execution roadmap with clearly defined & measurable milestones

    C. Service Transition

    • Consolidate user identities into a centralized authoritative repository

    • Apply Governance through Role Modelling

    • Configuration and Customization

    D. Service Operations

    • Roll-out different use cases

    • Measure and Report

    E. Continual Service Improvement

    • Step 11: integrate newer end points and implement further business processes in alignment with your Execution Plan.

    I hope this article has given you food for thought, so that you avoid the mistakes typically made during an IAM solution roll-out and follow a structured approach to executing your IAM program.

    Success of an IAM program demands a collective effort. Let’s Secure Together!

    About the Author:

    Nitesh carries a deep passion for the information security space. Nitesh is the Founder and CEO of Sacumen, a focused and niche Security Product engineering and Services Company. Nitesh has spent more than a decade in the Security space and carries multiple prominent security certifications such as CISA, CISM, CGEIT, CISSP, CSSLP, CEH, ISO 27001 LA, CCSK and HCISSP. Nitesh is on a mission to transform the perspective of IT security from a FUD (Fear, Uncertainty and Doubt) perspective to having IT security being harnessed as an enabler and differentiator.




    Sacumen is a Security Product Engineering and Services Company. Sacumen was born to address the pressing needs of Enterprises and Product companies looking for a trusted, focused and niche Security services partner to help them develop innovative security products and solutions. Sacumen is focused on providing services to develop innovative solutions in the areas of Identity and Access Management, Application security, API Management and security, Authentication, and Security product engineering.
