- 03 Nov
Let’s make your Identity and Access Management (IAM) Program a Success – A Strategic Roadmap
Let me start by listing a few scenarios:
Do these scenarios look familiar to you?
I bet they do for a good number of people.
According to one study, the majority of IAM programs do not end up meeting their business objectives.
For those who are looking to roll out an IAM program, you can very much make it a success provided you learn from the mistakes commonly committed while executing IAM programs. For those with an existing IAM solution, you can still take many of the inputs from this article to ensure that you have a greater chance of meeting your business objectives.
Let me explore a few common mistakes (at both the thinking and the execution level) that are made during an IAM solution roll-out:
Now that we have seen the typical mistakes to avoid, let me lay out a Strategic Roadmap for your IAM program:
1) Define the measurable business objectives & Scope of your IAM program – Typical Business objectives for any IAM Program will be:
While these high-level business objectives are well known and reasonably well understood, what is often missed is attaching detailed, measurable metrics to each of them, for example:
Reduce the Employee on-boarding time from 2 weeks to 3 days by 1st year and from 3 days to 1 day by 2nd year.
Reduce the administration cost from the current annual cost of $800k to $300k by 1st year.
Putting measurable business objectives in place will help you devise a focused, well-defined scope for your IAM program and lay out your execution plan accordingly.
Defining the scope of your IAM program, together with the geography and timelines associated with it, is an extremely important step. Don’t define an overly broad scope. The scope should clearly state what you plan to achieve over a given time.
An example of scope can be –
You will have a greater chance of success because you will be able to define and measure your IAM program's success and show tangible benefits to your management.
2) Assess your environment & business processes and define the future state – Based on your measurable business objectives and the defined scope, you have a list of departments and applications that will be integrated with your IAM solution. Get a thorough understanding and documentation of the business processes, birthright policies, and workflows by talking to the business unit owners (don’t assume that a business process that applies to one business unit will apply to others as well!). I have seen that even well-known organizations miss this very important step of understanding and documenting the business processes.
This is the step where you decide which business processes you can and will automate. Note a very important point: you cannot automate every business process. This may be due to factors such as business requirements, compliance requirements, product limitations, etc.
This is also the step where you assess the bad existing processes that you would like to discard and replace with new ones. This assessment and decision need to be made by the business unit owner. There is no point in using your IAM solution to implement bad business processes.
3) Lay out an execution roadmap with clearly defined & measurable milestones – Now is the time to lay out an Execution Roadmap based on the outputs of Steps 1 and 2 and define what you will effectively do from Step 4 to Step 10. The execution plan should avoid a Big-Bang approach and take a phased approach. Keep the following points in mind while laying out your execution plan:
4) Assess and select the IAM product – Time to do some Googling and shopping! Search for lists of IAM product companies and review their product data sheets to perform an initial assessment. Next, create an RFI (Request for Information) and send it to various IAM product OEMs. The RFI should be based on the outputs of Steps 1 to 3. Once you get the responses, map them to your requirements, business objectives and processes, and execution roadmap. Next, call for demos/POCs of these products from the OEMs and evaluate them. Once the assessment is done, select the IAM product OEM on the merits of the product for your requirements, and get the commercial details from the selected OEM.
5) Prepare the business case for the IAM program and get Top Management sponsorship – Prepare a strong business case based on the outputs of Steps 1 to 4. You will have to sell the value that the IAM solution will bring to your Top Management and business unit owners. Your business case should include not only the product license cost but the total cost of ownership of your IAM solution. As I mentioned earlier, IAM is one of the security domains most closely associated with business processes and business owners. IAM programs typically run over multiple years, and they need understanding and strong commitment from your Top Management to ensure that the funding keeps flowing and that the program indeed achieves the objectives it set out to achieve.
Top Management sponsorship brings seriousness and commitment from the various business unit owners and management layers. Without the support and involvement of your business unit owners and other management layers, you will never be able to make the IAM program successful, because its success ultimately depends on how closely it is aligned to the business processes, and no one understands those processes better than the business unit owners.
6) Consolidate user identities into a centralized authoritative repository – Time for execution to start! Your IAM solution will need an authoritative identity repository to refer to. Assess the user attributes held in your various other repositories and use them to enrich the centralized identity repository, so that it provides current and correct identity data for your identity management solution to propagate to end points and applications.
7) Apply governance through role modelling – Next is to get the aggregate view of access privileges. Over a period of time, roles are created at end points and assigned to users as needed. As the organization evolves and its structure and processes change, many of these roles become irrelevant, or a need arises to define new roles that match the current state. Users also go through different stages of the identity life cycle, which leads to orphan accounts or the assignment of extra privileges.
As part of the role modelling exercise, you need to get the roles and access data from the end points you are looking to integrate with your IAM solution. Once you have the roles and access data, you can assess it and identify any orphan or rogue accounts. You can then initiate an entitlement certification process in which the business unit owners review each user’s access (roles assigned) and approve, deny or update it.
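To make Steps 6 and 7 concrete, here is an added example that is not from the article or from any IAM product: it merges two constructed identity feeds into one repository using a per-attribute source-precedence policy, then runs constructed end-point account exports against that repository to flag orphan accounts (no owner, owner unknown, or owner no longer active) and to build the per-manager entitlement view that a certification campaign starts from. All records, attribute names, the precedence policy and the end-point names are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample identity feeds (not real data). HR is authoritative for
# employment status; the directory is authoritative for e-mail.
HR_FEED = [
    {"id": "E100", "name": "Asha Rao", "dept": "Finance", "manager": "E001", "status": "active"},
    {"id": "E101", "name": "Ben Ortiz", "dept": "Sales", "manager": "E002", "status": "active"},
    {"id": "E102", "name": "Chen Wei", "dept": "Finance", "manager": "E001", "status": "terminated"},
]
DIRECTORY_FEED = [
    {"id": "E100", "email": "asha.rao@example.com", "dept": "Accounts"},  # stale dept value
    {"id": "E101", "email": "ben.ortiz@example.com"},
    {"id": "E102", "email": "chen.wei@example.com"},
]

# Assumed precedence policy (agreed with business owners in Step 6): for each
# attribute, the first listed source that holds a non-empty value wins.
PRECEDENCE = {
    "name": ["hr", "directory"],
    "dept": ["hr", "directory"],
    "manager": ["hr"],
    "status": ["hr"],
    "email": ["directory", "hr"],
}


def consolidate(sources, precedence):
    """Build the central authoritative repository from several feeds.

    sources: {source_name: [record, ...]} where every record carries an "id".
    Returns {id: merged_record} with attributes resolved by precedence."""
    by_source = {name: {r["id"]: r for r in records} for name, records in sources.items()}
    all_ids = set().union(*(ids.keys() for ids in by_source.values()))
    repo = {}
    for ident in sorted(all_ids):
        entry = {"id": ident}
        for attr, order in precedence.items():
            for src in order:
                value = by_source.get(src, {}).get(ident, {}).get(attr)
                if value:
                    entry[attr] = value
                    break
        repo[ident] = entry
    return repo


# Constructed end-point exports for Step 7: account name, recorded owner, roles.
ENDPOINT_ACCOUNTS = {
    "erp": [
        {"account": "arao", "owner": "E100", "roles": ["AP_Clerk", "GL_View"]},
        {"account": "cwei", "owner": "E102", "roles": ["AP_Approver"]},  # owner terminated
        {"account": "svc_batch", "owner": None, "roles": ["Admin"]},      # no owner on record
    ],
    "crm": [
        {"account": "ben.ortiz", "owner": "E101", "roles": ["Sales_Rep"]},
        {"account": "jdoe", "owner": "E999", "roles": ["Sales_Admin"]},  # owner unknown to HR
    ],
}


def find_orphan_accounts(repo, endpoint_accounts):
    """Return (endpoint, account, reason) for every account whose owner is
    missing, unknown to the repository, or not in 'active' status."""
    orphans = []
    for endpoint, accounts in endpoint_accounts.items():
        for acct in accounts:
            owner = acct["owner"]
            identity = repo.get(owner) if owner else None
            if identity is None:
                reason = "no owner" if owner is None else "owner unknown"
            elif identity.get("status") != "active":
                reason = f"owner {identity['status']}"
            else:
                continue  # healthy account, nothing to flag
            orphans.append((endpoint, acct["account"], reason))
    return orphans


def certification_view(repo, endpoint_accounts):
    """Aggregate entitlements of active users, grouped by manager, so each
    business unit owner reviews only the access of their own reports."""
    view = defaultdict(lambda: defaultdict(list))
    for endpoint, accounts in endpoint_accounts.items():
        for acct in accounts:
            identity = repo.get(acct["owner"]) if acct["owner"] else None
            if identity and identity.get("status") == "active":
                for role in acct["roles"]:
                    view[identity["manager"]][identity["id"]].append(f"{endpoint}:{role}")
    return {manager: dict(users) for manager, users in view.items()}


if __name__ == "__main__":
    repository = consolidate({"hr": HR_FEED, "directory": DIRECTORY_FEED}, PRECEDENCE)
    for orphan in find_orphan_accounts(repository, ENDPOINT_ACCOUNTS):
        print("ORPHAN", *orphan)
    for manager, users in certification_view(repository, ENDPOINT_ACCOUNTS).items():
        print("REVIEWER", manager, users)
```

The precedence table is the piece that matters in practice: without it, the stale department value from the directory would silently overwrite the HR value, and the orphan report would be built on wrong data. The orphan check treats "owner terminated" and "owner unknown" as separate findings because they usually land with different teams (deprovisioning versus a data-quality investigation).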
8) Configuration and customization – Time for configuration and customization. Many configuration activities are performed in the product, such as attribute mapping, creating the provisioning roles, birthright policies, workflows, notifications, etc. This is also the time when you develop custom connectors to integrate your identity management solution with end points for which the product does not provide out-of-the-box integration. Test your solution thoroughly against all business processes in scope for that phase.
9) Roll out the different use cases – With all the groundwork done, you are ready to roll out the different use cases (on-boarding, termination, user self-service, role change, etc.). But don’t rush to roll out the solution to everyone. Run a pilot program by rolling the solution out to a few targeted users and departments. Get feedback from business unit users, employees, contractors, etc. on the usage and effectiveness of the solution. Incorporate the feedback after mutual agreement with the business unit owners. Once you have stabilized the solution across the various use cases, you can plan to roll it out to a slightly bigger group or to the organization level, as defined in your execution plan.
10) Measure and report – Your IAM program’s success depends on your measuring it against the metrics and milestones you defined in Step 1. Take regular feedback from business unit owners and end users to understand how well the solution is meeting the requirements. Present the results and the associated metrics to Top Management at defined, regular intervals, and showcase the tangible business benefits as much as possible.
11) Repeat Steps 6 to 10 for integrating new end points, in alignment with your execution plan – An IAM solution needs to be rolled out in a phased manner. Once you have achieved the milestones, it’s time to on-board new applications. Repeat Steps 6 to 10 to achieve this.
For all the fans of ITIL service delivery framework, it is possible to map the above steps to the five volumes defined in ITIL.
Using the best-practice guidance of service delivery, you can map the roadmap steps identified in this article as follows:
A. Service Strategy
B. Service Design
C. Service Transition
D. Service Operations
E. Continual Service Improvement
I hope this article has provided you food for thought so that you avoid the mistakes typically made during IAM solution roll-outs and follow a structured approach to executing your IAM program.
The success of an IAM program demands a collective effort. Let’s Secure Together!
About the Author:
Nitesh carries a deep passion for the information security space. Nitesh is the Founder and CEO of Sacumen, a focused and niche Security Product engineering and Services Company. Nitesh has spent more than a decade in the Security space and carries multiple prominent security certifications such as CISA, CISM, CGEIT, CISSP, CSSLP, CEH, ISO 27001 LA, CCSK and HCISSP. Nitesh is on a mission to transform the perspective of IT security from a FUD (Fear, Uncertainty and Doubt) perspective to having IT security being harnessed as an enabler and differentiator.
Sacumen is a Security Product Engineering and Services Company. Sacumen was born to address the pressing needs of Enterprises and Product companies looking for a trusted, focused and niche Security services partner to help them develop innovative security products and solutions. Sacumen is focused on providing services to develop innovative solutions in the areas of Identity and Access Management, Application security, API Management and security, Authentication, and Security product engineering.