Why Identity Management Programs Fail?
Updated: Mar 9, 2020
Identity and Access Management (IAM) is a convoluted topic for many organizations, and enterprises struggle to get IAM-related modernization or enhancement initiatives right. Within an organization, many think that they know IAM – regardless of which function they represent – but only a few “practice” IAM and can get it right. IAM also means different things to different key players. Due to the complex nature of today’s information and data landscape, the notion of identity is no longer limited to a human identity, nor are security practices limited to getting firewall rules, privileged access or vulnerability management addressed. Today’s IAM needs to be thought about, strategized and practiced as the focal point of the entire organization’s security. Most organizations don’t treat IAM as a focal point. Instead, they choose to treat IAM as “just another initiative”, run cybersecurity, network security and privileged access as separate, siloed initiatives, and still expect a smooth-running IT organization that keeps business, audit, IT verticals and, most importantly, the end user productive. Many such efforts result in budget overruns, staff turnover due to lack of progress, “CxO heads rolling” and no tangible business benefits from the millions of dollars that have gone into them.
It is equally astonishing to see that in today’s era of data breaches, privacy concerns and cybercrime, IAM (which includes identity governance and authentication/multi-factor authentication), privileged access, cybersecurity, and data analytics are treated as standalone practice areas with some commonality.
We at CredenceIA Consulting have advised clients, developed greenfield IAM solutions, migrated clients from legacy solutions to leading-edge solutions and come up with innovative solutions such as QuickStart implementation offerings. Drawing on that experience and on living down in the trenches, here are our major observations on the overall complexity of getting IAM right, and the key pillars of a successful IAM program.
Remember, IAM is not about getting someone access and periodically reviewing it – it is much more.
Lack of clear objectives
One of the challenges that the CISO and other leaders face in addressing IAM is the lack of clear objectives. What are you trying to address? Is your IAM program a reaction to a recent breach, audit finding, customer dissatisfaction or tool obsolescence? Is your approach to IAM and overall information security just a Band-Aid, or a cohesive approach that can outlive a tactical, perceived challenge? These are some of the questions that need to be answered to ensure the long-term viability of a meaningful IAM program, a better return on investment (both time and money) and end-user satisfaction. CredenceIA has developed best practices on how to get an IAM program right. Best practices are a starting point: every client situation is different, and every organization has different DNA and dynamics. As an IAM leader, find the common thread that can help you and others see through the clutter.
Lack of stakeholder buy-in – “It’s an IT Issue”
How many times have IAM initiatives failed to get traction once a larger number of people started voicing their opinions? This is far too often one of the most common reasons why IAM initiatives fail to realize their potential. CredenceIA’s methodology is to conduct workshops as part of socializing an initiative, to build consensus and to articulate benefits that resonate with diverse stakeholders. This alone helps get the understanding across that IAM is not just another “IT issue” and needs participation from across the enterprise. Not all stakeholders are technically focused. Everyone has different objectives, expectations, and a different picture of what the end product looks like. Having a Business Requirement Document (BRD) with signatures from stakeholders is one thing; ensuring stakeholders have understood how the end solution will address their priorities and objectives is another. A committee of stakeholders, timely and customized messaging, and visualization of the end solution early on are critical to making sure stakeholders are engaged and approve of the initiative, and to the success of the program. The right external partner/advisor can make the difference between success and disaster.
One of the crucial factors is leadership turnover. The turnover we are discussing is at the thought leadership level (think SMEs) and at the organization level (think Director, VP or CxO). In many cases, both thought and organization leadership may come from the same person(s). We have seen scenarios where a leadership departure results in a restart of the entire IAM program or its initiatives, which is a big demotivating factor for stakeholders and raises questions about the remaining leadership. An IAM program cannot and should not change with leadership turnover, considering the long tail of IAM programs. The key is that if the IAM program or initiative is socialized enough, has steering committee oversight, has the right technology selection and has the right external partner, then the impact of leadership turnover can be minimized.
Lack of readiness to embrace change
The understanding of IAM and the challenges related to it have evolved over time. Similarly, there are different technology and implementation approaches available to address IAM challenges. Today's identity is not only about HR and application access data and managing the lifecycle around it. Identity has evolved, compliance requirements have evolved, and cyber threats, privacy and insider threats are real issues that are related to identity. How an organization addresses the age-old "who has access to what" question is what differentiates barely managing IAM from being on the leading edge. We have advised and helped our clients embrace new architectural and implementation approaches to address ever more complex identity and IAM-related challenges and, more importantly, to challenge the status quo. Yes, one can still implement an IAM solution in the traditional siloed way, where each of the above identity challenges is handled piecemeal. The alternative is to take a holistic view: bring together key identity data from HR, applications, infrastructure, SIEM tools and unstructured data (i.e. firewalls) and apply analytics to it, so that you are better prepared for the future of IAM.
The CredenceIA Consulting team is a pioneer in innovative architectural and implementation approaches. Our proven experience in advisory, implementation services and managed services can help you stabilize your IAM ecosystem and set your organization up to handle next-generation IAM challenges. Concepts like an identity warehouse can make the case for faster migration to new tools, reduce vendor tool dependencies, bring a great deal of automation, allow for data analytics, detect segregation of duties (SOD) violations, help with compliance and reduce your audit burden – all while saving you time and money.
Is your Board paying attention?
Every time there is a breach, data leak, significant audit finding or similar event, IAM comes up as a topic for the board. Promises are made, and then the attention moves away. IAM is hard to explain, and many CEOs and board members lose interest after arming CIOs/CISOs to “fix IAM”. Fixing IAM is not a one-time effort; it is a multi-year journey. Boards and the C-suite need to be more proactive on IAM challenges. Being reactive can be costly in the IAM space. It is time to take IAM seriously and stop just paying lip service. As we do our assessments, we come across legacy authentication systems, the front door to critical assets, that are out of life and are ignored because there is no immediate perceived need and because they are “working”. Security initiatives are always under-budgeted.
Know your users and what they are doing
In the early days of IAM, and then IGA, users were simply the employees and contractors (non-employees) of an organization. In today’s complex environment, users are not only traditional employees and contractors but also include third-party users, machine IDs, external business applications and more. Each user type has its own requirements, use cases, and risk profiles. Managing users across each type is just step one. Knowing what a user is doing, and taking real-time (or proactive) decisions based on it, is what sets program maturity apart. This can only be done if you have a leading IGA tool that is capable of bringing in data from diverse endpoints, using this data for risk-based modeling and making risk actionable.
Remember the mantra:
Don’t just give access – understand what a user is doing with that access.
Don’t forget user experience
Gone are the days when IT was limited to buying a tool with a clunky User Interface (UI) and a dismal User Experience (UX). An end-user-friendly UX lets IT and the business coexist with less friction and gets better participation from your end users, and a happy end user makes good decisions rather than rubber-stamping. With that in mind, select an IGA solution that continuously invests in improving the user experience, allows the interface to be flexibly tailored for different users and makes the UX intuitive.
Choose your Services Partner wisely
Not all System Integrators (SIs) are created equal. Depending on the initiative, pick the right SI to ensure you can stay within the stipulated time and budget and, most importantly, get the expected outcomes. As you go through the selection process for the SI partner, make an effort to meet key team members and discuss their past experience, their thought process, and their technology and implementation approaches. Ensure that the key players from these discovery sessions are going to be the actual team members, or have a certain time commitment to the other team members who may be the boots on the ground. Remember, quality of work and wisdom about what works and what does not do not always come cheap. The cost or size of a firm is an important factor, but at times working with boutique firms brings its own benefits.
Migration is not as easy as it sounds. IGA tools are a long-term commitment, and realizing the value of your investment in an IGA tool requires a thorough vetting process and the involvement of stakeholders across the enterprise. It is equally important to think through use cases and requirements, and to evaluate IGA tools against them, to avoid buyer’s remorse.
Not all IGA offerings are created equal
IGA solutions have evolved over the years. The legacy offerings were primarily architected to be on-premise and focused on addressing IT-driven challenges (one or more of operational efficiency, automation or the promise of it, and identity data consolidation to address regulatory obligations). Business needs were either secondary or an afterthought. A lot has changed. Gartner (2018 Magic Quadrant for Identity Governance and Administration) indicates that IGA time to value (read: faster implementations) and tools that offer IGA-as-a-service will be leading the pack. Some IGA tools are retrofitted to align them with current demands; the best are built from the ground up to stay ahead of the curve, with a cloud-preferred architecture, a view of IGA as a combined IT/business challenge, and adaptability not only for complex medium and large organizations but also for the small and medium business (SMB) segment.
One such leading solution is Saviynt’s offering, which seamlessly blends IT and business needs into one unified offering. It provides improved business process efficiency (e.g. Segregation of Duties, proactive sensitive information analysis, risk-based policies and reviews, risk profiling of user access, audit-friendly control evidence exchange, analytics-derived policies for provisioning, risk-based workflows, and continuous visibility of access to enforce internal controls, to name a few) while keeping a balance with IT priorities (flexible implementation with minimal development, a rich connector library, a UX designed with the end user in mind, flexibility to customize to an organization’s needs, lower operational overhead and the ability to evolve and adapt). Saviynt’s Identity 3.0, with context-based risk analysis, a next-generation UX, and the ability to bring in and use data from SIEM, UEBA and a wide range of endpoints, is a force in itself to look out for.
If you are evaluating IGA solutions or considering moving your home-grown solution or legacy solution or have concerns with the current implementation, let’s connect and discuss how IGA can make a difference combined with innovative solutions like QuickStart from CredenceIA.
Get your IGA implementation right
Selecting an IGA tool is one thing. Without the right partner and their experience and offerings, an IGA investment has a higher chance of failure or lackluster adoption.
It is well understood that a successful IGA implementation needs a well-experienced System Integrator. To realize the value of the investment in IGA, you need a system integrator who has industry experience, is vendor-agnostic, and has IGA experience across a wide range of offerings.
CredenceIA Consulting’s team is comprised of highly experienced, high-quality resources, including a dedicated team with experience across IGA offerings (from legacy solutions to current and next-generation ones). We have a dedicated team with a focus on IGA offerings from leading providers. CredenceIA Consulting has a team of experienced resources at every level (i.e. from architect to engineer).
Why CredenceIA Consulting?
CredenceIA Consulting LLC specializes in Information Technology services to help companies solve challenges in technical implementations, operations, governance, risk, and internal audit. The company focuses its offering on strategic advice and roadmap recommendations, system integrations and program governance in the area of Information Technology, with a focus on Identity and Access Management and Identity Governance.
Our experienced consultants have an average of 10+ years of experience with Identity Management (IAM) technologies. We are committed to our clients and we take pride in the quality of work we do. We realize that the work we do has a great impact on the day-to-day business of our clients, their end-user satisfaction and their information risk and protection. We consistently deliver the highest quality work with the best talent and high-performing teams. Every client and project is different, so we tailor our advice, approach, and implementation to each engagement. Experience high-quality, consistent and agile services and find a great partner and adviser who puts you first and not the $.