Contributed by Gaurav Kabra (GK), Practice Director, IAM, Herjavec Group
In our 2021 Cybersecurity Conversations Report, we asked our executive leaders what the foundation of security is. The unanimous answer was “Identity.”
As organizations have embraced digital transformation and transitioned to hybrid or remote work environments, it is important to consider whether your enterprise cybersecurity strategy has kept up. Developing an identity-centric security program by implementing Identity and Access Management programs is key to surviving this paradigm shift.
From an IAM assessment to a fully managed program, Identity and Access Management (IAM) projects are largely dependent on five critical building blocks that ensure their success.
Building Blocks of an IAM Project
1. Data, Data, and Data
Data is the new currency of the modern world. It’s an integral part of critical business processes and feeds directly into IAM systems to enforce enterprise access governance and management policies.
As data is the heart of any IAM system, poor data quality can hurt critical procedures like application onboarding, authoritative identity sources onboarding, and access provisioning. It can also lead to an incorrect or missing correlation of identities to application accounts, which can be detrimental to access re-certification campaigns and the leavers’ process. This may lead to the IAM system showing an incomplete access list for a user as it was unable to map their application accounts to their identity. Not only that, if the IAM system doesn’t have a complete view of a user’s profile, the policy regarding segregation of duties won’t trigger a remedial action to an access violation.
One common mistake that often leads to poor data quality is cleaning source data after the IAM processes go live. This can seem like a shortcut approach but is ultimately short-sighted as projects often spend less than adequate time in the data source analysis phase and in the data clean-up phase. This often results in long-term issues and eventually, users may lose confidence in the IAM system.
Analyzing and cleaning source data before feeding it into the IAM system using a data analysis tool such as Herjavec Group Data Manager (HGDM) is one of the best ways to ensure good quality data. HGDM may be used as a staging platform to integrate with virtually any type of application using a rich set of out-of-the-box connectors. Analysis of data using pre and post-processing logic helps in cleaning up stale data and ensures flexibility in the data output format.
2. Buy-in from Senior Management and Stakeholders
In order for any IAM project to be successful, the executive team must be on board with the project requirements. Even if the IAM project delivery team has all the necessary key players to ensure the successful delivery of the engagement, there is risk of project delays or failure if there is no (or minimal) involvement from the senior business stakeholders.
Developing a governance and target operating model before onboarding the IAM program is a great way to ensure all necessary stakeholders are well informed and on the same page. This will allow your team to liaise with the senior leadership team, principal data owners, and the IAM project team to articulate roles, responsibilities, and the general project plan.
3. Simplifying Inefficient and Rigid Processes
An IAM program is only as good as the data and processes that feed into it. If an organization’s processes and policies don’t reflect the technical or logistical requirements necessary, the IAM project will likely not deliver on the expected results.
If a new employee doesn’t officially enter the HR system until their joining date, the employee may not be able to fulfill their duties until IT provisions the required accesses. This inefficiency can cost the enterprise and lead users and executives alike to lose confidence in the IAM system. Similarly, when an employee leaves the organization, if the HR team doesn’t update their system in a timely manner, the IAM system may be delayed in de-provisioning access after the employee has left the organization, leaving the company vulnerable to insider threat.
Enhancing business processes before implementing them in the enterprise IAM tool will maximize the potential of the IAM tool and program as a whole. Additionally, the IAM project leaders should work closely with senior business leaders to ensure that business processes are fit for purpose and align with the future goals of the IAM program.
4. Selecting the Right IAM Tool
In order for an IAM project to be successful, organizations must be diligent about selecting the tool that fits their individual needs. Often, IAM projects fail or incur significant and unnecessary costs if the selected tools don’t comprehensively address the goals of the organization.
Enterprises should use the RFP phase to perform due diligence with the IAM service provider and verify that the selected IAM technology will not only meet the company’s current needs, but is also well-equipped for their goals and requirements.
5. Implementing the IAM Project Phase Approach
The IAM Project implementation plan is critical to the success of the program. Generally speaking, any IAM solution that is deployed will add new and unfamiliar processes and technologies that the enterprise team (the end-users) will be required to engage with. If implemented poorly, this can be overwhelming and result in users rejecting the adoption of the tool, no matter how efficient and beneficial its functions may be, completely defeating the purpose of the IAM solution.
With any IAM solution, assume that the business process and technologies that need to be implemented will be relatively new to the end users. As a result, no matter how efficient and beneficial the functionalities are, end users may become overwhelmed and reject the adoption of the tool, which in turn defeats the primary purpose of an IAM solution. Therefore, it’s not always advisable to implement all the IAM capabilities in a single project phase.
Instead, focus on defining a strategy for a phased approach to implementing and rolling out IAM capabilities. Involve as many beta users as possible to gather feedback, and use agile methodologies to implement them in subsequent releases. We also recommend conducting ‘roadshows’ to spread awareness around the benefits of the IAM system.
It’s important for organizations to understand that there is no one-size fits all approach in the IAM space — an IAM solution will only be as successful as the organization leading the implementation.
To learn how Cyderes’s Identity & Access Management practice can support your organization’s Identity needs, please connect with a security specialist here.
Take the first step in transforming your cybersecurity program
Enterprise security teams are adapting to meet evolving business needs. With six global Security Operations Centers, emerging technology partners and a dedicated team of security specialists, Cyderes is well-positioned to be your organization’s trusted advisor in cybersecurity. We’ll help you understand your risk exposure, increase your visibility and ROI, and proactively hunt for the latest threats.