Having worked in the Identity and Access Management (IAM) sector for the last decade, I have been part of, and led, many IAM projects at different phases of the engagement, from the RFP process to the final delivery sign-off meeting. IAM projects, no matter what phase they are in, depend on some critical factors for their success. One would expect the delivery team to give due importance to these factors, which can make or break a project. Sadly, that's not always the case, resulting in a revenue boost for local pubs. I am writing this post to help others be successful, as we often find every successful IAM project starts from the same fundamental building blocks.
1. Data, Data, and Data
Data is the new currency of the modern world. In the world of big data and analytics, information is an integral part of critical business processes and is also crucial for taking strategic decisions. These business processes feed directly into the IAM systems to enforce an organisation's access governance and management policies.
Data is the heart of any IAM system, and poor data quality can hurt processes like application onboarding, authoritative identity sources onboarding and access provisioning, to name a few. It can also lead to an incorrect or missing correlation of identities to application accounts, which can be detrimental to access re-certification campaigns and leavers' process. What's worse than a situation where the IAM system shows an incomplete access list for a user because it was unable to map their application accounts to their identity? Alternatively, what if the segregation of duties policy didn't trigger a remedial action to an access violation because the IAM system didn't have the complete view of a user's access profile?
Cleaning up source data after the IAM processes go live is one of the most commonly committed mistakes. For the sake of short-term quick wins, projects often spend less than adequate time in the data source analysis phase and, subsequently, in the data clean-up phase. This later results in plugging holes in a sailing ship as and when they pop up, and eventually users lose confidence in the IAM system.
It is highly recommended to analyse and clean source data before feeding it into the IAM system. A data analysis tool like Securience Data Manager (SDM) may be of assistance. We can use SDM as a staging platform to integrate with virtually any type of application using a rich set of out-of-the-box connectors. Analysis of data using pre- and post-processing logic helps in cleaning up stale data and ensures flexibility in the data output format. With a simple deployment architecture, SDM doesn't cause any performance overhead and is purpose-built to perform complex data correlation operations.
Check out SDM's capabilities in detail here.
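The pre-load correlation check recommended in this section, sketched as an added example (it is not SDM and not code from the original post). The field names, the employee-id-then-email matching order and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: an HR (authoritative source) extract and one application's account export.
HR = [
    {"emp_id": "E1001", "email": "Asha.Rao@example.com", "end_date": None},
    {"emp_id": "E1002", "email": "ben.cole@example.com", "end_date": date(2024, 1, 31)},
    {"emp_id": "E1003", "email": "c.diaz@example.com", "end_date": None},
    {"emp_id": "E1004", "email": "c.diaz@example.com", "end_date": None},  # duplicate email
]
ACCOUNTS = [
    {"login": "arao", "emp_id": " e1001 ", "email": "", "enabled": True},
    {"login": "bcole", "emp_id": "", "email": "Ben.Cole@Example.com", "enabled": True},
    {"login": "cdiaz", "emp_id": "", "email": "c.diaz@example.com", "enabled": True},
    {"login": "svc_backup", "emp_id": "", "email": "", "enabled": True},
    {"login": "jdoe", "emp_id": "E0999", "email": "j.doe@example.com", "enabled": False},
]

def norm(value):
    """Normalise a correlation key: trim whitespace and ignore case."""
    return (value or "").strip().lower()

def correlate(identities, accounts, today):
    """Classify each account before it is loaded into the IAM system."""
    by_key = defaultdict(set)
    ends = {p["emp_id"]: p["end_date"] for p in identities}
    for person in identities:
        for field in ("emp_id", "email"):
            if norm(person[field]):
                by_key[(field, norm(person[field]))].add(person["emp_id"])
    report = defaultdict(list)
    for acct in accounts:
        # Try the strongest key first (employee id), then fall back to email.
        for field in ("emp_id", "email"):
            matches = by_key.get((field, norm(acct[field])), set())
            if matches:
                break
        if not matches:
            report["orphan"].append(acct["login"])       # no owner: missing from the access view
        elif len(matches) > 1:
            report["ambiguous"].append(acct["login"])    # source data needs cleaning first
        else:
            end = ends[next(iter(matches))]
            leaver = end is not None and end < today and acct["enabled"]
            report["leaver_still_enabled" if leaver else "correlated"].append(acct["login"])
    return dict(report)

if __name__ == "__main__":
    print(correlate(HR, ACCOUNTS, today=date(2024, 3, 1)))
```

Accounts reported as `orphan` or `ambiguous` are the ones that would be absent from a user's access list during re-certification, so they are worth resolving in the source before go-live.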
2. Buy-in from Senior Management and Stakeholders
Quite often, almost all IAM projects are kicked off hastily to realise the investment benefits quickly and get value for money. The IAM project team may have all the necessary key players to ensure the successful delivery of the engagement; however, risks of project delays or failure loom if there is no or minimal involvement from the senior business stakeholders. The top management should believe in the benefits of an effective IAM programme, and that belief should trickle down to different areas of the business.
Imagine a situation where you’re meeting with an application/system owner to onboard their system to the IAM platform. How will you react when the owner says they haven't seen any communication about the IAM programme or the value in onboarding their application into a third-party (i.e. the IAM) system? This often leads to delays in onboarding applications, which in turn delays the project.
It is advisable to develop a governance and a target operating model by liaising with the senior leadership team, principal data owners and the IAM project team to articulate roles and responsibilities before kicking-off the IAM programme. It's always good practice to use an industry-proven methodology to help businesses create their IAM strategy and roadmap.
3. Simplifying Inefficient and Rigid Processes
Organisations have data policies and procedures. Projects create business processes from these policies, which are then translated into technical requirements and implemented in the IAM system. It is often the case that these processes have evolved very little over time and may no longer serve the same purpose as they did before. The IAM system is only as good as the data and processes fed to it, and it may not deliver the expected functionality.
If a new joiner first appears in the HR system on their joining date, it may take at least a week before IT operations provisions all the access they need to fulfil their duties. Another example is a leaver whose last date the HR team does not update in their systems in a timely manner. The IAM system may not start de-provisioning the leaver’s access until weeks after the person has left the organisation, resulting in audit nightmares!
It is recommended to tweak and enhance the business processes before implementing them in the IAM tool. Work closely with senior business analysts to ensure that business processes are fit for purpose and align with the future goals of the IAM programme.
4. Selection of IAM Tool
We have all worked on IAM migration projects which, quite frankly, can be a nightmare. The chances of failure are too high with massive costs and efforts involved. Why does such a situation occur? It may be because the previous IAM product had served its purpose but doesn't entirely solve the modern-age business problems of the organisation. Without a future strategy, the problem may re-occur with the new IAM solution as well.
During the RFP phase of choosing the IAM tool, my team and I make sure to perform due diligence and verify that the selected IAM tool can solve the current and future use cases of the client's IAM requirements. We are partnered with the market leaders in the IAM space and perform thorough proofs-of-concept to solve tomorrow's IAM business problems today.
5. The Big Bang Approach
The big bang may have been responsible for the existence of the universe, but it may not be the best approach when implementing an IAM solution. I have made it a standard practice to assess all the project and business variables to choose the desirable implementation approach.
As tempting as it sounds, it is not always advisable to implement all the IAM capabilities in a single project phase. The IAM tool and processes will be relatively new to the end-users, and it can be quite overwhelming for them. All these new functionalities, no matter how efficient and slick they are, may not have the same level of impact as one would have expected; this will lead to lower adoption of the tool and may defeat the primary purpose of the IAM programme. However, depending on the business objectives and circumstances, a big-bang implementation plan might be the right approach for a client.
My IAM practice aims to define a strategy for a phased approach to implementing and rolling out IAM capabilities. We involve as many beta users as possible to gather feedback and use agile methodologies to implement them in subsequent releases. We also perform roadshows to spread awareness and benefits of the IAM system. We believe in not feeding the whole pie at once, no matter how tasty it is!
I plan to cover these topics in more detail in future posts, diving deeper into delivering successful IAM projects and sharing my experiences of how we have overcome challenges along the way. Thanks for reading!
By Gaurav Kabra
IAM Practice Lead, Securience