Identity and Access Management (IAM) systems help ensure your staff only have the access they need. Without these controls for systems access your data & IP can be left open to security breaches.
IAM like other security domains is well-populated with great technology solutions and selecting the right IAM tooling for your business is critical, it will be the foundations on which your access controls and processes rely. However, with this technology as your foundations, you need to ensure you're sitting on solid bedrock.
There are many non-technical factors within IAM that make the difference between project success and failure. If you don’t consider and improve these underlying elements alongside implementing the technology, you'll likely pay the price over the long term.
The below is some helpful advice to consider when planning for a smooth journey.
Tone from the top
As IAM leaders we need to think of this strategy as a business change programme enabled by technology and not the opposite.
IAM tools drive standardisation and efficiency when they control a wide range of systems and processes and a focus on wide-scale deployment should be a target of this strategy. To support this, your organisation’s security policy and standards should include which key identity and access management controls are mandated and to what level. Codifying your organisation’s risk appetite into policies and standards (signed off at a senior level) will create an imperative for the organisation to support the programme.
Overcommunicate!
When embedding IAM business change early, continuous stakeholder engagement is critical, but as you roll out the capabilities and onboard systems there will be stakeholders who don't initially welcome the changes. To help with this, it's important to continuously share the benefits and vision of the improvements for the organisation, and individuals. Alongside this push of information, you should seek input on what isn’t working and which changes the business want next.
Consider engaging champions in key business areas to support their team and continue to sell the benefits, gather feedback and business-oriented requirements for the project. When you give the business influence, you will inevitably drive advocacy and buy-in.
A well-engaged steering committee made up of representatives from the business, IT and external experts is a great place to publicise success, look for help (especially where challenges relate to resistance in particular business areas) and gain support on key decisions taken by the IAM project.
Data and processes
The cause of common challenges often comes down to data and process. IAM tools are powerful and flexible but if they are fed bad data or the processes they execute are poorly designed, an IAM tool can be a very expensive way of making bad decisions faster!
You're likely undertaking an IAM programme because your existing identity management processes are not entirely effective; with issues taking many forms including audit findings, inefficient processes and control gaps. IAM technology can often help with these issues, but technology alone is unlikely to address the root causes effectively.
Many organisations have evolved isolated IAM processes without holistic design which can lead to ineffective and inefficient processes. IAM tools typically come with out-of-the-box workflows for these processes but will often not fit your existing ways of working and will require significant customisation to fit. Don’t customise your tooling to suit your existing process or you're likely to fail. Take this opportunity to review existing processes, and reengineer them to match your tooling.
Where possible, standardise processes based on advice from your IAM strategy and implementation experts and don’t underestimate the effort it will take to agree on process changes with process owners.
Even with great processes, your solution is not going to be a success unless the data it consumes is of high quality. IAM systems, by their nature, take data from many different sources which often lack alignment in the way they handle data.
IAM systems require strong data alignment, for example ensuring all users have unique user IDs that can be correlated across multiple systems back to HR data. These systems will often suffer from numerous data quality issues including containing redundant users that need to be cleaned up and poorly described roles and entitlements that make access request approvals and re-certifications very difficult.
All of these common data issues will trip you up if they're not addressed in the source system. Some should be completed before a system is connected to your IAM solution, some can be addressed over time. However, beware of generating a large backlog of data issues that act as a drag on realising your objectives.
These are just a few examples of things that need to be considered outside of the core IT solution implementation. Organisations that fail to prioritise these and other non-IT challenges underestimate the work needed to get the best from an investment in IAM.
Experts at Savanti can help you to identify and address the full range of technical and business implications. Savanti have a team of experienced IAM specialists who have developed a proven delivery framework and will guide you through all the areas that need to be considered, showing you how to prioritise and address these or lead your whole programme for you.
If you need support with your IAM journey, please get in touch info@savanti.co.uk or visit our website: www.savanti.co.uk
For more information about Savanti's IAM service, please provide your details below:
