Your business operations can be complex and require multiple technologies such as applications, platforms, services and infrastructure. Effectively overseeing and controlling who has access to what across this landscape can be a daunting challenge. Unfortunately, there are numerous horror stories of failed IAM projects and many companies continue to struggle with effective IAM to protect their critical data and assets. In this article we’ll explore some of the reasons IAM fails and examine leading practices to help ensure IAM success.
First let’s define what we mean by Enterprise Identity and Access Management (EIAM). In simple terms, EIAM is the set of roles, policies, processes, procedures and technology that provide oversight, authorization and control of every form of access to a company’s computing assets. The forms of access under EIAM include, but are not limited to, access by employees, contractors, customers, services and devices. How well a company oversees and controls all of these forms of access determines how well it prevents unauthorized access and malicious activity that can disrupt business operations or worse. The discipline of EIAM is both broad and deep; in general terms it consists of the following three domains (the lists below are in no way comprehensive and represent only the basics of each domain):
IAG (Governance)
1. IAM strategy & roadmap
2. Policies (compliance)
3. Governance Model
4. Roles & Responsibilities
5. Audit
6. Incident Response
IAM (Access Services)
1. Workforce access
2. Customer access
3. 3rd Party access
4. IAM Services
a.) SSO/MFA
b.) LDAP/AD
c.) Authorization
d.) Monitoring
PAM (Privileged Access Management)
1. Risk model
2. Administrator accounts
3. Secrets vault
4. Check out controls
5. Monitoring/Audit
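To make the PAM items above concrete (secrets vault, check-out controls, monitoring/audit), here is an added example of the core check-out logic a privileged access tool enforces. It is illustrative code written for this article, not the code of any PAM product: an administrator account is checked out for a bounded lease, only one holder can have it at a time, the secret is rotated on check-in or expiry, and every decision (allowed or denied) lands in an audit trail. The account name, requesters and the 4-hour TTL ceiling are assumed values.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Lease:
    holder: str
    expires_at: datetime


class PrivilegedVault:
    """Holds admin-account secrets and enforces check-out rules:
    one holder at a time, a bounded TTL, rotation after use, and an
    audit event for every allowed or denied action."""

    MAX_TTL = timedelta(hours=4)  # assumed policy ceiling for a single check-out

    def __init__(self, initial_secrets: dict[str, str]) -> None:
        self._secrets = dict(initial_secrets)
        self._leases: dict[str, Lease] = {}
        self.audit: list[dict] = []  # append-only trail (the Monitoring/Audit item)

    def _log(self, action: str, account: str, actor: str, ok: bool,
             now: datetime, reason: str = "") -> None:
        self.audit.append({"ts": now.isoformat(), "action": action,
                           "account": account, "actor": actor,
                           "ok": ok, "reason": reason})

    def _rotate(self, account: str) -> None:
        # A real vault would also push the new value to the target system.
        self._secrets[account] = secrets.token_urlsafe(24)

    def checkout(self, account: str, requester: str, ttl: timedelta,
                 now: Optional[datetime] = None) -> Optional[str]:
        """Return the secret if policy allows, otherwise None (and log why)."""
        now = now or datetime.now(timezone.utc)
        if account not in self._secrets:
            self._log("checkout", account, requester, False, now, "unknown account")
            return None
        if not timedelta(0) < ttl <= self.MAX_TTL:
            self._log("checkout", account, requester, False, now, "ttl outside policy")
            return None
        lease = self._leases.get(account)
        if lease is not None and lease.expires_at > now and lease.holder != requester:
            self._log("checkout", account, requester, False, now, "held by " + lease.holder)
            return None
        self._leases[account] = Lease(requester, now + ttl)
        self._log("checkout", account, requester, True, now)
        return self._secrets[account]

    def checkin(self, account: str, requester: str,
                now: Optional[datetime] = None) -> bool:
        """Only the current holder may return the account; the secret is rotated."""
        now = now or datetime.now(timezone.utc)
        lease = self._leases.get(account)
        if lease is None or lease.holder != requester:
            self._log("checkin", account, requester, False, now, "not the holder")
            return False
        del self._leases[account]
        self._rotate(account)
        self._log("checkin", account, requester, True, now)
        return True

    def expire_leases(self, now: Optional[datetime] = None) -> list[str]:
        """Sweep leases whose TTL elapsed: rotate the secret and log the expiry."""
        now = now or datetime.now(timezone.utc)
        expired = [a for a, l in self._leases.items() if l.expires_at <= now]
        for account in expired:
            holder = self._leases.pop(account).holder
            self._rotate(account)
            self._log("expire", account, holder, True, now, "ttl elapsed")
        return expired


def demo() -> dict:
    """Constructed scenario: two admins contend for one production root account."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    vault = PrivilegedVault({"root@db-prod": "initial-secret"})  # assumed account
    first = vault.checkout("root@db-prod", "alice", timedelta(hours=1), now=t0)
    second = vault.checkout("root@db-prod", "bob", timedelta(hours=1),
                            now=t0 + timedelta(minutes=10))          # denied: held
    too_long = vault.checkout("root@db-prod", "alice", timedelta(days=1), now=t0)
    wrong_checkin = vault.checkin("root@db-prod", "bob", now=t0 + timedelta(minutes=20))
    returned = vault.checkin("root@db-prod", "alice", now=t0 + timedelta(minutes=30))
    after_rotation = vault.checkout("root@db-prod", "bob", timedelta(hours=1),
                                    now=t0 + timedelta(minutes=31))
    expired = vault.expire_leases(now=t0 + timedelta(hours=2))
    return {
        "first": first, "second": second, "too_long": too_long,
        "wrong_checkin": wrong_checkin, "returned": returned,
        "rotated": after_rotation is not None and after_rotation != "initial-secret",
        "expired": expired,
        "denied_events": sum(1 for e in vault.audit if not e["ok"]),
        "events": len(vault.audit),
    }


if __name__ == "__main__":
    for event in PrivilegedVault({"root@db-prod": "x"}).audit:
        print(event)
    print(demo())
```

The point of the scenario is that the vault’s value comes from the rules around the secret, not from storing it: the second admin cannot take an account that is already held, a lease longer than policy is refused, a non-holder cannot check in, and the secret alice used is useless to anyone after she returns it. The audit list records denials as well as successes, which is what the Monitoring/Audit item needs for investigations.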
Why do so many EIAM projects fail? As the definition above makes clear, successful EIAM must account for roles and responsibilities, business processes and technology. When any of these is glossed over, or worse, ignored entirely, the chances of failure increase dramatically. Access management is a security capability that crosses the boundary between business and technology, and it requires the business stakeholders to be involved from day one. No single technology is likely to satisfy 100% of your access management requirements, so it is important to have a well thought out strategy for how you will provide effective EIAM to your company. You must know your risk appetite, your regulatory and compliance requirements, and the level of control required to protect your critical assets while still letting users perform their jobs uninterrupted. Easy huh? No, not easy, but manageable if approached the right way. So given all these challenges, how can we increase our chances of successfully providing effective EIAM at our company?
1. Understand your risk appetite and compliance requirements
Many factors, such as your industry, business model, products and services, shape your operational risk: how likely you are to be targeted by APTs, which regulatory standards apply to you, and which access controls you are required to have. The more highly regulated or sensitive your business is (e.g. financial services), the less appetite you are likely to have for risk, which in turn calls for stronger access controls. It is important to have clear visibility of your risks, compliance obligations and required controls before you kick off your EIAM project.
2. Define roles and responsibilities for key stakeholders
Many access decisions, such as which entitlements a role carries, are business decisions that need to be made collaboratively between business and IT stakeholders. Successful EIAM projects require a proper governance model with a clearly defined RACI (responsible, accountable, consulted and informed) for both business and IT stakeholders. Critical decisions must be made jointly to ensure the outcome is sustainable, viable and actually necessary to protect business operations. The lack of a governance steering committee on an EIAM project is an obvious red flag and needs to be remediated immediately. Governance provides the managerial oversight, decision making and leadership required for effective EIAM, and ideally it continues after the project ends and the EIAM solution has “gone live”.
3. Plan for changes to business processes
New access management solutions can significantly change business processes: how users log in to business applications, what they can access and do in those applications, and more. Involving business stakeholders early in the EIAM project helps mitigate the risk that these changes hurt productivity, but each affected business process should still be reviewed so that the true impact of the changes is understood and addressed. If changes to business processes are glossed over or ignored altogether, the result is consternation among users and reduced adoption of the new EIAM solution, or worse. Depending on the complexity of your business, the changes and their impact on processes may be far from trivial and will require a proportionate level of effort to minimize disruption.
4. Pick the right technology partner
As previously mentioned, it is very unlikely that a single technology product or service will satisfy all your EIAM needs. There simply is no technology panacea, so it is imperative that you identify the product or service that best satisfies each business requirement for access management. The same is true for implementation partners: select a partner with a demonstrated track record of successful EIAM delivery, who understands the potential pitfalls and how to avoid them. When selecting a technology vendor, consider the maturity of the vendor, the size and nature of their customer base, and how quickly and well they respond to risks and issues in their products and services.
5. Set a good infrastructure foundation
The high rate of cloud adoption is driving increasingly complex and federated business solutions. Many companies find themselves with multiple access management tools, domain controllers, Active Directory instances, protocols and other infrastructure services that make effective oversight and management challenging. Establishing good change control and infrastructure hygiene as early as possible is an important prerequisite for successful EIAM. At a minimum, your company should define infrastructure principles and standards, including architecture patterns for access management, that reduce complexity and attack surface, increase sustainability and quality of service, and ultimately protect the business.
In summary, successful EIAM requires considering more than just the enabling technology. You are unlikely to find a single technology product or service that satisfies all your access requirements. Furthermore, any new access management product or service you introduce will very likely change current business processes and job functions, so plan for this up front. A clear understanding of your risks and compliance requirements is a critical factor in designing a fit-for-purpose EIAM capability. Managerial governance ensures that the appropriate level of executive sponsorship, decision making and support is available. Choosing the right partner(s), with a demonstrated ability to deliver EIAM successfully, is equally important. Lastly, addressing your infrastructure (including hybrid cloud environments) to provide a solid technology foundation for your future-state EIAM will dramatically increase your chances of a successful deployment. Following these leading practices will make for a smoother EIAM project and improve the likelihood of success.