The Journey to IAM Success
Identity and Access Management (IAM) is a framework that integrates business process and policy with technology to ensure the right people have the right access to the right data and do the right thing at the right time for the right reason. Over the past decade, IAM has shifted from being driven by end-user experience, operational efficiency and regulatory compliance to being a key strategy that focuses on reducing risk and enhancing an organization's overall security posture. When an IAM program is done well, it brings significant business value to multiple stakeholders within the organization. However, a lot can go wrong with an IAM program if it is not planned well. With more than 10 years of experience in IAM advisory and project implementation, we summarize the most common pitfalls of an IAM program to help you strategize better during planning and avoid these risks on your IAM journey.
"Identity security is not a one-time project; it is a journey. A journey that includes a series of initiatives incorporating strategy, capabilities, vision, people, process and technology to continuously address the ever-changing identity landscape of the business."
1. Lack of defined IAM roadmap
It is important to understand that a multi-phased approach is expected in an IAM program. Because of this, different stakeholders gain business benefits in different phases and on different timelines. For example, if you start the IAM program by introducing a self-service password management service, the help desk team and end users are the stakeholders who benefit immediately: it reduces the high volume of help desk tickets and increases user productivity at the same time. As soon as each stakeholder group understands how IAM benefits them, you may quickly find that every IAM service becomes important and the immediate challenge is what to prioritize. Without a well-defined IAM roadmap, stakeholder support will soon start to falter, turning the early excitement into a slump. It is therefore extremely important for the organization to build a defined IAM roadmap and use it as a guiding principle for communicating to the respective stakeholders which IAM services will be delivered, by when, and with what impacts and benefits to whom. Expect business priorities to change over time, and other factors such as technical complexity to emerge, so the IAM roadmap needs to be re-assessed periodically and adjusted to align with changing organizational needs.
2. Lack of strong executive sponsorship
IAM is a program that impacts everyone in an organization. From the onboarding process for a new joiner, through role changes, to the offboarding process, it involves multiple stakeholders across different departments. An IAM program is about business process re-engineering, which leads to changes that can affect the cultural adoption of certain practices or even cause conflict between departments. Managing this effectively requires the appointment of an IAM program owner, backed by a strong executive sponsor who has the authority and internal respect, and who is willing to become the change agent driving the transformation towards a successful IAM journey. The IAM program owner needs to be a leader who is highly respected within the organization and has good relationships across multiple stakeholders and departments. The IAM program owner is responsible for leading the IAM initiatives, discussing and negotiating prioritization across multiple stakeholders, understanding the current gaps and striving for an objective-oriented solution to close them, and establishing a clear communication plan to keep senior management and the respective stakeholders informed of program progress. Finding quick-win value to deliver at an early stage of your IAM program is important to ensure the executive sponsor has the confidence and trust to continue supporting and funding the program.
3. Not engaging the right key stakeholders
A successful IAM program is everyone's responsibility; it is a business initiative. If the program is driven solely by the IT or security team, expect many gaps in delivery, as that team may not have a complete understanding of the business processes and application inventory details, especially if the current IAM operating model is managed by each application team in a siloed manner. Meanwhile, having too many people involved without a clear definition of objectives and responsibilities hurts productivity and leads to disengagement. Common stakeholders of an IAM program include the IAM program owner, application/system owners, the security operations team, the HR team, governance and risk management, enterprise architects, business unit management, the IT help desk team, the IT infrastructure and network team, application developers, data owners, process owners and end-user representatives. When designing an IAM program, be sure to set the right expectations with the key stakeholders about when they will be involved and what is expected from them; a well-defined IAM roadmap obviously helps with this. For example, the HR team's involvement is crucial in discussing and understanding identity context and mapping and the user onboarding/offboarding process, but they are not needed for the access review governance use case.
4. One-time "deploy and finish" approach
If you take a "boil the ocean" approach, including everything (all applications and IAM use cases) in a single project and expecting it to be delivered in a very short timeline, say 6 months to integrate 30 applications and deliver access review governance and lifecycle provisioning/de-provisioning use cases, you will very soon realize that the timeline is unrealistic. You are almost guaranteed to fail in your IAM program for several reasons: scope creep, disengaged stakeholders, resource drain, integration complexity, poor business processes, change adoption and, ultimately, an inability to justify the return on investment given the high project cost. Instead, look for quick-win opportunities, especially at the early stage of your program: start small and grow bigger. Quick wins should be delivered within 3-6 months, and subsequent phases should each be kept within 6 months (the shorter the better). Each phase should have a clear objective stating what it is expected to deliver.
5. Focus too much on technology & features
Organizations often think that implementing IAM technology will solve all their identity issues. We have seen too many organizations focus heavily on the technology or on advanced features, ending up with a limited view of the overall business value of their IAM initiatives and struggling to capture the maximum gains. For example, real-time provisioning capability is available in any IAM technology (that's a given by default!), but when it comes to actual implementation, the organization may need to tweak its current HR process so that new-joiner data is available on a daily basis (instead of monthly!), and changing that process itself may take weeks or months, extending the timeline of the IAM implementation. Another example: organizations demand advanced predictive role-engineering capability from the IAM technology when in fact their role management maturity is rather low and they still adopt a low-level entitlement approach. Watch out, too, for different IAM technology vendors having different licensing models: some bundle identity governance and lifecycle as a suite, while others let you purchase by module, which makes the investment easier to justify. If you start your IAM program with identity governance, why should you pay for an identity lifecycle license? A well-defined IAM roadmap therefore helps you plan a better financial model for your IAM program.
A successful IAM program focuses on vision, strategy, process and governance first, and then picks the right technology to fit the requirements, not the other way round!
6. Poor privileged access management
Common gaps in managing privileged access in many organizations include standing privileged access, sharing of privileged accounts, unmanaged machine identities (service accounts, SSH keys, bot access), a high volume of orphaned accounts, lack of visibility into privileged user activities, outdated asset inventory, etc. Without proper control over privileged access, these gaps lead to serious security vulnerabilities, compliance violations and business risk. A good privileged access management (PAM) control safeguards privileged credentials in a secure vault, establishes policy and workflow to grant privileged access only on an as-needed basis, and eliminates exposure of privileged credentials through session management technology that brokers the user's session to the designated target systems, with session recording and monitoring capabilities. Be sure to have a proper plan for your PAM program rollout and adoption, as you are taking away the easiest path your administrators currently use to do their work! Also, PAM is not a one-time project: you need to establish a standard procedure to continuously onboard new assets and credentials into PAM.
7. Application integration complexity
One key thing to note: many IAM vendors will tell you how easy the integration path between your application and the IAM system is using standard mechanisms such as APIs, database connectors, SAML, OIDC, RADIUS, etc. At the same time, many organizations do not keep track of application inventory details. As a result, too many assumptions are made about the integration context, and often the assumed integration approach turns out not to be feasible, incurring additional cost to get the application ready before the actual integration can start. Does your application provide a REST API? If yes, what functions are available? Does it have a user management function, and if not, how much does it cost to build one? Do you allow direct integration with the database? Are there encrypted values in database fields such as passwords? What is the encryption algorithm? Is there a unique identifier for identity mapping between the application and the HRMS? Which applications are on the technology-refresh roadmap? Which applications will be sunset soon? How do you connect to your cloud applications?
Having a good understanding of your application landscape helps you prioritize which applications are ready to be integrated into your IAM program.
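Several of the gaps named in sections 6 and 7 (orphaned accounts, standing privileged access, and the lack of a unique identifier for mapping application accounts to the HRMS) can be surfaced with a simple reconciliation of an application's account export against the HR feed. The following is an added illustration, not code from the original article or from Cydentiq; the HR feed, the account export and the `employee_id` mapping key are all constructed sample data.

```python
"""Reconcile an application account export against an HR feed to flag
orphaned accounts, unmapped accounts and standing privileged access."""
from datetime import date

# Constructed sample HR feed. 'employee_id' is the assumed unique identifier
# shared between the HRMS and the application (the mapping key asked about above).
HR_FEED = [
    {"employee_id": "E100", "status": "active"},
    {"employee_id": "E200", "status": "terminated"},
]

# Constructed sample application account export. 'expires' is None for
# access with no end date, i.e. standing access.
APP_ACCOUNTS = [
    {"username": "alice", "employee_id": "E100", "privileged": True, "expires": None},
    {"username": "bob", "employee_id": "E200", "privileged": False, "expires": None},
    {"username": "svc_backup", "employee_id": None, "privileged": True, "expires": None},
    {"username": "carol", "employee_id": "E100", "privileged": True, "expires": date(2099, 1, 1)},
]


def reconcile(hr_feed, app_accounts, today=None):
    """Return a list of (username, finding) tuples for the gaps detected."""
    today = today or date.today()
    hr_status = {row["employee_id"]: row["status"] for row in hr_feed}
    findings = []
    for acct in app_accounts:
        emp = acct.get("employee_id")
        if emp is None:
            # No HRMS key at all: unmapped account or unmanaged machine identity.
            findings.append((acct["username"], "no HRMS identifier (unmapped or machine identity)"))
        elif hr_status.get(emp) != "active":
            # Owner unknown to HR or no longer active: an orphaned account.
            findings.append((acct["username"], "orphaned: owner not active in HR"))
        if acct.get("privileged"):
            if acct.get("expires") is None:
                findings.append((acct["username"], "standing privileged access (no expiry)"))
            elif acct["expires"] < today:
                findings.append((acct["username"], "privileged access past expiry, not revoked"))
    return findings


if __name__ == "__main__":
    for username, finding in reconcile(HR_FEED, APP_ACCOUNTS):
        print(f"{username}: {finding}")
```

On the sample data this reports alice (standing privileged access), bob (orphaned), and svc_backup (no HRMS identifier and standing privileged access), while carol's time-bound privileged access produces no finding.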
8. Focusing 80% of the effort on making it perfect, which leads to 20% of the result
We all know that automation is key in an IAM program: it not only increases operational efficiency but also improves compliance posture by reducing human error. We have seen many organizations focus on making things perfect, or on automating bad processes, which does not produce tangible outcomes as they go deeper. For example, it makes little sense to build an API to achieve full automation for a legacy application used by merely 5% of the users in the organization. Another common scenario is organizations that spend too much effort and time customizing the tool to fit their existing practices, workflows or even look-and-feel (UI/UX), which leads to expensive upgrades and daunting maintenance later.
Instead, we recommend spending some effort analyzing each requirement: Is it mandatory? Is there any other option? Is it worth the customization? Is this the right opportunity to optimize your current business process based on best practice? What is the advantage of adopting the new approach?
There is a reason it's called the 80/20 rule. Don't aim for perfection; there may be a small gap in a particular solution, so be open to discussing and accepting new ideas and suggestions. Do the impact and risk assessment, and implement a compensating control to address the gap if needed.
9. Siloed approach - not strategic enough to scale for future needs
Identity silos are another common pitfall we see in many organizations. As we assess the maturity of the IAM landscape in an organization, here's what we discovered:
Instead, we recommend that organizations conduct a maturity assessment to examine the current state against best practice, understand the latest IAM trends and landscape, and build a strategic roadmap that lays a good foundation for the IAM program and ensures it is practical, sustainable and scalable to meet current and future needs. Watch the new IAM market trend of identity fabric, which some new or modern IAM vendors have adopted under a converged platform.
10. Resistance to change
Change is expected in an IAM program. We have not seen any successful IAM program without change. Many organizations tend to cling to the current process and workflow, which may have been in place for the past few decades. As a result, they struggle to adopt that "old" practice with a modern IAM tool, spend additional effort and time customizing the IAM tool to fit the "old" practice, or, worse, wait a few more years for an IAM tool replacement. Another typical form of resistance is user adoption of MFA: we have seen an organization take up to 1 year to complete MFA enforcement just because some users were not willing to enrol and adopt the new way of authenticating.
Change can be driven top-down, starting from leadership that believes the change is for the better and puts words into action on the ground to implement culture change.
How Cydentiq can help
The identity professionals at Cydentiq have more than 10 years of practical experience helping organizations achieve their IAM program goals. Whether your vision is about operational efficiency, user productivity, risk reduction, regulatory compliance or privileged access management, Cydentiq has a proven IAM methodology and framework to help organizations avoid the common IAM pitfalls and establish their IAM journey with confidence.
Our holistic identity security services are ready for you
With Cydentiq's proven customer success methodology, consisting of a Plan, Build, Run and Scale approach, combined with our exclusive focus on the identity security domain, vendor-agnostic advisory services, deep implementation experience and managed services capabilities, we are ready and confident to help you build a successful IAM journey ahead.
Find out more at https://www.cydentiq.com or contact us at [email protected]
AD protection and recovery as well.