Lessons learned from successful Enterprise Identity and Access Management Projects at Program level, part 1/3
Enterprise Identity and Access Management


Before going into the details, let's agree on the foundational definitions of Identity & Access Management. Allow me to say that the line between what defines Identity and what defines Access is something of a moving target, and the field is commonly referred to by a mix of names (SSO, IDM, IAM, IDAM, IDG); however:

Access Management: Takes care of Authentication and of high-level Authorization at the URL level, to allow central management of access to multiple applications. This can be made seamless to achieve SSO, and the authentication can grow in complexity into Second-factor Authentication and then Multi-factor Authentication (MFA), which can be combined with Adaptive Authentication, including Behavioural, Risk-based or Attribute-based authentication.

Identity Management or Governance: Takes care of the medium- to low-level Authorizations. It starts with system-to-system integration to allow central management of the Users' Profiles, which contain Roles, Entitlements and Privileges, in order to achieve Identity Lifecycle Management (Enrollment, Provisioning, Moving and De-provisioning). The Identity Manager needs to integrate with at least one "Source" for user attributes, ideally the Human Resource Management System (HRMS) for internal employees and/or the CRM for external customer users; on the target side, it can integrate with multiple "Target" applications to manage the users' identity lifecycle within each of them.

Confusing enough! Let's simplify it by saying that Access Management is the key to the room, and Identity Management is what you can do in that room.
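As an added example (not code from the article), the Identity Management side described above carried through in Python: a reconciliation of an HRMS "Source" extract against one "Target" application's accounts that derives the joiner, mover, leaver and orphan actions. The record shapes, role names and entitlement strings are assumptions.

```python
# Added example, not code from the article: a minimal Joiner / Mover / Leaver
# reconciliation between an HRMS "source" extract and one "target" application's
# accounts, i.e. the Enrollment, Provisioning, Moving and De-provisioning steps the
# article describes. Record shapes, roles and entitlement strings are assumed.
# Assumed role model: the HR role decides which entitlements the target account holds.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:ledger-read", "erp:reports"},
    "finance-manager": {"erp:ledger-read", "erp:ledger-approve", "erp:reports"},
    "engineer": {"erp:reports"},
}

def reconcile(source, target):
    """source: {employee_id: {"role": str, "active": bool}} from the HRMS.
    target: {employee_id: {"entitlements": set, "enabled": bool}} from the application.
    Returns the ordered actions (kind, employee_id, detail) that make target match
    source; kind is one of create / update / disable."""
    actions = []
    for emp_id, rec in source.items():
        acct = target.get(emp_id)
        if not rec["active"]:                          # leaver: HR says gone, account still on
            if acct is not None and acct["enabled"]:
                actions.append(("disable", emp_id, "leaver"))
            continue
        wanted = ROLE_ENTITLEMENTS.get(rec["role"], set())
        if acct is None:                               # joiner: enrol and provision from role
            actions.append(("create", emp_id, sorted(wanted)))
        elif acct["entitlements"] != wanted or not acct["enabled"]:   # mover or drift
            actions.append(("update", emp_id, {
                "add": sorted(wanted - acct["entitlements"]),
                "remove": sorted(acct["entitlements"] - wanted),
                "enable": not acct["enabled"]}))
    for emp_id, acct in target.items():                # orphan: account with no HR identity
        if emp_id not in source and acct["enabled"]:
            actions.append(("disable", emp_id, "orphan"))
    return actions

SAMPLE_SOURCE = {                                      # constructed HRMS extract
    "E100": {"role": "finance-manager", "active": True},   # mover: promoted from analyst
    "E101": {"role": "engineer", "active": True},          # joiner: no account yet
    "E102": {"role": "finance-analyst", "active": False},  # leaver: still enabled downstream
}
SAMPLE_TARGET = {                                      # constructed target account list
    "E100": {"entitlements": {"erp:ledger-read", "erp:reports"}, "enabled": True},
    "E102": {"entitlements": {"erp:ledger-read", "erp:reports"}, "enabled": True},
    "X999": {"entitlements": {"erp:reports"}, "enabled": True},  # orphan: nobody in HR
}

def demo():
    return reconcile(SAMPLE_SOURCE, SAMPLE_TARGET)
```

Running `demo()` yields one update (the promotion), one create (the joiner) and two disables (the leaver and the orphan account), which is exactly the "who has access to what" answer the Security Dept. asks for later in the article.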



From my experience in medium- to large-scale Enterprise Identity and Access Management projects since 2011, where I supervised multiple projects at Program level, I kept updating my "Lessons Learned", and here we start:

1- Get senior management sponsorship and involvement, because IAM will apply controls around People, Systems and Processes.

2- Be aware that IAM will touch many aspects of the organization and will have many internal and potentially external stakeholders, which implies having a solid communication plan to facilitate the required coordination and collaboration.

3- Avoid a big-bang approach and slice your project into multiple phases; use an Agile methodology, or even handle it as a Program.

4- Identify and select a solid implementation service provider with proven experience and references, and get the Vendor's endorsement, which can extend to interviewing the project manpower; avoid a time-and-material approach.

5- Start with an inventory of your applications and capture some basic information about each, to help you prioritize, know the number of internal and external users per application, and identify the business owner of each application.

6- Align early with relevant organizational objectives, for example: the IT Dept. needs to reduce password-reset tickets; the Security Dept. needs to know who has access to what at any point in time, or to achieve better compliance with the Saudi National Cybersecurity Authority Essential Cybersecurity Controls (NCA-ECC) or GDPR; the Business Dept. needs to achieve SSO.

7- Keep in mind that, following our definitions above, Access Management is not the same as Identity Management. Some of your applications can be covered by Access, by Identity, or by both, and you can start with either; there is no right or wrong here, it is about your organization's objectives. Generally speaking, highly regulated entities, or ones with a large number of users and applications, would start with Identity Management to achieve compliance and reduce the IT load of managing users, while entities whose objective is making business users happier would start with Access Management to achieve SSO. You need to decide which applications are to be covered by Access and/or Identity Management.

8- Conduct an early integration feasibility assessment. The importance of this step becomes clear during system-level integration between IAM and the applications in scope, so the earlier the integration assessment is conducted, the better. For example: the Identity Manager needs to integrate with the users' profiles, which must be exposable from the target application(s), so be very keen to select a Vendor with the largest number of out-of-the-box (OOTB) identity connectors for your target applications, by version, whether they are commercial-off-the-shelf (COTS) or built in-house. Equally, the Access Manager needs to integrate with the web tier of the applications, either through version-based agents or through the applications being standards-ready for the likes of SAML, OAuth and OpenID Connect.

I will stop here for this article and will come back to you soon with part 2/3 to drill down a bit into the concepts and recommended approaches.


Digital Identity is foundational to Digital Transformation

Ahmed Diry

Chief Catalyst , Manufacturing Change

4 years

Lessons well learned, Ahmad

Mohammed Abdulaziz Jeelani

Manager - Cybersecurity Defense & Response @ KPMG; I help my clients solve challenges around Security Operations & Incident Response; Certified in GCIH, ECIH, CEH, CCNA & CCNP; currently preparing for GCFA.

4 years

Thanks for sharing these insights.
