ISACA’s 10th Annual Geek Week Conference in Atlanta, GA featured speakers across a wide range of security topics, from Risk Management to Penetration Testing. During the conference, policy and technical tracks provided a forum for participants to exchange experiences from the front lines of IT security, including industry best practices and ways to drive both accountability and effectiveness for security programs within the organization. The week-long event included plenary and panel sessions, practical workshops and technology demonstrations.
I had the opportunity to lead a session during the conference. This summary presents the key themes, ideas, and considerations that emerged from our Identity Management Presentation at the conference.
Overview of Key IAM Challenges
1. Poor Data Quality
Identity Management relies on accurate data to determine who a person is, define their relationship to the organization, and establish what systems, applications, and assets they are entitled to have. Without accurate user information, realizing the benefits of Identity Management is impossible. If the underlying data is incorrect, then users will be provisioned to the wrong applications and access approval requests will be sent to the wrong managers.
2. Process Misalignment
HR processes for onboarding and off-boarding must work seamlessly with the IAM system. If the service level agreements (SLAs) are misaligned between HR and IT, service levels can degrade.
For example, if we tightly integrate HR’s creation of the worker in the HRIS with the creation of the user’s IT accounts and assets, then we have a dependency on the HR processes that did not exist before. The challenge occurs because HR’s SLAs are focused on completing onboarding before the worker’s first paycheck cycle, not the first day of work. If the HR data is not there, then none of the worker’s accounts or assets will be provisioned. The key takeaway is to align onboarding processes with worker provisioning.
3. Stakeholder Risks
Stakeholders are an important asset and are critical to the success of any Identity and Access Management program. Few IT projects have such far-reaching scope as Identity Management (IAM) engagements, touching stakeholders across all business domains. Too often, key stakeholders are left out of the planning process, which leads to surprises. Surprise and preparation rarely go hand in hand.
We have seen IAM projects where very few business stakeholders are involved in the requirements/design/build process. This leads to missed requirements and a lack of buy-in, and puts IAM at risk of failure.
At one organization, HR was engaged very late in the project and had concerns about whether the policies and processes in the IdM solution were accurate and supported operational objectives. Worse, they were reluctant to change their onboarding processes, which led to clunky workflow-based processes, or workarounds, that were replete with errors and required additional staff to support.
4. Scope Creep
The breadth of IAM’s reach is also a challenge as new requirements spring up from various departments in the organization. These can rapidly overwhelm a project. IAM projects usually start with a simple goal, such as automating user on-boarding and off-boarding, and they often devolve into an overwhelming number of requirements far afield of the original scope. Adding in additional user classes (e.g., contractors, partners, suppliers) or organizations (e.g., subsidiaries) late in the project is a recipe for disaster.
Focus on building the foundation and develop a road map that shows when additional integrations and functionality will be delivered. The road map will help reduce the pressure to expand scope by capturing the requirement and showing where it fits into the overall plan.
Strategic planning is critical for managing this complex change, and high-level strategy development and steering committees are needed to ensure success. IAM is a standard part of the IT infrastructure and requires a deeper integration of technology into the architecture of the business. As we have observed, technology changes quickly, so it is not enough to have a strategic plan and road map. Organizations must have strategic planning processes that are embedded, responsive, and continuous to be able to adapt to the ever-changing business landscape and build an effective IAM environment.
Here are seven elements to include in your Strategic Plan/Road Map:
- Narrowly defined scope for the first phase to build the IAM Foundation
- Establish your scope and budget across the program
- Review current state processes and define future state processes to support IAM
- Include time for data quality analysis and remediation
- Communication and engagement with stakeholders by workstream
- Identify cross-workstream dependencies
- Establish Governance Structures