Selecting a vendor for your Identity Management solution can be an overwhelming task. The market is crowded, product functionality covers a wide range of features, and the investment in both money and time is guaranteed to lock in the business for 2-3 years.
If the chosen product comes up short in a key area, the impact on your organization can be profound.
A major financial institution selected an IAM solution primarily on its ability to provide superior governance and compliance functionality. The solution did indeed perform well in these areas, simplifying segregation of duties, privileged account management, and compliance reporting.
While stellar in this one dimension, the chosen solution had a major deficit: its ability to provision user accounts was immature and often failed, which caused the organization a great deal of pain. Provisioning users to systems and applications required manual intervention and was inconsistent, error-prone, and difficult to manage.
To address this shortcoming, a second product was implemented to automate provisioning. While this solution solved the provisioning problem, the new tool did not integrate well with the first product.
The end result? The organization had to implement a set of scripts and manual processes to move data from one tool to the other to support its governance and compliance requirements.
How can we avoid missing a key requirement and stop ourselves from making a bad choice? What then should a buyer keep in mind? I believe the answer to this question lies in three basic concepts: minimizing uncertainty, understanding the challenges, and determining criteria that matter.
The basic question is “What is the problem we are trying to solve?”. The answer, however, depends on where you sit at the boardroom table. The better we can define the problem and engage the different areas of the business in the decision, the more likely we are to understand what we need from our solution. The key is to cast a wide net and engage stakeholders across the organization to solicit their input.
Two Tips to Minimize Uncertainty
We suggest taking a page out of the Concurrent Engineering playbook and pulling together a cross-functional team of stakeholders from across the organization to conduct an IAM Assessment, or better yet, develop an IAM Strategy.
- Engage representatives from different business and IT groups (IT Operations, Security, HR, Business Managers) to identify key functionality, uncover issues, prioritize IAM opportunities, and consider trade-offs in cost & design choices. By engaging people from different functional areas you can socialize the benefits, identify and address any issues, and start building consensus on what the tool needs to do to be successful.
- Develop an IAM Strategy to set direction for the organization and support product selection. Key outcomes:
  - Identify opportunities and set priorities
  - Define dependencies and the sequence of projects to deliver the most value
  - Allocate resources based on input from key leaders/stakeholders who represent the business and IT
Understand the Challenges
The organization must come to grips with the fundamental problems it is trying to solve with its IAM product. The successful performance of the solution depends on a complete understanding of the business, and the key challenges the organization is facing should be surfaced before a product is selected. While technical analysis is critical, a functional evaluation against the business requirements is just as important to the overall decision-making process. A solution must be assessed by its impact on the business, IT, and provisioning processes.
Two Tips to Understand the Challenges
- Map your processes for Onboarding, Offboarding, and all the provisioning tasks that are tied to those processes. Validate the processes with HR, Business Owners, and IT support and operations. This approach will build a common understanding about the current state.
- Gather requirements and input across functional areas in Business and IT. For example:
  - Are the administrative tools sufficient to manage user accounts effectively?
  - Are production requirements consistent with existing capacity?
  - What are the most frequent support issues (password reset, RSA token / VPN), and do they lack self-service tools?
  - What are the access requirements for support staff?
  - What are the audit/reporting requirements?
  - When is an employee created in the HRIS system?
  - How will HR procedures affect downstream logical access? (For example, what happens if a transaction is cancelled?)
Determine Criteria That Matter
An IAM solution can only be selected properly when vetted against the organization’s core requirements. To reduce an overwhelming evaluation process to a manageable one, organizations should start with the basics: a clear definition of IAM objectives, user types (employees, contractors, partners, customers), business processes involved, and metrics used to assess provisioning success or failure.
After agreeing upon basics with key stakeholders, IT managers should then evaluate vendor offerings with a thorough understanding of the existing infrastructure and of the IAM technologies necessary to achieve the defined goals, purposes and metrics.
Vendor selection decisions are typically driven by IT alone. This fact, combined with a lack of clear definitions, conflicting purposes, unclear objectives, high expectations and confusing marketing claims, leads to long lists of evaluation criteria when IT managers consider IAM solutions. IT decision-makers need to focus on the selection criteria that substantially improve provisioning processes and those that matter most to the business purposes the product will support.
The main difficulty in prioritizing criteria is distinguishing low-level, check-box items from capabilities that positively impact business processes. Organizations should evaluate IAM products using criteria that will affect the way their business operates, not those simply found on a vendor’s spec sheet or a third-party review.
For example, integration with Active Directory is always listed as a key IAM function. However, many products have a top-down architecture that can break a user’s access if administrators make changes directly in Active Directory (direct AD administration is often desirable in large organizations). There is a significant improvement in both the administrative and user experience if the integration is bi-directional, allowing administrators to make changes in AD that IAM synchronizes up into the user store.
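The following toy simulation, added here and not part of the original article or any vendor's product, contrasts the two integration styles described above: a one-way (top-down) push in which the IAM store is authoritative and silently overwrites an administrator's direct AD change, versus a bi-directional reconciliation that absorbs the AD-side change into the IAM store and surfaces it as drift for review. All user names, group names and data structures are constructed for illustration.

```python
"""Toy model of top-down vs bi-directional IAM <-> AD group synchronisation.
Constructed example: users, groups and the dict-based 'directories' are hypothetical."""
from copy import deepcopy

# Constructed snapshots: what the IAM user store believes, and what is live in AD.
# Each directory maps a user id to the set of groups (entitlements) they hold.
IAM_STORE = {"alice": {"staff", "vpn-users"}}
AD = deepcopy(IAM_STORE)


def admin_edits_ad_directly(ad):
    """An AD administrator grants access out-of-band, bypassing the IAM tool."""
    ad = deepcopy(ad)
    ad["alice"].add("finance-app")
    return ad


def top_down_sync(iam, ad):
    """One-way push: IAM is authoritative, so AD is overwritten with IAM's view.
    Anything granted directly in AD is lost on the next run, breaking access."""
    return deepcopy(iam)


def bidirectional_sync(iam, ad):
    """Reconcile both sides: groups present in AD but unknown to IAM are pulled up
    into the IAM store (so governance/reporting can see them) and recorded as drift,
    then the merged view is pushed back to AD. Returns (new_iam, new_ad, drift)."""
    iam, ad = deepcopy(iam), deepcopy(ad)
    drift = {}
    for user in iam.keys() | ad.keys():
        added_in_ad = ad.get(user, set()) - iam.get(user, set())
        if added_in_ad:
            drift[user] = sorted(added_in_ad)          # surfaced for review/attestation
            iam.setdefault(user, set()).update(added_in_ad)  # absorb rather than clobber
    return iam, deepcopy(iam), drift


def demo():
    """Run both strategies against the same out-of-band AD change."""
    ad_live = admin_edits_ad_directly(AD)
    ad_after_top_down = top_down_sync(IAM_STORE, ad_live)
    _, ad_after_bidir, drift = bidirectional_sync(IAM_STORE, ad_live)
    return {
        "top_down_keeps_grant": "finance-app" in ad_after_top_down["alice"],
        "bidir_keeps_grant": "finance-app" in ad_after_bidir["alice"],
        "drift": drift,
    }


if __name__ == "__main__":
    print(demo())
```

The drift report is the part a governance team cares about: a bi-directional design turns an invisible out-of-band grant into something that can be reviewed and attested rather than silently reverted.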
Questions directed at process or resource requirements will separate the technically interesting features from those that impact implementation timelines and success.
Four Tips to Determine Decision Criteria
Often IAM vendor evaluations target specialized features in narrow business cases and neglect quantifiable, enterprise-oriented business objectives. This challenge was outlined in the case study above. Instead, organizations should focus on only those criteria that:
- Meet the needs of the business as defined with the highest returns (improved productivity, reduced licensing costs)
- Result in measurable differences to the business (improved SLAs, less rework)
- Substantially improve business processes (user provisioning, compliance)
- Sort out vendor strengths and weaknesses (Evaluate where a product is in its maturity lifecycle)