By: Tony Naples, Director IAM, Trace3
As the acceleration of the Internet of Things (IoT) and mobile computing continues at an incredible pace, organizations of all sizes are shifting away from traditional notions of perimeter security to an identity-based security approach. As businesses evaluate identity and access management (IAM) products to assist with implementing this approach, the desire to achieve the benefits often quickly overshadows the question of whether the organization is ready to implement an IAM solution that delivers them.
So, what steps should information technology and security leadership take to be prepared?
Define User Roles: Determine if the organization’s information security strategy framework is inclusive of definitions of users’ roles; the types and scope of resource access entitlements those roles should and should not have; and policies that govern items such as password requirements, segregation of duties, who is allowed to request access, and account provisioning, just to name a few. In addition to ensuring these elements are present, you should validate that the key stakeholders and system owners are aware of them. This will speed creation of requirements and use cases that become the roadmap for the IAM solution deployment.
Validate Data Accuracy: Determine the accuracy of data in the systems to be integrated with the IAM solution. Duplicate employee or user account records, incomplete records, and a user record from one system that cannot be matched or correlated to that same user’s record from another system via a global user ID (GUID) will hinder the ability to establish a complete picture of a user’s identity across the enterprise.
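The checks described under Validate Data Accuracy, run against two system exports before integration. This is an added example, not part of the original post or any Trace3 tooling; the field names (guid, name, email, account), the sample records and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample exports (not real data); field names are assumptions.
HR = [
    {"guid": "E1001", "name": "Ana Ruiz", "email": "ana.ruiz@example.com"},
    {"guid": "E1002", "name": "Ben Cho", "email": ""},                        # incomplete
    {"guid": "E1003", "name": "Cy Dale", "email": "cy.dale@example.com"},
    {"guid": "E1003", "name": "Cyrus Dale", "email": "cy.dale@example.com"},  # duplicate
    {"guid": "E1004", "name": "Di Evans", "email": "di.evans@example.com"},
]
DIRECTORY = [
    {"guid": "e1001 ", "account": "aruiz"},   # same person, inconsistent formatting
    {"guid": "E1002", "account": "bcho"},
    {"guid": "E1003", "account": "cdale"},
    {"guid": "", "account": "svc-backup"},    # no GUID recorded
    {"guid": "E1999", "account": "jdoe"},     # GUID unknown to HR
]
REQUIRED_HR = ("guid", "name", "email")

def norm(guid):
    """Normalize a GUID so case/whitespace differences do not break correlation."""
    return (guid or "").strip().upper()

def readiness_report(hr, directory):
    """Return the data-quality findings that would block identity correlation."""
    by_guid = defaultdict(list)
    incomplete = []
    for rec in hr:
        # Incomplete record: any required attribute missing or blank.
        if any(not (rec.get(f) or "").strip() for f in REQUIRED_HR):
            incomplete.append(rec.get("guid") or rec.get("name"))
        if norm(rec.get("guid")):
            by_guid[norm(rec["guid"])].append(rec)
    # Duplicate record: more than one HR row claims the same GUID.
    duplicates = sorted(g for g, recs in by_guid.items() if len(recs) > 1)
    dir_guids = {norm(a["guid"]) for a in directory if norm(a["guid"])}
    # Uncorrelated accounts: directory entries with no matching HR identity.
    orphans = sorted(a["account"] for a in directory
                     if norm(a["guid"]) not in by_guid)
    return {
        "duplicate_guids": duplicates,
        "incomplete_hr_records": incomplete,
        "accounts_without_hr_match": orphans,
        "hr_users_without_account": sorted(set(by_guid) - dir_guids),
    }

if __name__ == "__main__":
    for finding, items in readiness_report(HR, DIRECTORY).items():
        print(f"{finding}: {items}")
```

Accounts that cannot be matched to an HR identity are the ones to resolve with system owners first, since no owner or role can be assigned to them until they are correlated.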
Evaluate Current Business Processes: Most organizations implement an IAM solution to strengthen their security posture and make the process of managing system access more efficient and effective. Determining which business processes are ripe for change or elimination, and what new processes can be deployed to take advantage of the IAM solution’s functions and features, will create tangible value and visible wins. Automating bad business processes is never a good idea, and with the immediate reach of most IAM solutions across many applications, the results can have unintended consequences.
Communicate Plans: Be sure all relevant parties are aware of the implementation and benefits of the IAM solution as early as possible. Most organizations have multiple security teams, each managing access for a particular application. While those employees may feel threatened by the deployment of this solution, they are integral to providing the institutional knowledge of how security processes are executed today, especially if today’s processes are not documented. Coupled with training, keeping staff involved, informed and engaged will help them become agents for the change.
Plan Ahead: Lastly, and probably most impactful to cost and schedule, take these steps before the solution deployment begins. Nothing slows a deployment more, or leaves resources sitting idle longer, than trying to determine role definitions, cleanse data, or have executive decisions made about policies after you’ve started to configure the solution.
If you are not sure where to start, invest in Trace3’s IAM Assessment and Workshop Service. This valuable exercise will provide leadership with insight on how to make an IAM solution deployment work for the entire organization.
In next week’s blog, I will share the Five Steps to Ensuring a Successful IAM Solution Deployment, which will cover all you need to know to help your organization have a successful project launch.