By: Tony Naples, Director IAM, Trace3
Most organizations implement an IAM solution to strengthen their security posture and make the process of managing system access more efficient and cost effective. Determining which business processes are ripe for enhancement or elimination, what processes can be automated, and what new business capabilities can be deployed to take advantage of the IAM solution’s functions and features will create tangible value and visible wins.
The challenge, however, is that the components of an identity (personally identifiable information, entitlements, roles, duties, attributes) have different owners across the enterprise. In addition, ownership of enterprise resources (applications, databases, data) are also spread across different owners. Each owner has different drivers, priorities and commitments.
In order to ensure business owners and security professionals inside of an organization understand the best way to support business and cybersecurity goals and objectives, we recommend creation of three foundational components of that comprehensive strategy:
The first, and probably most important, component Trace3 recommends an organization establish as part of the IAM strategy is the formal program charter. This document will set forth the goals, methods and resources of the IAM strategy, and if nothing else is produced or established, can be used as the strategy document. The purpose of the charter is to provide a comprehensive overview of all facets of the IAM program, usually within a three-year horizon. It provides executive-level overview inclusive of the program goals, program structure, planning approach, and overall implementation roadmap to achieve the goals of the strategy.
The second component Trace3 recommends an organization publish when developing an IAM program is an explicit alignment of what other efforts, activities and initiatives the IAM program will directly and indirectly support. This is the IAM Strategy Alignment Statement. The purpose of the alignment statement is to align specific IAM investments, IAM process and IAM technology control components to entries in the enterprise risk register, and to outline how specific IAM component investments (IT and/or non-IT) will mitigate those risks to an acceptable level.
The reach and impact of IAM solutions throughout and enterprise necessitates a cross-functional group that can coordinate the requirements, decisions, needs, considerations, and issues of all stakeholders in an identity-centric security solution. The third component Trace3 recommends is establishment of an IAM steering committee. The purpose of the committee is to help ensure continued alignment of efforts across the organization to satisfy those requirements, decisions, needs, considerations, and issues.
The three foundational components of an IAM program and strategy effectively outline a comprehensive collection of activities that need to be completed in order to put a program and strategy in place. By working through each of those activities an organization will gain clarity and understanding about not only the maturity of their existing program, but also about the willingness of the organization to accept a cross-functional, cross-organizational capability that in most cases was probably previously managed in in one department.
If you are not sure where to start, invest in Trace3’s IAM Assessment and Strategy Workshop Service. This valuable exercise will provide leadership with insight on how to make an IAM solution deployment work for the entire organization.
In next week’s blog, I will share the Five Steps to Preparing for a Successful IAM Solution Deployment, which will cover all you need to know to quickly and effectively make the switch to an identity-based security approach.