Applying appropriate and sufficient controls to manage user accounts and access rights is one of the most significant challenges in today’s enterprise IT environments.
Intentional or accidental misuse of IT-driven business processes by authorized users can have a severe impact on the enterprise and its competitive position. Vendors of Identity and Access Management (IAM) solutions tend to promise that their product will solve every challenge in maintaining access rights. Unfortunately, that is only half the truth.
Let’s take a quick look at five drivers of success for IAM programs.
1 Compliance with regulatory requirements
In recent years, auditors have found IAM processes a fruitful object of examination. With each new release of the relevant regulations and standards raising the bar, compliance becomes more and more challenging to achieve. Regulations either name requirements explicitly or refer to a standard that does so (e.g. ISO 27001/27002). Either way, there are various requirements organizations need to meet:
- Appropriate request and approval processes for granting access rights.
- Withdrawal of access rights on resignation or termination of employment, and adjustment of access rights on job change.
- Enforcement of separation of duties (e.g. separating the stock-trading front office from the back office).
- Periodic verification of granted access rights against an individual’s actual duties.
- Proper handling and monitoring of privileged access usage.
- A documented baseline for IAM processes and authorization concepts.
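The checks in that list are mechanical once the inputs exist: an entitlement export from the application, an HR roster, a role model and a list of toxic combinations. The following script is an added example, not code from the original article or from any IAM product; every user, job, system and entitlement name in it is constructed for illustration. It flags separation-of-duties conflicts, leavers who still hold access, accounts with no HR record, and entitlements outside the role model, which is the raw material a recertification campaign sends to managers.

```python
# Added example, not part of the original article: a minimal access review
# that checks an entitlement export against an HR roster, a role model and a
# separation-of-duties (SoD) matrix. All names and data below are constructed.
from datetime import date

# Date the review is run against (fixed here so the example is deterministic).
REVIEW_DATE = date(2024, 4, 1)

# Constructed HR roster: current job and, for leavers, the last working day.
HR_ROSTER = {
    "alice": {"job": "trader", "left": None},
    "bob": {"job": "settlement_clerk", "left": None},
    "carol": {"job": "trader", "left": date(2024, 3, 31)},
    "dave": {"job": "it_admin", "left": None},
}

# Constructed entitlement export from a hypothetical trading application.
ENTITLEMENTS = {
    "alice": {"TRADE_ENTRY", "TRADE_CONFIRM"},  # front- and back-office rights at once
    "bob": {"TRADE_CONFIRM"},
    "carol": {"TRADE_ENTRY"},                   # leaver whose account was never removed
    "dave": {"TRADE_ENTRY"},                    # entitlement outside the it_admin role
    "eve": {"TRADE_CONFIRM"},                   # account with no matching HR record
}

# Role model: the entitlements each job is expected to hold.
ROLE_MODEL = {
    "trader": {"TRADE_ENTRY"},
    "settlement_clerk": {"TRADE_CONFIRM"},
    "it_admin": set(),
}

# Toxic combinations that must never be held by a single person
# (front office enters trades, back office confirms them).
SOD_RULES = [frozenset({"TRADE_ENTRY", "TRADE_CONFIRM"})]


def find_sod_violations(entitlements, sod_rules):
    """Users holding every entitlement of at least one toxic combination."""
    return sorted(
        (user, tuple(sorted(rule)))
        for user, held in entitlements.items()
        for rule in sod_rules
        if rule <= held
    )


def find_leavers_with_access(entitlements, roster, as_of):
    """Users whose leaving date has passed but who still hold entitlements."""
    return sorted(
        user
        for user in entitlements
        if user in roster
        and roster[user]["left"] is not None
        and roster[user]["left"] < as_of
    )


def find_orphans(entitlements, roster):
    """Accounts in the application that no HR record explains."""
    return sorted(user for user in entitlements if user not in roster)


def find_out_of_role(entitlements, roster, role_model):
    """Entitlements a user holds beyond what the role model grants their job."""
    findings = {}
    for user, held in entitlements.items():
        if user not in roster:
            continue  # reported separately as an orphan
        expected = role_model.get(roster[user]["job"], set())
        extra = held - expected
        if extra:
            findings[user] = sorted(extra)
    return findings


def run_review(entitlements=ENTITLEMENTS, roster=HR_ROSTER,
               role_model=ROLE_MODEL, sod_rules=SOD_RULES, as_of=REVIEW_DATE):
    """Collect every finding a recertification campaign would send to managers."""
    return {
        "sod_violations": find_sod_violations(entitlements, sod_rules),
        "leavers_with_access": find_leavers_with_access(entitlements, roster, as_of),
        "orphans": find_orphans(entitlements, roster),
        "out_of_role": find_out_of_role(entitlements, roster, role_model),
    }


if __name__ == "__main__":
    for category, items in run_review().items():
        print(f"{category}: {items}")
```

In a real program the three inputs come from different owners (HR for the roster, the application owner for the export, the business for the role model and SoD matrix), and the value of the script lies less in the set arithmetic than in forcing those inputs to exist in machine-readable form; that is the "documented baseline" the last requirement above asks for.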
2 Focus on processes rather than technology
To tackle the challenges IAM poses, businesses need to look at the processes for maintaining users and their access rights. This is where any IAM program should start: with a pre-project that analyses current processes and procedures and uncovers both latent and obvious weaknesses and pain points.
Then companies can redesign IAM processes to ensure complete transparency and auditability. This automatically yields requirements for the supporting technical infrastructure, a list that can then be used to select an IAM vendor and product.
Be wary if your IT organization requests procurement of a tool before looking at IAM processes.
3 Security, cost reduction, user-friendliness
By fixing IAM processes and giving users access only to the information and IT functionality they need for their jobs, information security can be significantly improved. This is in fact why audits put such focus on IAM.
Furthermore, introducing proper IAM processes, and possibly a supporting IAM system, can significantly reduce IT operations costs through user self-service and automation of routine tasks. This not only lowers costs for the service desk and hands-on IT administration but also makes the user experience considerably more comfortable.
Often, users face different procedures for requesting access rights to different applications; managers have almost no tooling to review their teams’ access rights; administrators have to document requests manually using mail archives or ring binders (yes, I do mean paper-based procedures!). All of this can be significantly and quickly improved by introducing an IAM system.
4 Start small, think big
Most important is to set the right priorities for your organization’s IAM program and to derive from them the scope of the first project and a pipeline for the succeeding ones.
Business process analysis and redesign will show you which requirements to focus on first, and these should define the scope of the initial project. Depending on your organization, the scope could be one of the following (or something completely different):
- User self-service for requesting access rights for a set of pilot application systems
- Automation of on-boarding and off-boarding processes
- Setting up periodic recertification processes for business-critical applications
- Introducing functions for temporarily granting privileged access rights and monitoring their usage
- Federating access to your partner web portal for business partners
- Or only preparatory work to get ready for an IAM solution (e.g. housekeeping activities, documenting authorization concepts, creating a business role model for the corporation, etc.)
A common mistake is to put too much into the scope of the first project, overloading it with complexity and dependencies. The best advice is to keep a complete view of the target solution and start with a manageable amount of work. The first project will be complex anyway, as it has to introduce various new processes and technical interfaces.
5 Ensure sufficient funding and management support
Neither IAM product prices nor the costs of running IAM programs are negligible. But in most cases an IAM program will show a positive ROI after a few years, even when counting only direct effects such as reduced help desk and administration costs. Taking risk reduction into account, as in return-on-security-investment (ROSI) calculations, the return comes even sooner.
Strict budget constraints for an IAM program most often lead to the decision to focus on regulatory requirements and to postpone other targets. This frequently means removing from scope exactly the IAM functionality that would reduce operational costs (such as user self-service), which minimizes the ROI.
Management support for your IAM program is a critical success factor. Since the program will have to negotiate changes with various business units in your organization, it needs both the right competencies and backing from management. The change management an IAM program induces has to address in particular non-IT areas such as HR and business application owners, but also service desks, IT staff and various other projects.
Alexander Schellong is CSC’s General Manager Cybersecurity in Central & Eastern Europe, Italy and Turkey.