Knowing and managing who has access to your critical data and applications is an essential security capability. For most companies, access is distributed across multiple technologies, including but not limited to applications, servers, databases and platforms. Organizing and effectively governing all the forms of access across your company can be a daunting challenge. You must strike a balance: access controls must be effective enough to protect the firm without adversely affecting business operations.
Determining who should have access to what, and how that access will be authorized and governed, are business decisions. How access is requested, reviewed and approved is largely a matter of business process. Access at the compute level is controlled by the technology that facilitates effective identity and access management (IAM). IAM involves people, process and technology, and these must all be taken into account in order to realize effective access control; technology alone will not satisfy your IAM requirements.
Compliance presents another key consideration for getting IAM right. If your company operates in a highly regulated industry, you will need to account for multiple compliance requirements when planning your IAM capabilities. Role-based access models, management oversight of entitlements, and audit trails may be mandatory components of your IAM system. You may also need privileged-access management to govern and control who can access your most sensitive assets such as servers and other infrastructure.
IAM success factors
The business landscape is littered with failed IAM projects that did not properly plan and account for the people, process and technology required for effective management. Being aware of the following factors will significantly increase the likelihood of success for your IAM project:
- Don’t focus on technology alone. IAM technology is no panacea. Often, IAM projects are treated strictly as technology tool implementations, with little or no consideration given to their effect on users, business processes, entitlements and compliance. The technology is important, but implementing it in a silo risks misalignment with business requirements, poor adoption or performance, or unforeseen remediation costs once the tool is operational.
- Align business and technology stakeholders. IAM solutions are often provided by the technology organization, but business users are the customers. Without clear alignment between business and IT, your IAM solution can result in undesired disruption to business operations, costing the company lost productivity or worse. To set the foundation for effective IAM capability, business and technology stakeholders must be completely aligned on the end-state goal from day one.
- Know your risks and prioritize accordingly. Many failed IAM projects attempted to go after too much too quickly and thus were doomed from the start. Taking a risk-based approach to prioritizing the order in which applications and technology assets get onboarded to the IAM solution is a better means of mitigating risk to your business. This approach also facilitates a stepwise rollout of IAM capabilities that minimizes disruption.
- Be infrastructure-ready. IAM infrastructure requires multiple components, including integration with an authoritative source such as a human resources system; connection with directory services such as LDAP; hardware such as redundant servers for high availability; and dedicated software for monitoring and alerting. Infrastructure components can be on-premises in your own data center, in the cloud or both. Ensuring your infrastructure landscape is ready for IAM will mitigate risk when deploying the end-state solution.
While these suggestions can go a long way toward designing and implementing a successful IAM approach, many companies do not have the experience in-house to make sure all of the necessary bases are covered. In these cases, an experienced third-party risk advisor can play a valuable role in executing and delivering comprehensive IAM capabilities that factor in people, process, technology and data to create a harmonized and effective IAM solution.
Regardless of which route you choose, paying close attention to and periodically updating your IAM framework is a business imperative. The right IAM solution gives you greater control and increased insight to protect your data and applications without disrupting your business processes.