5 PITFALLS OF IDENTITY AND ACCESS MANAGEMENT. A guide to avoiding the classic mistakes that lead IAM programs to failure. focal-point.


INTRODUCTION

Organizations' interest and investment in Identity Governance and Access Management (IAM) solutions is rising rapidly. The IAM market is forecast to grow to $18.3 billion in , doubling its value from just three years ago. With the modern perimeter expanding due to factors such as cloud adoption and the increased network presence of third parties and service providers, 47 percent of IT security professionals said they are currently investing in IAM for externally focused apps, and 32 percent plan to do so within the next year. Only 8 percent have no plans to invest in IAM. [2]

But for far too many companies, a commitment to IAM does not result in an effective implementation. While this can happen for a variety of reasons, Focal Point's team of IAM experts sees the same five scenarios come up again and again. The following is a summary of what organizations tend to get wrong when implementing an IAM solution and how to avoid those mistakes.

[Callout: 47% of companies are currently investing in IAM for externally focused apps; 32% plan to make this investment in the next year; 8% have no plans to invest in IAM.]

1. IAM IS VIEWED SIMPLY AS A PROJECT, NOT A PROGRAM.

From the very beginning, organizations must look at IAM as an evolving part of the business that is intertwined with enterprise strategies. Treating IAM as a project creates the impression that it has an end date. This mentality can lead to IAM solutions being implemented and then left alone, doomed to fail without the resources they need to strengthen the organization. To be successful, organizations must consider IAM an essential component of their cyber security program, one that aligns with key business strategies and continuously evolves as the organization changes and grows.

As an example, companies that are heavily involved in mergers and acquisitions, or that hire hundreds of new employees within a short time span, have to deal with rapid internal change. These companies need to regularly assess their IAM policies, processes, and automations to ensure that they still meet the organization's needs and allow employees to transition into the company seamlessly and securely.

In addition, when launching a new cyber security initiative, this program mindset will help ensure that proven IAM tools and practices are embedded into the tools, systems, and processes already in place to protect the enterprise against breaches. As change occurs in the enterprise, IAM tools and practices must adapt and evolve along with the organization. With IAM integrated into all relevant business areas, it has the opportunity to contribute continuous value to the organization rather than sitting stationary on the outskirts of the business.

[Diagram: Program vs. Project]
PROGRAM: ongoing; aligned with business objectives; evolving; integrated into the business; C-suite sponsorship; defined IAM owner.
PROJECT: end date; checklists; static; siloed; limited buy-in; project manager.

2. COMPANIES DO NOT INVEST ENOUGH INTO IAM.

A project-type mentality also leads to inadequate funding, time, resources, and infrastructure, all of which are required to make an IAM solution successful and beneficial. A successful IAM strategy requires careful planning from the very beginning. Before diving into an implementation, the IAM team should develop a multi-year plan that breaks costs into implementation and operational stages. The plan should forecast the number of people needed, whether the solution will be run on premises, and, if so, what infrastructure expenses are expected. Within this plan, a team structure should be developed, with a designated IAM owner, so that roles, responsibilities, and accountability standards can be established.

Companies should also build into the budget the hiring of vendors who are paid on a time-and-materials basis, not a fixed fee. Businesses frequently enter agreements with fixed-fee vendors without a realistic perspective on what goes into the program, which can create unpredictable budget overruns. By paying for time and materials as program expectations and scope dictate, the organization will have the flexibility it needs to properly support the IAM program.

3. END USERS ARE NOT BROUGHT ON BOARD.

Planning and investing in IAM are crucial, but this level of effort will not matter if the eventual users of the application are not welcomed into the decision-making and implementation early on. Research has shown that one of the most prevalent reasons for IT project failure is the inability to create the right mindset among users about change. [3] Leaving end users out of the loop means they are less likely to buy into the program at launch.

From the very beginning, the IAM team should educate users about the implementation, what is going into it, and why it matters. They should show users what the new system will do and how it will elevate their ability to contribute to business strategies. Once users are convinced of its benefits, they will emerge as evangelists, spreading the good news about IAM to other users.

[Diagram: IAM team to end user communication flow: advance notice; regular updates; questions and input; features and benefits; training; feedback.]

4. THERE IS A LACK OF EXECUTIVE BUY-IN.

Too often, gathering support for IAM is assigned to relatively lower-level players, such as database or systems administrators. But the pursuit of buy-in should not come from the bottom up: CIOs and other technology leaders have to take the initiative to secure the support of the CEO, CFO, and other C-suite executives. Seventy-three percent of respondents in an IBM study agreed that top-level support was fundamental to their projects' success. [4] Again, IAM evangelists must make the case for IAM as a highly aligned business driver, as opposed to yet another disconnected IT project, to gain executive support.

A simple, high-impact way of gaining executive buy-in is identifying some quick wins that will provide immediate return and demonstrate the tangible value of IAM. Enabling multi-factor authentication (MFA) to secure sensitive applications and data can be an extremely effective IAM initiative that serves as a type of pilot program to win over executives and get them on board with further investment in IAM.

Another fundamental way of gaining support is to show a clear return on investment for the IAM initiative. ROI can be derived by evaluating the impact of automating the user lifecycle management process and the access certification process. Reducing the manual effort involved in onboarding and offboarding users, and in manually intensive access review processes, can yield very meaningful cost savings that support the ROI executives need to buy into and invest in IAM.

[Diagram: ROI drivers: time savings (automated end user lifecycle management); IT security savings (improved cyber security posture); compliance cost savings (automated controls resulting in fewer issues).]

5. THERE IS A LACK OF COMMUNICATION.

Without clear, proactive communication, the CISO, the C-suite, IT, and the end users can all develop different ideas about the functionality and purpose of IAM, giving way to mass confusion after launch. The IAM team must set expectations about IAM at every stage of the adoption process. In a recent NACD study, only 15% of directors were very satisfied with the quality of cyber security information they receive from their management team. [5]

As part of proactive communication efforts, it is important to directly address reservations about IAM among stakeholders and to be clear about the advantages IAM will bring to the organization. Some may balk at the cost of implementing an IAM solution, while others may be resistant to change and argue that the necessary time and resources are not available to support IAM. By acknowledging these reservations up front, then explaining how you plan to alleviate them, you boost the credibility of your IAM program. The team should also take this opportunity to stress the advantages of automated identity governance: it will bring newly hired personnel and contractors into daily operations more immediately, allow users to gain access to business tools and resources more quickly, and provide more accurate reporting tools.

CONCLUSION

As with any major investment, there are plenty of missteps that companies can take with IAM. The five pitfalls described here demonstrate that treating IAM as a one-time, check-the-boxes project to muddle through is sentencing it to failure. Instead, organizations should recognize IAM as a permanent and essential element of their overall cyber security posture, just like onboarding for HR and customer relations for sales and marketing. In doing so, IAM will prove itself every day as an enabler of swift and secure business success.

RESOURCES

1. Statista.
2. SecureAuth News.
3. IBM. Making Change Work.
4. IBM Institute for Business Value. USEN&htmlfid=GBE03618USEN
5. NACD.

ABOUT FOCAL POINT'S IAM SERVICES

Identity Governance and Access Management has cemented itself as a strategic priority for organizations in all industries. Focal Point partners with these organizations to ensure that IAM and IDaaS systems are integrated within the organization in a way that places security, efficiency, and compliance at the forefront. Focal Point has partnered with leading solutions providers, including Oracle, SailPoint, Quest, CyberArk, ForgeRock, and Okta, to deliver seamless integrations for best-of-breed IAM and IDaaS platforms.

Services:
- Strategy Assessments
- Planning and Design
- Development
- Testing and Validation
- Production Support
- Knowledge Transfer
- Remote Operational Support
- ForceID Audit (IAM Maturity Audit)

Summary:
- 10+ years delivering IAM services
- 100s of successful IAM and IDaaS deployments
- 4 million identities under management
- Leading IAM experts with security, privacy, and analytics specialists

ABOUT FOCAL POINT

Focal Point Data Risk is a new type of risk management firm, one that delivers a unified approach to addressing data risk through a unique combination of service offerings. Focal Point has brought together industry-leading expertise in cyber security, identity governance and access management, data privacy and analytics, internal audit, and hands-on training services, giving companies everything they need to plan and develop effective risk and security programs. By integrating these services, we provide our clients with the flexible support they need to protect and leverage data across any part of their organization. Simply put, Focal Point is the next generation of risk management.

Contact Us: focal-point.com // info@focal-point.com

Focal Point Data Risk is a registered trademark of Focal Point Data Risk, LLC.