Gartner IAM Maturity Scale

Transcription

1 Gartner IAM Maturity Scale Many large organizations have tried to reduce the levels of complexity within IAM and address compliance issues through technology projects. These projects are often poorly coordinated, focusing on checkbox compliance, rather than reducing risks and improving resiliency. The organization then finds itself struggling with another layer of complexity without realizing clear business value.

2 What level of maturity is your IAM program at and how do you ensure successful implementation and improved business value? IAM leaders and security and risk management professionals should use Gartner's maturity assessment for IAM to assess the maturity of their organizations' IAM programs and define the steps necessary to improve maturity. This will enable them to determine which aspects of a maturity level are most important to them and understand how to advance to the next level. This is a crucial exercise, because immature IAM programs are likely to be inefficient, ineffective and unable to deliver their full business value. The Maturity Phases These are built based on key indicators of maturity, which encompass management of processes, personnel as well as organization, technology, and business culture. Gartner has identified five maturity levels that represent increasing capabilities: Phase 1: Initial Phase 2: Developing Phase 3: Defined Phase 4: Managed Phase 5: Optimizing Governance is ad hoc and informal Tactical priorities set based on certain business drivers An IAM governance structure is defined Projects are aligned with vision and roadmap IAM performance targets are actualized Performance is continuously monitored Transformational value Tools put in place on a piecemeal basis Technology redundancy is likely The IAM PMO is established IAM architecture aligned with EA The IAM program is dynamic and adaptive to changes in business conditions Business value is tactical An IAM architecture is defined Responsibilities are poorly defined Discrete technology projects An IAM vision is defined Key stakeholders are actively involved in the IAM program Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 2 DO YOU KNOW WHERE YOU ARE ON THE IAM MATURITY SCALE Gartner have provided insight into what the various IAM principals such as governance, process, technology, infrastructure and business value looks like at each phase. This is then coupled with key recommendations on how you can transition to the?next ideal phase of maturity.

3 PHASE 1: JUST GETTING YOUR IAM PROGRAM STARTED At this level of maturity, IAM activity is unfocused and embraces diverse operational tasks within multiple silos. is ad hoc and informal, with no executive sponsorship. At best, responsible managers and administrators have only a conceptual awareness of IAM and its capabilities. IAM PROCESSES are ad hoc and informal, varying across silos, and have minimal automation. IAM activity is driven by the immediate needs of specific business problems and tasks, although competent managers and administrators may achieve some consistency in the way IAM activities are performed. Basic roles may have emerged informally, but responsibilities are poorly defined and scattered across the organization. Consequently, IAM activity has no measurable business value stakeholders are concerned only if actions are tardy or erroneous. Identify business drivers. Align efforts with the vision and mission of information security, specifically addressing any IAM relevant controls arising from policy. Identify processes, especially those for administering identity and entitlements. Seek effective sponsorship for technology projects, such as sponsorship by security or BU leadership. Establish liaisons between BUs, project teams and information security. Inventory IAM skills, at least on a per-project or per-process basis. Inventory IAM technologies; identify functional overlaps and redundancies; and look for opportunities to rationalize and consolidate IAM investment and to synchronize between silos. Identify opportunities for improved efficiency and if necessary for regulatory compliance for improved effectiveness. 3

4 PHASE 2: DEVELOPING YOUR IAM PROGRAM CISOs and other responsible managers are beginning to recognize IAM as a discipline in its own right, requiring development to be better integrated into IT management processes. is likely subsumed with information security governance, but within that, IAM might not be sufficiently clearly addressed to ensure good decision making. Responsible managers have identified certain business drivers and set tactical priorities for IAM focused on individual business units (BU); however, it is unlikely that there has been a check for coherence across those silos. IAM PROCESSES are semiformal, driven by a top-down approach, and tied to individual BUs and target systems. Operational processes focus on discrete parts of IAM, particularly the administration of identity and coarse-grained entitlements. Individual projects will have CISO or BU management sponsorship and their own project teams. A liaison between BUs, project teams and information security is informal. An informal inventory of IAM skills is initiated on a perproject and per-process basis. The IAM leader defines a high-level organization chart showing roles and links between IAM and business decision makers, as well as links within IT for IAM. IAM TECHNOLOGIES have been selected and implemented independently by individual BUs or for discrete target systems. No formal infrastructure design has been created. Technology redundancy is likely, in some cases, with multiple instances of the same class of product. No provisions are made for growth or change consistent with business objectives or history. CISOs may embark on infrastructure projects such as single sign-on (SSO) or identity governance and administration (IGA) product selection and implementation, still reflecting an ITdriven initiative and focus. is tactical and tied to specific processes. Efficiency improvements are commonly identified as goals, but performance targets are poorly defined. In some cases, failed audits or new regulatory compliance initiatives may have prompted hasty investments in technology to provide effectiveness improvements. Direct business value is typically low. It may slightly improve processes (for example, improved user experience); however, this will be difficult to translate into increased revenue or cost savings. Inordinate attention is paid to the justification of technology products based on IT drivers, rather than business drivers. Define and seek acceptance for an IAM governance structure. This may be congruent with the information security governance structure. However, for this period in the maturity cycle, it is likely to require separate focus, especially in larger organizations. Seek an executive sponsor for IAM. (Again, this may be wholly or partly subsumed by sponsorship for information security.) Define an IAM vision aligned with stakeholder needs to establish program objectives and priorities. Define and seek acceptance for a roadmap of investments and projects that cover program objectives according to priorities in a manner that is consistent with the organization s typical planning horizon. Formalize IAM processes, and seek consistency across BUs and target systems. Establish an IAM program management office (PMO), with a charter to manage the IAM program. (As for governance, this role may be wholly or partly subsumed within the information security PMO.) Define IAM program roles (that is, the participants within all IAM management, project and operational activities), and begin populating the responsible, accountable, supportive, consulted and informed (RASCI) matrix. Define participants skills, and identify training needs. Define a technology-focused IAM architecture (within the context of the organization s information security architecture). Rationalize and consolidate IAM investments. Select and implement new IAM technologies, as set out in the roadmap. Define interfaces between the IAM infrastructure and the information security and IT service and support management (ITSSM) infrastructures. Define IAM performance targets. Identify quantifiable improvements in efficiency and effectiveness; tie effectiveness improvements to information security and the organization s critical business imperatives to manage governance, risk and compliance (GRC). Look for ways of using IAM to drive increased revenue or cost savings for the organization. 4

5 PHASE 3: TRANSITION FROM DEVELOPMENT TO DEFINED At this level of maturity, CISOs and other responsible managers have identified the need for a common approach to IAM. An IAM leader and an IAM architect (not necessarily full-time or discrete positions) have been identified. structure is defined and accepted. This may be wholly or partly independent of the information security governance structure; the key thing is that IAM is recognized as a distinct initiative to be governed. There is an executive sponsor for IAM. The CISO or IAM leader has defined an IAM vision based on stakeholder needs. A roadmap has been defined and accepted. Initial investments are being made to implement the roadmap. TECHNOLOGY-FOCUSED IAM architecture (within the context of the organization s information security architecture) has been defined. Comprehensive IAM processes are formalized and consistent across BUs and target systems. The IAM PMO has been established, with a charter to manage the IAM program. IAM ROLES are defined; however, the RASCI matrix may not yet be fully accepted and embraced by all stakeholders. Participants skills and training needs are defined. Resource allocation planning is established to meet new operational and project needs in the coming years. INFRASTRUCTURE DESIGN (aligned with the architecture) is defined. Projects to rationalize and consolidate earlier IAM investments are underway, along with new IAM technology selection and implementation as set out in the roadmap. IAM performance targets are defined and achieved. There are sustained, quantifiable improvements in efficiency and effectiveness tied to information security and the organization s critical business imperative to manage GRC. is typically moderate providing incremental, but significant, improvements to existing processes that will result in increased revenue or cost savings for an organization. Refine the IAM governance structure to improve decisionmaking processes. Establish strategic planning and budgeting for IAM across the whole organization. Begin continual reviews of the IAM vision and roadmap to ensure continued alignment with the organization s strategic business goals. Review and (if necessary) refactor multiyear technology and other initiatives to align with the current vision. Integrate IAM processes across all BUs and target systems, and align them with relevant IT, business and partner processes. Seek the active involvement of key stakeholder in the IAM program, and establish the PMO as the liaison between different parts of the organization. Get stakeholder commitment to the RASCI matrix. Establish processes for continuous revision as organizational change occurs and capability expands. Establish proactive skill development for IAM participants. Add business and information views to the IAM architecture, and seek alignment with the enterprise architecture. Create a catalogue of standard technologies and artefacts within the architecture. Refine IAM performance targets as needed, as IAM coverage grows. Measure quantifiable improvement in support of multiple business-critical imperatives. Look for ways to use IAM to drive significantly increased revenue or cost savings for the organization. 5

6 PHASE 4: MANAGE YOUR IAM PROGRAM At this level of maturity, IAM programs are firmly established, and their business value is widely recognized. IAM PLANNING IAM TECHNOLOGY IAM ARCHITECTURE is fulfilled and refined and budgeting are performed across the entire organization at a strategic level. The IAM leader continually reviews the IAM vision and roadmap to ensure alignment with the organization s strategic business goals. Multiyear technology and other initiatives are reviewed and (if necessary) refactored to align with the current vision. has technology, information and business views, and is fully aligned with the enterprise architecture. From an enterprise architecture perspective, the architecture has an IAM viewpoint. IAM is architected for choice, with a catalog of standard technologies and artifacts. IAM PROCESSES IAM PROGRAM IAM INFRASTRUCTURE are integrated across BUs and target systems, and they are fully aligned with relevant IT, business and partner processes. has active involvement of key stakeholders, and the PMO functions as a liaison between information security, data center operations, application development, HR, finance, legal and compliance, and all lines of business. IAM roles are well-defined and aligned across the enterprise, and the RASCI matrix is fully populated. Organization charts accurately reflect the roles of IAM-relevant personnel within IT and across the enterprise. Proactive skill development is underway. vision. is smoothly integrated with the information security infrastructure to ensure highly effective use of complementary technologies, such as security information and event management (SIEM), user and entity behaviour analytics, segregation of duties (SOD) controls monitoring, and data access governance and the IAM infrastructure. IAM performance targets are actualized and refined. There are sustained, quantifiable improvements tied to GRC management, as well as all of the organization s critical business imperatives, to attract and retain customers; build an innovative and agile organization; maximize performance, profitability and competitiveness; and so on. is typically high IAM enables new ways of performing horizontal or vertical applications that will result in significantly increased revenue or cost savings for the organization.to align with the current vision. Optimize the IAM governance structure. Continually review and optimize the IAM vision and roadmap. Establish IAM processes as business processes, and continually optimize. Continually optimize the work of the PMO. Continually review and refine the RASCI matrix. Embed the IAM architecture within the enterprise architecture. Review standard technologies and artifacts, and remove or replace suboptimal choices. Optimize the value IAM delivers to information security, GRC management and other critical business imperatives. Continually monitor IAM performance targets, and institute changes as needed to promote business agility and competitive advantage. Look for ways to use IAM to enable new ways of doing business 6

7 PHASE 5: ENSURE CONTINUOUS OPTIMIZATION OF YOUR IAM PROGRAM At this level of maturity, IAM programs are integral to the business strategy and are continually reviewed and refined to cater to changes in technology, organizational dynamics or business requirements (i.e., optimized). Programs at this level are dynamic and adapt to changes in business conditions, even radical changes, and support even transformative business plans. structures are continually optimized. The IAM leader continually reviews and optimizes the vision and roadmap. IAM ARCHITECTURE is likely to be embedded in the enterprise architecture. Standard technologies and artifacts are continually reviewed, and suboptimal choices are removed or replaced. IAM PROCESSES are established as business processes and continually optimized. The work of the PMO is continually optimized. The RASCI matrix and skill development program are continually reviewed and refined. IAM INFRASTRUCTURE design is continually reviewed, and suboptimal elements are removed or replaced. The value IAM delivers to information security, GRC management and other critical business imperatives is continually optimized. Performance is continuously monitored by the leadership team, and changes are instituted, as needed, to promote business agility and competitive advantage. is potentially transformational IAM enables new ways of doing business across industries that will result in major shifts in industry dynamics. Further improvement is impossible; however, continued effort must be invested in the actions listed in the previous level s recommended actions for improvement to maintain this level of maturity. Many organizations fall into a hysteresis loop between this level and Level 4 (Managed). Relaxing the optimizing effort may have no measurable impact for some time, but processes and capabilities will eventually deteriorate. Sustained effort is required to return to Phase 5 (Optimizing). 7

8 Ensure IAM Going Forwards You should continuously perform an IAM maturity assessment on a quarterly or, at least, an annual basis to track improvements and gaps in maturity. The results can be used to: Gain increased visibility into the organization's approach to IAM and its IAM program maturity. Establish priorities, and inform budgeting and spending decisions. Discover program and control gaps. Demonstrate the progress of maturity initiatives. Adjust organizational structures or inform outsourcing decisions. Communicate with different audiences for example, the IT organization, users, business executives and the board of directors. IAM leaders should adopt the following steps to improve the maturity of their IAM programs: Assess the Current State. To increase maturity levels, an organization must understand its overall maturity level, as well as that of each indicator, and use this as a foundation to increase IAM program maturity. Understanding the current level of IAM maturity enables IAM leaders to recognize how this level constrains what can be achieved and to set expectations accordingly. Identify Gaps. Here, the IAM leader works to identify the program deficiencies preventing the IAM program from reaching its full potential. In many cases, the maturity of the IAM program is unbalanced across the indicators listed here. For example, having a well-developed set of operational processes and controls won't ensure a positive impact, unless they are supported by well-defined roles and well-understood (and accepted) responsibilities. Set Maturity Targets. Once the gap analysis is complete, maturity target setting defines specific goals for improvement. The maturity target is not a "blue sky" activity; it must be grounded in reality, recognizing business priorities, required resources, program change capacity, and the prevailing organizational personality, corporate culture and maturity. The IAM leadership team can define two levels of targets: Desired state: The strategic goal vision and roadmap components of strategy, including goals for maturity, may be lacking below Level 3. Planned state: The objective to be achieved within a given time interval at high levels of maturity, a planned state could coincide with the desired state. 4 5 Plan Improvements. Improvement planning identifies the gaps between the current and the desired states, and the transitional steps required to fill these gaps. (A planned state that is more than one maturity level above the current state is unlikely to be achieved in a single project. "Half-step" projects typically have a greater chance of success.) The program improvement plan must define the improvement projects that will be undertaken to fulfil the plan. The improvement plan defines the necessary details (e.g., the scope, objectives, deliverables, resources, costs and schedule) to initiate improvement projects. The projects can be prioritized based on budget, schedule, impact, resource availability and time to value that is, the time between project initiation and when it begins to deliver value. In many cases, not every maturity improvement project will be completed during the same year. Continuously Improve. As with other key activities, a continuous improvement program should be put in place for IAM. Gartner recommends reviewing IAM maturity and improvement goals on at least an annual basis, as part of the IAM program planning activity. IAM program maturity assessment is a cyclical activity. Subsequent assessments will evaluate now-current states (a measure of the success of any maturity improvement projects), re-evaluate the desired states and define new planned states. At Level 3 (Defined) or above in management processes, the desired states are likely to flow from strategic planning. Whether you are at the beginning phase of your IAM program, looking to shift into the next gear or planning for the future, 2018 Gartner Identity & Access Management Summit will be covering all of these stages in more detail. Offering practical and actionable insight into how you can update and refine your IAM program based on leading-edge research and renowned analyst insight. Find out more 8