H2FY20 Journey to IAM Success: Exclusive insights and recommendations

as appreciated. You need to deliver a visible impact, e.g. the integration with physical access to buildings, so that physical access and system access can be enabled and disabled within a single process.”

“Identity is not as tangible as a new laptop. It is not as appreciated. You need to deliver a visible impact.”
Scott Cornfield, CISSP, Identity and Access Manager, Sky UK

Making users’ lives easier is the best way for most IAM programs to show a quick win. However, if auditors are the main stakeholder, you need to take a slightly different approach, because auditors want to see some quick improvements. The Identity Management Lead of a major European bank made this point: “Understand how your IAM program will deliver to the audit pressure.” If you deliver on the biggest pressure early, that is a quick win.

What also helps is to define and measure Key Performance/Risk Indicators (KPIs and KRIs) to demonstrate a tangible improvement, e.g. in the time it takes for the onboarding processes of users or applications or the reduction of orphaned accounts.

Understand problem areas

An IAM program is not an infrastructure-only initiative; it involves many parties. The larger the organisation is, the more important it is to understand specific requirements. Successfully running an IAM program requires a team that knows the organisation. The Identity Management Lead of a leading European bank brought this up: “Organisations have specific challenges. It is hard to fully understand these, particularly for large organisations.” Understanding problem areas and the organisation as a whole is a many-faceted challenge. It is about understanding what goes well in the organisation and what does not.
Timothy Forde, Enterprise Security Architect IAM at a major retail bank, recommends: “Don’t start with the product, but understand the problems and processes in your organisation first.” This requires people in the team who know the organisation, well beyond the technical aspects of IAM.

Ensure you have the right resources on hand

Making your IAM program a success very much depends on having the right resources and skill sets to hand. A large banking and financial services institution’s Enterprise Security Architect articulated the challenge most organisations are facing today: “Skilled people are rare.” However, he also came up with good advice on how to address that challenge within the organisation: “Go for the ERP people. They know workflows. They know about data consolidation. They know rule engines. Data and processes in ERP must work together, the same as in IAM. They are familiar with similar problems.” What could be added is greater knowledge about the business side of the organisation.

Many of the interviewees emphasised that the challenge of having the right resources and skills can’t be solved by simply hiring externals. Understanding the problem areas requires understanding of the organisation. However, that must be done by the internal team. Tom Golson concluded, “The organisation itself must have the business skills. Process knowledge resides internally.” Scott Cornfield added, “To a large degree, Identity should be done internally. You need to be close to the business.” It is a common view among the interviewees that it is easier to build up sufficient skills in IAM tools than to train externals in understanding the organisation’s specifics and to try and create the intimate understanding of the business that is required for making the IAM program a success.
Scott Cornfield said, looking at the interplay with system integrators, “Have them help, but not control it. Be in control of vendor selection. Choose the technology you have skills in.” Understanding the required skills, getting the right people on board for the IAM program, and educating the team are among the key success factors for IAM programs. As the Director of Global Identity & Access Technologies at a global insurance brokerage and risk management services firm said, “Education is key to success as well.”

Define the processes

Many IAM programs get into trouble because the processes they implement are not what the users expect. Scott Cornfield sees “process optimisation as an important element” of IAM programs. The APAC bank’s Enterprise Security Architect adds that IAM programs “must focus on processes, not technology. Sometimes, it took two years to figure out that an implemented process was incorrect.” Defining processes first helps in achieving the quick wins and reaching the goal of the IAM program, but also in reducing the cost of IAM programs. Customising tools and processes is an expensive element in IAM programs. This becomes far more straightforward and efficient if processes are defined first, not during customisation.

Keep an eye on identity information quality

A specific area of processes that has been highlighted by the practitioners is the set of processes between HR systems, IAM, and the target systems, which heavily affect the quality of Identity information that can be achieved. Tom Golson put it clearly: “IAM is many times more complicated than everyone believes.
You must define the data flow and processes to achieve the required quality of Identity information.” He also pointed out another pitfall: “There is the misconception that IT or data owners are the only people who care about the quality of data.”

“IAM is many times more complicated than everyone believes.”
Tom Golson, Associate Director, IT Security, Texas A&M University

Wolfgang Zwerch, Identity Management Lead at Munich Re, was even more direct: “Garbage in, garbage out. Bad security models at the system level and bad data will not be healed by just implementing an IAM tool. It becomes transparent, but without well-thought-out processes it will not become fixed.”

Scott Cornfield also commented on data quality: “HR data can vary in quality and may not be as reliable as expected. Look at it and understand how good or bad it is. Optimise the process and the quality of data delivered. Also look at the other data sources for IAM and how good they are.” He also recommends taking a broader view: “Look at processes end-to-end, from HR to IAM to the target systems, not as siloed processes.”

Solving challenges in data quality requires a strong backing by stakeholders, because it is about the intersection between HR, IAM, and the system owners of other source and target systems. However, the most important advice came again from Scott Cornfield: “Talk with them.” Getting the other parties on board, figuring out the responsibilities for data quality and optimising the processes can only be successf