Understanding your current Identity and Access Management (IAM) capabilities and how IAM impacts your business is key to ensuring that you have a strategy that is appropriate for your organisation and one that works. IAM should not be considered a once-off project, but rather as a program of work which delivers according to the specific requirements of your business.
The current proliferation of mobile devices in the workplace means that increasing numbers of organisations are implementing bring your own device (BYOD) guidelines in order to facilitate mobile and remote working. However, ever-increasing numbers of devices logging on to your network can mask a very real security threat: the threat of unauthorised devices gaining access to potentially sensitive business information.
A recent survey of 176 information security professionals carried out by the Cloud Security Alliance and Bitglass found that 57% of those surveyed have reported security incidents related to unwanted external sharing. As well as this, 47% had reported incidents involving access from unauthorised devices.
These statistics highlight the need for businesses to take control of who can access data belonging to the organisation.
Identity and Access Management (IAM) has become a key concept which sits at the heart of IT, providing control over the identities within your organisation, what they have access to and when. As the business landscape continues to change, the scope of Identity and Access Management is evolving to incorporate areas such as Mobile Device Management, Rights Management and Multi-Factor Authentication (MFA).
A well planned IAM strategy solves a number of significant business challenges and delivers tangible benefits to the business:
- Significantly reduces the costs of the identity lifecycle (provisioning, change and leaving) – automating these events to an agreed policy can dramatically reduce the number of IT administrators and support operators needed to deliver the lifecycle services.
- Significantly improves identity quality in an organisation through timely and automated enforcement of identity and information security policy, thus ensuring a more accurate, holistic and complete view of users and their profiles across numerous directories and user repositories.
- Leads to a reduction in licensing costs – ensuring that the right users have access to the right systems at the right time means that organisations should only pay vendors and service providers for the services and applications they are actually using, thus solving the age-old problem of over-provisioning leading to over-licensing.
- Increases organisation productivity by providing end users with on-time access to all required systems, thus reducing expensive personnel downtime throughout the identity lifecycle.
- Improves the user experience – a well-defined and executed IAM strategy means that users have appropriate levels of access to all the systems they need, when they need it. Through self-service capabilities they can fix their own problems directly with service owners – e.g. request new access, reset passwords etc., taking IT administrators and the helpdesk (with associated delays, errors and costs) out of the loop – thus resulting in users being happier with the service.
- Improves agility – a well-defined and executed IAM strategy means that introduction of new services or applications or migration of existing services should be much quicker, easier and less costly to execute. These new services typically need to be plugged into “identity connectors” with simple policy configuration needed on your IAM service to define who needs access to the new service, how they are given it, when, how they change access and when they lose access.
- Reduces the costs and burden of governance and compliance – using IAM tools to define, execute, capture and measure information security policy activity means that audits and compliance reporting should be a one-click activity from IAM reporting toolsets.
- Improves organisation security – automated, systemic execution of information security and IAM policy significantly improves the operation of key risk management controls. It also reduces the likelihood of poor IAM practices emerging, because it solves the traditional problems identified above, such as shadow IT, over-provisioning, poor credentials management, non-existent or periodic de-provisioning, lack of identity or policy transparency etc.
All of these types of issues and requirements fall within the realm of Identity and Access Management, and as businesses move away from pure on-premise infrastructure and adopt the promise of cloud services, IAM will become an even more critical security control to have in place. The right IAM strategy will ensure you are not sacrificing control and putting identities, data and services at risk in return for improved end user functionality and reduced costs.
Critical success factors for formulating the business case for an IAM strategy or project include:
- Identifying, in order of priority, the objectives for IAM in your business.
- Gaining consensus and buy-in from key business stakeholders – it is important to realise that execution of an IAM strategy is a significant undertaking involving delegation of responsibility and input on policy formulation from multiple business functions.
- Establishing your IAM strategy as a key component of your overall Enterprise Architecture and your Information Security Architecture – as such, it needs to be planned, designed, executed and governed in the same way that you manage your overall Information Systems strategy and architecture.
- Prioritised and phased implementation – eat this elephant in pieces. IAM is a complex and sophisticated project and ongoing service. Over-ambition or over-complexity in any phase is likely to lead to failure of that phase.
- Ensuring that you take on IAM skills early. It is important that key IAM skills are acquired by appropriate people within the organisation early and ongoing – even if you outsource some or all elements of strategy, design or execution. That way they can lead, contribute and validate key elements of the IAM strategy, design or execution throughout the journey.
- Ensuring that IAM strategy and architecture are part of your ongoing ICT/ISM planning. Phased implementation means that elements of the roadmap need to be designed or executed on an ongoing basis to ensure appropriate levels of penetration in the business. Change means that new services are taken on or old services are retired, so IAM needs to adjust to the ongoing business needs. Information security threats evolve, as do IAM technologies and offerings, so having the right tools and the right application of these tools will ensure that your IAM service continues to deliver the appropriate security and risk mitigation controls to the business whilst enabling the business from an access and agility perspective.
It’s essential for businesses to realise the role IAM plays within their organisation and how IAM issues and requirements relate to their IT Strategy and goals to ensure they are aligned. So before launching into implementation of IAM solutions, we recommend you:
- Determine your current IAM maturity level
- Identify your specific IAM challenges and goals
- Identify your gaps and key priorities
- Plan the right roadmap for your business
- Identify the right tools and platform that will support your IAM plans
With the knowledge and understanding of your current capabilities and a vision of where your business should be, you can launch a successful IAM program, with some quick wins to realise immediate value, and provide the foundation for planning your IAM Architecture and Designs.
If you’re interested in learning more about our IAM Assessment service, speak to one of our team – visit https://www.ward.ie/about-us/contact-us/ or call +353 1 6420100.