Identity and access management (IAM) is at the front lines of security. Yet for all its importance, too many IAM projects have fallen short of expectations, taken too long, cost too much to complete or failed outright.
But everything about IAM — controlling access, managing and securing privileged accounts, achieving governance — is so important that organizations keep hammering away at their IAM projects hoping that things will get better.
How can you do things differently and make sure that your IAM project doesn't become another wreck on the road to security and compliance? In this e-book, I'll describe the multi-faceted world of IAM and point out common characteristics of failed projects. Then, I'll introduce new thinking, new tactics and new approaches like One Identity that can help you make sure your project succeeds.
Let me start by quickly reviewing what IAM is:
Anything you do to make sure that people can get to the stuff they need to do their jobs, and only that stuff.
That's it.
That boils down to the processes and technologies around three functions:
Let me define the three pillars in more detail.
Thus, the essence of successful IAM lies in addressing all three pillars of functionality.
If it's a struggle for you just to grant your users appropriate access, then IAM is never going to be more than a tactical, operational exercise for you.
You may be saying, "I already do all this stuff!" My reply is, "Yes, you do. But how effectively do you do it?"
Are you sure that your people can access their stuff? Are you spending too much time and money providing and managing access? Is the access you're providing on par with organizational, regulatory and user expectations?
Here are the most common types of failed IAM projects:
Death by one-off, in which multiple solutions from multiple vendors provide similar functionality, but in multiple pockets of the infrastructure. Think, for example, of all these solutions running in the same organization:
One size fits some, in which the organization engages a big platform vendor for an enterprise solution that, at first glance, will meet all of its IAM needs. But a few years into the project the organization finds that it is still performing too much of its IAM manually, buying too many point solutions with siloed functionality and pumping in too much effort with no end in sight.
Provisioning only. The linchpin of any IAM program is provisioning, the set of processes that grant (and revoke) access for both standard and privileged users. Yet provisioning is often the most time-consuming, error-prone and disjointed IAM activity, and if the organization cannot be certain that each user has precisely the correct rights on each system, it will not achieve good governance. Most traditional IAM solutions from big platform vendors focus on provisioning, but because they are complex, custom-built and expensive, they are often the poster children for failed IAM projects.
You may be able to see yourself in at least one of those scenarios.
So what does the fallout from an IAM failure look like?
Inefficiency — Basic access management duties take too long, require too much IT involvement and are done too inconsistently. How long does it take your organization to fully provision a new user with all necessary access rights? How many separate e-mails, phone calls, spreadsheets and processes are involved? How many separate IT teams does it touch? Your users should be fully provisioned the minute they start, with a single request and fulfillment action, and IT should be involved only when something goes wrong. If that is not the case, you are probably at some stage of a failed IAM project.
Audit exposure — When the auditor comes calling, do you head for the hills? Can you even confidently report which users have which rights or permissions and whether those entitlements are actually appropriate for their job? If it is difficult for you to gather, deliver and interpret information for an auditor, your IAM was likely a failure. And if the audit requires lots of IT staff to perform lots of manual tasks while their real job goes undone, it was certainly a failure.
Living on a prayer — When there is a disjointed, heavily IT-dependent, multi-siloed approach to IAM, business stakeholders must hope that everything is going well. An undeniable sign of an IAM failure is not knowing about a problem until it is too late.
Inflexibility — If you had to manage access to a new, business-enabling application with very little notice, could you? If a BYOD flood hit your company, could you handle access for all those devices? If dealing with that kind of change is difficult (or impossible) and requires more new IAM solutions, more IT involvement and more siloed approaches, your IAM project is not likely successful.
In short, a number of factors can get in the way of a successful IAM project:
IAM projects bedevil companies in many different industries.
One Fortune 100 company believed its only option was to invest heavily in a customized IAM solution from a large vendor. The company engaged 16 Java developers to custom-build connectors for provisioning and deprovisioning users across hundreds of applications. Two years into the project, this army of developers had succeeded in building only one connector: it could provision users to Active Directory, but it could not deprovision them, so access granted through it could not be taken away through it when a user left.
A major bank had a set of 12 UNIX-based applications used every day by every teller. As a result of integrating these applications with the bank's large IAM framework, each teller had to remember 12 passwords. The cost of resetting the passwords the tellers forgot was more than $1 million per month.
A large technology company spent years with major IAM vendors on two failed projects for provisioning more than 100,000 users. One day, the company realized that it had three full-time employees tasked with simply filling the provisioning gaps left by its customized solutions.
A document management company successfully implemented a framework for provisioning, but then found out how much time and money it would take to add other needed IAM functions. It was compelled to shop for other products for managing single sign-on, passwords, Active Directory, UNIX directories, privileged accounts and governance.
Three months into a 12-month IAM project, an energy company was barely able to provision and still unable to perform governance. The vendor was acquired by another vendor that recommended an entirely new, equally expensive and potentially longer project to accomplish the same things, minus governance. Meanwhile, the costs the company incurred to maintain homegrown applications were becoming excessive.
Do you see your company in any of those five examples?
But … there is hope.
A growing number of organizations are finding that, with the right approach, IAM can go from a necessary evil to a business-enabling asset. For these organizations, the utopia of users having what they need to do their job (access); every user having exactly the right access (provisioning); all the right people making it happen and knowing what goes on (governance); and a unification of all of those is much closer to reality than they thought possible.
When line-of-business managers decide who should have access to what, and when they can provision on their own, everything gets easier.
Here are a few common characteristics — a basic recipe for IAM success — that we can draw from successful projects:
To return to the five projects I described earlier, four are well on the path to IAM success.
The password-challenged bank consolidated all UNIX identities and logins to take advantage of the existing, ubiquitous Active Directory logon. That virtually eliminated the $1 million-per-month burden of resetting its tellers' passwords.
The technology company implemented a configurable provisioning and governance solution. It achieved all of its objectives in a few months, instead of the few years the failed project had taken. The senior manager for identity and directory services at the company says, "Now we have a global, intelligence-driven IAM platform for access governance that ties our people's identities, permissions and roles to business rules."
The document management company continued to build IAM functions on top of its framework for provisioning, always emphasizing interoperability, adherence to standards and reduced complexity. Eventually, the futility of maintaining the custom solution became obvious, so the company implemented a future-proof provisioning and governance solution.
The energy company implemented the same provisioning and governance solution as the technology and document management companies. In 14 weeks the company achieved what it had failed to do in three years with the previous solution. The director of information security at the company reports, "The time savings has been remarkable. We can now auto-provision 50 percent of our application tasks."
Each of these projects followed the recipe for IAM success and used the One Identity family of products.
One Identity is a multi-award-winning family of solutions built on the three pillars of IAM functionality:
Figure 1: One Identity provides access management, identity governance and privileged management for the widest range of user types and access scenarios
Many vendors offer solutions similar to pieces of the One Identity family, but none offers the breadth across all areas of IAM or the success-enabling features explained in this e-book. Consider the unique, powerful and business agility-enabling benefits of One Identity:
One Identity helps organizations get identity and access management (IAM) right. With our unique combination of offerings, including a portfolio of identity governance, access management, privileged management and identity as a service solutions, organizations can achieve their full potential – unimpeded by security, yet safeguarded against threats.