In the first part of this two-part series, we discussed some of the Identity and Access Management (IAM) best practices that we have learned over many years and many projects. In this post, we focus on some of the key risks and pitfalls that need to be considered throughout the full lifecycle of an IAM program.
Availability of Resources
Having the right skill set mix is a critical success factor for any IT project. Due to the broad array of technologies, processes, systems, services and applications tied to an Identity Management solution, organizations rarely have all of the required skills in-house. Therefore, we recommend working with an Expert Managed Services provider who can assess the skills required for your project and complement skills that are available internally.
Increased Security Risk of Poor Implementation
Identity Management solutions are the backbone of security policy enforcement. A successful design will address both administrative and security requirements. The design of administrative processes for managing directory information and access control rules must be a pragmatic trade-off between security requirements and the realities of day-to-day operations.
When done well, an Identity Management solution ensures that a security policy can be enforced across the enterprise consistently. If done poorly, an Identity Management solution can jeopardize security. Therefore, it is critical to strike the right balance between an IAM implementation that follows the security policies.
Data Ownership and Other Political Issues
Organizations often experience difficulty in reaching agreement on the project definition due to historical data management and ownership practices. Understand that most people genuinely care about maintaining the quality of the IT services they provide for their users. Concern over jeopardizing this quality is often a root cause of resistance experienced by the Identity Management implementation team when their project is initiated.
Complex Design Considerations
The following aspects should be considered from a design standpoint:
- Data Policy Establishment – Many organizations launching an Identity Management project find themselves making trade-offs between wanting to keep the directory lean and efficient on one hand, and on the other hand wanting to use the directory as a general data warehouse. Design a data policy that explains what types of information should and should not be stored in a directory.
- Authoritative Identity Information Sources – The creation and management of identity information by different applications, each with its own data store, leads to a need for complex business process and information modeling. It is important to develop strong requirements and an assessment, design and implementation methodology that are used to ensure a smooth implementation process by actively and methodically managing complexity and its associated risk.
- Cleansing Data from Authoritative Sources – Some organizations assume that data maintained throughout their organization is reasonably up to date, accurate and compatible. Inconsistencies in data representation, data management policies and data store designs can cause problems. Spend time evaluating, configuring and deploying meta-directory, virtual directory and directory synchronization software to reduce the risks associated with poor data quality.
- Administrative Process Redesign – Identity Management solutions reinvent how administration is performed. Traditionally, each application introduces its own administrative tools. User accounts and associated privileges are added to a file or small database. Unfortunately, status quo means that there is often no single view of a user’s rights. This precludes the opportunity to ensure comprehensive changes to or even revocation of privileges as the employment / customer / partner / supplier relationship evolves. Thus, the way account administration is performed must be reinvented to ensure that users have all (and only) the tools they need to do their current jobs.
Rolling Out to Users
In today’s business environment, it’s never been more important to demonstrate quick wins for IT projects. While it may be less risky from a purely technical point of view to use a deliberate and methodical approach, full deployments take 12-18 months to complete. Your political climate may or may not support an IT project with that long a delay in an observable return on investment (ROI). High value projects should be rolled-out quickly, but in the context of a comprehensive design.
As always, Simeio Solutions stands ready to assist you with any Identity Management project. We have a full range of professional services, expert managed services and Identity-as-a-Service solutions to help you address even the most challenging projects.
Batool Aliakbar and Ashwin Achar
Senior Managers – IAM Practice