It is no surprise that many IAM initiatives fail. An enterprise-wide Identity and Access Management initiative is, by nature, complex. It touches many facets of an organization, such as IT, security, infrastructure, internal- and external-facing customers, vendors, partners and service providers. It also deals with a multitude of services: provisioning, password management, authentication, authorization, entitlement management, application security, privileged identity management, access governance, and the list goes on.
Based on our experience of providing IAM services to organizations of various sizes and verticals, we at Simeio believe that some of the key guidelines discussed in this post can go a long way in ensuring a successful IAM initiative.
Get Stakeholder Support and Keep Them Engaged
- This can be a daunting task — yet extremely critical. It is imperative to educate the various IT and Business Groups about the program and goals. Show continuous ROI to keep them interested. Show them the short-term goals/wins while building a long-term vision.
Choose the Right Technology
- Begin with understanding the infrastructure and the need to build a strong, standards-based, service-oriented and flexible framework. While business processes and strategy will govern your IAM initiative, the technology set you select will form the backbone. A platform-based solution, rather than a point-based one, is recommended. Think about various models, such as on-premise versus using a business-ready cloud to leverage Identity as a Service.
Build the IAM Roadmap
- “Listen” to the key needs of the business and your organization. This is key in prioritizing your initiatives and determining the sequence, and in understanding dependencies, budgets and resources. It is of immense value to engage with a partner, as an expert perspective often helps in separating the tactical from the strategic. Realize that this roadmap will need to be updated based on deployments, release cycles and feedback.
Put It in Action
- Once you have prioritized the applications being integrated (for example, for provisioning, access request and compliance, based on risk, usage, volume of requests, complexity and, if applicable, geographical coverage signifying global impact), it is time to put it in action. Implement methodologies to standardize the integration process of various applications. An experienced partner will be able to build this for you. “People” will be key, so ensure that you have skilled resources backed by a solid RACI matrix that is communicated and agreed upon. Strong project management will be handy to keep this on track. Finally, provide the right training to administrators and end-users so that adoption is easy.
- Change is a constant. If not managed properly, even the best implementations can fall through the cracks. Communicate quick wins, the benefits realized along with managing release cycles and deployments. Think about engaging with a Managed Service Provider to manage infrastructure, application-related issues, upgrades etc. so that you can concentrate on the roadmap and continue to show progress and wins.
Now, Govern It
- Build the right structure, processes and policies for on-going governance. This should be in line with the enterprise vision and strategy.
Beyond some of the best practices, our experience has also led us to understand some of the key risks and pitfalls that need to be considered throughout the full lifecycle of an IAM program. These key risks and pitfalls will be discussed in the next part of this blog series.
Batool Aliakbar and Ashwin Achar
Senior Managers – IAM Practice