Sometimes the hardest part of a journey can be its first step.
As organizations try to keep up with the demands of digital transformation and cloud adoption, starting an identity program can be a daunting process. Between customers, employees, and non-human identities such as systems and applications, there is a lot to think about—and a lot that can be missed. Getting off on the right foot depends on effective planning. So, with that in mind, here are a few considerations that often slip through the cracks but, if addressed properly, can help organizations make their identity program more successful.
The Forgotten Stakeholders
Identity programs succeed or fail on the merits of the technology — but people have the most determinative impact on program success. No identity program will succeed without an appropriate and broad set of stakeholders. This team should include not only IT operations but also database administrators, security operations, and others. During a recent discussion with the Beyond Best Practices Technical Working Group subcommittee, we brainstormed a “forgotten audience” list based on our experiences. The list includes several groups that sometimes fall off the radar, including line-of-business technology teams, human resources departments, and legal departments. It is easy to forget that the legal team needs to ensure identity practices comply with legal frameworks and that the human resources department is a critical part of the organizational changes spanning the entirety of the identity lifecycle – from hiring to promotions to exits.
A lack of coordination between the right stakeholders stagnates projects within the overall program. Getting beyond the first set of systems and applications becomes more difficult as a lack of stakeholder coordination stalls further progress. Aligning the adoption benefits with organizational change management is a great way to prepare all stakeholders for the impact of identity-related projects and to judge what parts of the business may need to be involved in the planning stage. Using your identity program as an opportunity to build cross-organizational trust and relationships will not only aid in the success of the current program, but prepare the organization for future cybersecurity, workplace productivity and business-led initiatives. These initiatives, like Digital Transformation projects, rely on consistent and correct identity data. Thinking about how these changes will affect the ability to maintain identity hygiene after deployment will reduce the amount of cleanup needed in the future.
Lack of a Detailed Infrastructure Map
Secure access must extend across an ecosystem of applications, workloads, endpoints, mobile devices, cloud environments, and users. As part of preparing to deploy IAM solutions, it is vital that organizations properly map their network and understand the access needs of the roles and user groups they plan to create. Knowing how current processes lead to data and systems being accessed is a necessary component of implementing IAM properly. Any existing problems such as orphaned accounts, missing Active Directory attributes, or deeply nested groups inheriting excessive permissions need to be identified and rooted out.
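One way to surface permissions inherited through deeply nested groups during this mapping exercise, shown as an added example that is not from IDSA or any vendor. The directory data, group names, and the `MAX_DEPTH` review threshold are constructed assumptions; in practice the membership map would come from a directory export.

```python
from collections import deque

# Constructed sample directory (not real data).
# MEMBER_OF maps a user or group to the groups it directly belongs to.
MEMBER_OF = {
    "jsmith": ["helpdesk"],
    "helpdesk": ["it-staff"],
    "it-staff": ["server-ops"],
    "server-ops": ["domain-admins-delegated", "it-staff"],  # loops back to it-staff
    "mlee": ["finance"],
}
# Permissions granted directly to each group (hypothetical names).
GROUP_PERMS = {
    "helpdesk": {"reset-password"},
    "it-staff": {"read-inventory"},
    "server-ops": {"rdp-servers"},
    "domain-admins-delegated": {"modify-gpo"},
    "finance": {"read-ledger"},
}
MAX_DEPTH = 2  # assumed threshold: anything inherited deeper than this gets reviewed


def effective_access(principal):
    """Breadth-first walk of nested memberships.

    Returns {permission: (granting_group, nesting_depth)}, keeping the
    shallowest path to each permission.
    """
    seen, found = {principal}, {}
    queue = deque((g, 1) for g in MEMBER_OF.get(principal, []))
    while queue:
        group, depth = queue.popleft()
        if group in seen:  # already visited: also stops membership cycles
            continue
        seen.add(group)
        for perm in GROUP_PERMS.get(group, ()):
            found.setdefault(perm, (group, depth))
        queue.extend((parent, depth + 1) for parent in MEMBER_OF.get(group, []))
    return found


def deep_inherited(principal, max_depth=MAX_DEPTH):
    """Permissions the principal holds only through nesting deeper than max_depth."""
    return sorted(p for p, (_, d) in effective_access(principal).items() if d > max_depth)


if __name__ == "__main__":
    for user in ("jsmith", "mlee"):
        print(user, deep_inherited(user))
```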
IAM vendors can help with this process. Ask the vendor what problems you are likely to run into given your environment and data. Understanding your organization’s IT landscape and the existing state of identity management will allow you to work with the vendor more effectively to determine what will be needed to manage the IAM solution on an ongoing basis.
No Measure of Success for Your IAM Program
Another key factor for the successful implementation of an IAM strategy is tracking the right success metrics. Exactly what metrics are best will vary depending on the priorities of the organization. For example, a company that is worried about business efficiencies may give more weight to measuring how quickly accounts are onboarded and offboarded. Here is another area where the team of stakeholders that has been assembled can contribute. Knowing how key performance indicators (KPIs) will be used, and by whom, will enable the identity program to achieve its goals more effectively in both the long term and short term.
So, what are some important KPIs to track? Here are a few recommendations from IDSA:
- Time to provision—a measurement of how long it takes to provision new users. The faster users are provisioned, the better.
- Number of orphaned accounts—these accounts represent a dangerous attack vector and should be eliminated. They can be identified by examining the frequency of login activity.
- Amount of access rights for accounts—any user account with a higher than average number of permissions should be subject to additional review.
Having the right KPIs is essential for ongoing management, so the organization knows what is working well and what isn’t. IAM vendors should also be consulted for additional advice to increase effectiveness.
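The three KPIs listed above, computed over a small account inventory. This is an added example, not IDSA's or a vendor's code; the records, field names, and the 90-day inactivity threshold are constructed assumptions standing in for an export from your directory or IGA tool.

```python
from datetime import datetime, timedelta
from statistics import mean, median

# Constructed sample inventory (not real data): one record per account.
NOW = datetime(2024, 6, 1)
INACTIVITY = timedelta(days=90)  # assumed idle threshold; tune to your policy
ACCOUNTS = [
    {"id": "alice", "requested": datetime(2024, 1, 2, 9), "provisioned": datetime(2024, 1, 2, 13),
     "last_login": datetime(2024, 5, 30), "entitlements": 12},
    {"id": "bob", "requested": datetime(2024, 2, 10, 10), "provisioned": datetime(2024, 2, 12, 10),
     "last_login": datetime(2024, 2, 20), "entitlements": 8},
    {"id": "svc-backup", "requested": datetime(2023, 3, 1, 8), "provisioned": datetime(2023, 3, 1, 10),
     "last_login": None, "entitlements": 45},
    {"id": "carol", "requested": datetime(2024, 5, 20, 9), "provisioned": datetime(2024, 5, 21, 9),
     "last_login": None, "entitlements": 5},
    {"id": "dave", "requested": datetime(2024, 4, 1, 9), "provisioned": datetime(2024, 4, 1, 17),
     "last_login": datetime(2024, 5, 28), "entitlements": 30},
]


def time_to_provision_hours(accounts):
    """Median hours between the access request and the account being provisioned."""
    return median((a["provisioned"] - a["requested"]).total_seconds() / 3600 for a in accounts)


def orphan_candidates(accounts, now=NOW, max_idle=INACTIVITY):
    """Accounts with no login inside the idle window.

    An account that has never logged in is judged by its age since
    provisioning, so a freshly created account is not flagged.
    """
    return sorted(a["id"] for a in accounts
                  if now - (a["last_login"] or a["provisioned"]) > max_idle)


def above_average_access(accounts):
    """Accounts holding more entitlements than the population mean."""
    avg = mean(a["entitlements"] for a in accounts)
    return sorted(a["id"] for a in accounts if a["entitlements"] > avg)


def kpi_report(accounts):
    return {"median_hours_to_provision": time_to_provision_hours(accounts),
            "orphan_candidates": orphan_candidates(accounts),
            "above_average_access": above_average_access(accounts)}


if __name__ == "__main__":
    print(kpi_report(ACCOUNTS))
```

Accounts that appear in both the orphan and above-average lists, such as the unused service account in the sample, are the ones to review first.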
Lack of Integration Across Security Technologies
At IDSA, we advocate integrating IAM infrastructure with security technologies to enable real-time, intelligent decisions and interventions about access and authentication. For example, integrating Security Information and Event Monitoring (SIEM) and Identity Governance Provisioning (IGA) lets organizations use security alerts captured by the SIEM to trigger revocation of access rights for the identities associated with the breach.
The right integrations can increase the efficacy of security controls, creating greater value for security investments. The same can be said of their effect on compliance initiatives. Regulations like the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) require the ability to track and audit login activity. By implementing IAM, organizations can advance their compliance program. Before embarking on this journey with a vendor, take the time to consider what integrations may benefit your security and compliance initiatives, and plan on talking to vendors about their APIs and what integrations they support. Pre-packaged best practice guides and accelerators can greatly simplify attainment of your identity outcomes and results.
Walk, Then Run
Build from what you already have — every organization has some collection of identity technology, practices and corporate knowledge. Leverage these as starting points to build the future of your identity program, bringing stakeholders together and tracking/measuring success along the way. With proper planning and incorporating best practices from organizations like the Identity Defined Security Alliance, enterprises can avoid common pitfalls and make sure their identity program meets their organizational needs as they evolve.
About the Author: The Beyond Best Practices Technical Working Group subcommittee was formed in July 2020. The team, led by Paul Lanzi, includes Aubrey Turner, Stephen Bahia, Christopher Hills, Morey Haber, Jesper Johansen, Jerry Chapman, Chris Arnold, and Dan Dagnall.