How to implement Identity & Access Management for a large Enterprise?
Identity Access Management (IAM) is defined by Gartner as “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons”
The definition looks simple, but the implementation is not!
Contrary to the popular belief, IAM is not mere technology implementation, but rather a business-focused enterprise-wide strategic set-up. Hence, like any other Cybersecurity transformation, IAM implementation needs a clear strategy aligned to the Organization’s strategic priorities as well as long term view. It is important to remember that IAM impacts every employee (internal user of IT applications), contractors, and in some cases customers in case they access your IT systems. Hence, the user experience should be the centre of IAM implementation. Million-dollar technology investments will go down the drain if the users are not happy due to usability issues.
Board-level support: It is imperative to have an executive sponsor for your IAM implementation as the board level support will be required to roll out enterprise-wide IAM. The Cybersecurity teams implementing IAM act as enablers sitting in the driver’s seat. The business functions need to be active adopters of IAM. But, the Cybersecurity teams have very less influence on the business functions. It is the board level prioritisation that will push the business functions in adopting various security controls implemented by the Cybersecurity teams. Hence, without the board-level executive support, it is almost impossible for the Cybersecurity teams to implement IAM across the enterprise.
Support from Business lines: IAM implementation can’t be done in silos. It is very much a cross-functional transformation needing active involvement and support from the Business lines across the enterprise. Business lines across the organization should get convinced that IAM implementation will be a key business enabler. Each of the Business lines should agree to support as well as implement business side functionalities in support of IAM implementation. Each of the business lines has its priorities and book of work every year. The needed support has to be on the business lines’ book of work. Else, the IAM implementation will be a failure as Cybersecurity teams will not get the required support from the business lines.
Tool Selection: The market has tons of tools you can consider for your IAM needs. Key considerations in tool selection are:
Technology Strategy: Are your Technology assets on-premise, Cloud or Hybrid? What is the long term technology roadmap?
Legacy: Does your organization have legacy technologies? If so, what are they?
Integration capability: Does the tool being procured have integration capability with critical IT assets? Are all connectors free or do you have to pay per connector?
Custom build: Do you want to custom build or want to purchase off the shelf product. Have a long term view on this.
Cost of ownership: Consider the cost involved in maintaining and supporting year after year.
Resource availability: Is the tool so new that the market doesn’t enough people with knowledge?
Governance: IAM implementation is a large-scale programme. In many cases, it takes years to get to a stable state. Hence, defining governance structure is very important. Especially if you have multiple vendors or a mix of teams, defining roles and responsibilities is key to success.
Operationalization: Begin implementation with the end in the mind! Tool implementation is only one aspect. Operationalization is not easy when it comes to IAM implementation due to multiple impacts across business lines.
Conclusion: IAM implementation is a strategic decision irrespective of the initial scale in scope. Have a big picture view in mind when commencing the implementation. The implementation should not be done hurriedly. The IAM rollout is a multi-year enterprise-wide transformation. It requires disciplined programme/project management for the delivery of the intended benefits.