By Jeroen Remie. An Identity & Access Management (IAM) project rarely, if ever, starts from a greenfield situation. Every organization already handles access management in one way or another, so as soon as there is a reason to change or innovate, the organization is intervening in an existing situation. That is change management, which immediately makes clear that IAM should not be seen only as an IT project. In fact, the fewest challenges lie in IT: tools and solutions for IAM are now mature, work on the basis of configuration rather than real development work, are built on standards, and there is plenty of choice. Obviously, it is important to select solutions that suit the organization, but it is more important – especially in the preliminary phase – to first gain a good insight into three areas: governance/organization/compliance, processes and information, and technology. By properly mapping these three areas, an organization lays a solid foundation for a successful IAM implementation.
Governance, organization and compliance
Governance/organization/compliance is all about responsibility, ownership and being in control. The central question to answer here is: ‘who can do what?’ In other words: which employees have access to which applications and data? In answering this question, it is essential to define ownership properly. An IAM implementation always involves many stakeholders, and the moment everyone owns governance/organization/compliance, nobody does. That is why it is absolutely necessary to define all responsibilities in detail: which roles exist, and which responsibilities and authorizations are linked to each of them, so that misunderstandings are impossible. That is also the basis for compliance, because only then can you demonstrate that everything has been recorded properly and that the organization complies with the rules.
What can make this point even more difficult is the balance between ease of use and security. From the organization’s point of view, secure data and applications are crucial, but security measures limit the user’s ease of use, with the risk that employees go looking for workarounds. That means all rules must be clear, and the proper way should also be the easy way. It is ultimately about enabling each user.
Processes and information
Processes and information focus on how an organization regulates important topics such as inflow, throughflow and outflow (joiners, movers and leavers). How does the authorization process work, and which exceptions are possible, for example? Here, not only the IT and security departments play an important role, but often HR as well. When it comes to information, it is all about the quality of the data. A process can be 100 percent correct, but if the data associated with it is not correct, the process will have no effect or – even worse – the opposite effect.
Technology
When the issues mentioned above have been fully examined, an organization can start looking for the right technology, based on a product selection with the right requirements, which can then be implemented. There is always the chance of resistance. As noted earlier, an IAM implementation always changes existing processes, and not everyone will be happy with that. Change can mean, for example, that the IT department can no longer just quickly create an account, or that employees can no longer share accounts with each other. That is why it is crucial to look very carefully at all the personal interests from the start. Every employee will have to be convinced of the importance of safe and secure access management.
An IAM project does not stop when the tool is implemented and deployed. IAM requires constant attention: it is about creating a stable environment and keeping it that way for the long term. That is precisely why the right preparation – with an eye for all aspects of change management – is a precondition for a successful and safe deployment of IAM.
Jeroen Remie is a security consultant at Traxion, a provider of Identity Centric Security Services in the Netherlands and Belgium with over 130 highly qualified professionals. Traxion is part of the Swiss IT Security Group.
This article was published at infosecuritymagazine.nl/blogs/goed-change-management-is-cruciaal-bij-elk-iam-project