The importance of IAM
IAM – identity and access management- is the information technology security framework of policies and technologies that ensures the right users (whether employees, customers, partners, or otherwise) have the right level of access to the technology resources they need, including applications, servers, and data. It’s not something that companies have, but rather what they do. Managing the lifecycle of your users’ identities, governing their access, and properly monitoring the use of identities and their credentials through identity analytics is what comprise IAM. IAM also ensures proper controls are in place around the ability of users to interact with critical systems for which they require what’s called “privileged” access.
Avoid the biggest IAM mistake you can make
Simeio’s research indicates that most companies lack comprehensive identity and access management governance when implementing identity and access management program. This gap stems from a lack of strategic vision when it comes to IAM. Additionally, the inevitable siloes that arise between the systems and owners of identities, the IT systems they need to connect to the organization, and the business owners of the applications most necessary to do their jobs also make it challenging to implement a transparent governance process. But if I could name only one mistake that most companies make when rolling out IAM, it would be the lack of support, visibility, and sponsorship from the company’s executive leadership team: everyone—CEO, CFO, COO, Etc., and not just the CISO or CIO—needs to share the same strategic vision around IAM, and they all need to drive it within the organization for it to be successful.
And then avoid the top 10 other common IAM mistakes!
- No IAM governance: a lack of a comprehensive strategy, roadmap, and policies.
- No executive leadership team “buy-in” or guidance
- Lack of skilled resources: IAM engineers, architects, and managers
- Poor or partial IAM implementations that make you complacent (thus vulnerable)
- Multiple unreconciled sources of identity authority (i.e., identities are distributed and duplicated throughout numerous systems of record)
- Political infighting over data and application ownership/responsibility
- Lack of institutional change management processes
- Intuitional “analysis paralysis” results in a distaste for reducing complexity and fear of automation because “manually is the way we’ve always done it.”
- Uncleaned data lifted and shifted into new IAM systems.
- Unrealistic IAM roll-out approaches don’t work for your sponsors and users.
Is your IAM strategy working for you?
The first step in fixing any IAM problem is to understand it. It’s easy to tell if your IAM strategy isn’t working – ask your users, be they employees, customers, or partners. They’d be happy to tell you all the IAM issues that impact the everyday experience of interacting with your IT systems, applications, and services. I would recommend a comprehensive IAM assessment: it will diagnose what you’re doing well, where you need to improve, and what you need to do in the future to achieve the IAM maturity necessary to protect yourself from the potential for breaches and ransomware so prevalent today.
For one client, we identified redundant IAM tools (some of which were still shelf-ware) that could be decommissioned, which enabled a 20% yearly saving in license costs. For another, we identified and implemented unified IAM KPIs that enabled the CISO to demonstrate the success of IAM, gain additional funding for resources, and keep their company’s name out of the newspaper. For all clients, we provide specific recommendations to close their existing IAM gaps in the form of actionable project charters detailing the steps they need to execute to attain the next level of IAM maturity. The cost of a failed IAM strategy can be in the millions of dollars, whereas the cost of a Simeio IAM assessment strategy will be very reasonable.
– Dr. James Quick, Director, Solutions Advisory, Simeio