Saurabh Kaushik,Sr Manager Information Security, Lupin Pharma, talks to CISO Platform on the biggest drivers and barriers of IAM adoption and the top challenges a CISO/organization can face while adopting IAM.
How important is IAM? Why should organizations adopt it?
Identity and Access Management is an integrated set of processes, policies and technologies to simplify and improve user account management,reduce administrative costs, strengthen security, protect confidential information from unauthorized users and make businesses more agile to the changing needs.
Which kind of organizations should adopt IAM and who can give it a miss?
Organizations across industry verticals shall adopt IAM as it has become the need of the hour. These include banks, manufacturers, ITES, telecommunication companies, government etc. Ideally, organizations with more than 1000 users and having a heterogeneous IT landscape can adopt IAM. Requirements can vary from organization to organization. For each organization the IAM solution should be tailored to meet the specific requirements and at the same time be robust and scalable to cater to future needs.
(Read more: 5 Lessons from the LinkedIn Breach)
What are the biggest drivers for adopting IAM?
- Centralized enforcement of enterprise security policies
- Strong authentication for critical assets
- Policy driven access to corporate resources
- Quick revocation of accounts belonging to leavers
- Automated provisioning, de-provisioning of accounts
- Reduced administration costs / Improved SLA’s
- Reduce help desk calls for password resets
- Standardized authentication, authorization framework
- Compliance to regulatory requirements
- Centralized reporting
- Strong Access Governance
- Improved user experience ( i.e Single Sign on to various Corporate Applications )
- Secure collaboration with partners
- Management of post M&A integration / Organizational Restructuring
Which are the biggest barriers?
Some of the barriers faced by organizations are:
- Cost -Cost can be a major barrier for many organizations with shrinking IT budgets.
- Complexity- IAM initiatives can be perceived as a complex exercise as it involves integrations with different enterprise applications and involves good amount of coordination between different business groups or departments. Sometimes existing processes may not be well understood or even documented. Organizations can feel the whole exercise of migrating from existing processes to new ones is a complex and daunting task. Even though complexities exist, with proper planning and IAM domain experience organizations can successfully implement IAM projects.
- Undervaluing benefits of IAM -Some organizations may not perceive an IAM implementation to be beneficial or a good case for ROI. IAM should not be looked only from the security perspective. IAM can reduce administrative costs significantly and enable the organization to comply with regulations in a cost effective manner.
Some of the potential challenges that organizations can face in the adoption of IAM are:
- Managing change -IAM brings in changes to existing processes and procedures. Though these changes are for the better organizations may face resistance internally in accepting changes. This makes it important that IAM initiatives have the backing of top management.
- Managing expectations -Before embarking on an IAM implementation the goals and objectives of an IAM project should be laid down and agreed upon by all key stakeholders.
- IAM product capability - The IAM solution may not be able to address some of the requirements due to limitations in the features its supports or lack of flexibility to customize. While selecting IAM products, due consideration should be given to the capability of products to meet the organization's immediate and future needs. For example, if one of the requirements is to have complex workflows, while evaluating an identity management product adequate consideration should be given in selecting one that features flexible and customizable workflow engine.
- Preliminary work - In most cases, preliminary work may be required before an IAM implementation project can start. Data cleansing can be one such activity. If an organization doesn’t do the initial ground work to identify any preparation work involved, the project effort estimation will not be accurate and can lead to schedule and budget overruns.
- Incomplete requirement - If requirements are not properly gathered and analyzed, the IAM projects may fail to meet the business objectives.
- Big bang approach - Trying to do everything in one go doesn’t work. IAM projects should be rolled out in phases.
- Lack of effective project management -IAM projects can be complex in nature. Without a proper focus on project management, IAM projects can be delayed and run into cost overruns.
- Lack of Skilled Implementation Consultants- IAM project implementations should be carried out by consultants with right business and technical skills. Projects which lack skilled resources may fail in capturing correct requirements, designing an effective solution and completing the project on time
- Scope Creep - Requirement changes in the middle of the project execution can lead to scope creep. Strong change management processes should be in place.
What are the top few steps during the implementation of a IAM project?
The high level steps involved in a mid to large scale IAM implementation are:
- Assessment of the current environment and defining a roadmap -This involves documenting the existing infrastructure, security policies and user management processes. This step should identify and pin point business needs and state project objectives and goals. Based on the business needs and the gaps in the current infrastructure a target state for IAM is developed. A roadmap for implementation is created keeping in mind the immediate and long term priorities for the organization.
- Evaluation of IAM Products.
- Requirements Analysis - All functional and non-functional use cases are captured and documented.
- Design and Architecture of the IAM solution - The IAM solution should be designed such that it is scalable and fault tolerant.
- Build and Configurations - This step involves the actual deployment of the IAM product(s). In most mid-large scale implementations, customizations are necessary to meet some of the use cases. Customizations may include modifying look and feel of the user interface, developing custom connectors where OOB connectors are not available or developing custom workflows.
- Go-live -A successful roll out of the IAM system requires detailed planning.
- Operations - Once the IAM infrastructure is live it has to be administered and maintained like any other IT system. The operations can be handled by a dedicated internal team or it can be outsourced to a third party vendor in an onsite-offsite hybrid managed services model
(Read more: Tips for Vendor Management)
What are the top mistakes organizations make during selection of a IAM vendor?
Organizations should spend a fair amount of time and effort in identifying IAM vendor(s) and selecting the right products.
- Selecting relatively unknown and new vendors, as they provide significant cost advantage, can have risks associated with it. It is advisable to refer to reports from leading analyst firms like Gartner in identifying potential vendors. In the latest Gartner's Magic Quadrant report, products from vendors like Oracle, IBM, CA, Novell and Courion have made it to the leader's quadrant.
- Vendors without a strong Product Support team. Vendor support is essential during implementation as well as once the IAM infrastructure is operational to ensure timely release of patches and troubleshooting product issues.
- Vendors that lack innovation. Some vendors may offer very little product upgrades in terms of adding new functionalities, improving user interface or support for newer devices like smart phones.
- The TCO of products from certain vendors can be high.
ROI parameters for justifying an IAM solution?
Some of the metrics to measure ROI after deploying an IAM solution:
- Reduced time to provision and de-provision user accounts of employees and contractors across all managed systems and business applications.
- Increased productivity of new users with faster, efficient and automated user provisioning
- Reduced volume of help desk calls for password resets
- Reduced time in remediation of user access violations
- Reduced license costs by elimination of orphan accounts in applications
- Reduced time in user access certification processes through adoption of enterprise roles.
(Read more: Technology/Solution Guide for Single Sign-On)
Who are the stakeholders? What roles are they expected to play?
Following are the key stakeholders in an IAM engagement:
- Information Technology – In most organizations IT drives IAM engagements and as such has the most important role to play. IT leads discussion with business application owners to define new processes. IT will manage and oversee the project execution and the work done by the vendor. IT owns the deployed IAM infrastructure and will be responsible for maintaining it.
- IT Security – IS will lay out the policies for access management, passwords and security controls and will work closely with IT Operations to ensure the deployed IAM infrastructure adheres to the information security objectives of the organization.
- Human Resources – Human resources act as the authorized source for employees and other types of users where applicable. Ideally, an IAM system should receive user feed from an HRMS system. HR provides job function, location, department and other details of employees which are used by an IAM system to determine access level of the user. HR is also the authoritative source for IAM to determine whether a user has left the organization and so that access to resources can be revoked or disabled .
- Business Groups – Business groups / departments own the functional aspects of enterprise applications like ERPs, CRMs etc. These applications are managed by IAM. Business groups / departments are key stakeholders in defining user management processes and enterprise roles.
More: Want to become a speaker and address the security community? Click here