9 pitfalls to avoid when implementing an IAM solution
Chances are, your organization already has a plan and a collection of solutions for the complex issues surrounding Identity Access Management and Governance (IAM). But the real trick is figuring out how to avoid IAM pitfalls that have challenged even the most talented organizations in the implementation process. Here are the 9 major IAM pitfalls to avoid:
A sure way to fail is to underestimate the need for a cross-functional team that includes people with sufficient knowledge of the business processes and the organization. The implementation of an identity and access management system is not only a project for the IT organization. Major aspects like role concepts, approval structures, GUI expectations or “Chinese Walls” between departments are entirely the responsibility of the business. For a successful IAM implementation, bringing IT and business together in one project organization is mandatory.
With undefined goals, projects are never completed. Project success depends on clearly defined goals and services as well as on a tight framework of planning and controlling. This, in turn, requires close cooperation between experienced staff at the customer site and the IAM vendor. Make sure that all specifications and targets are mutually agreed and understood before the implementation starts; any later change will disproportionately extend the project in time and budget.
Frequently, access rights data has not been maintained for a long period of time, resulting in missing links between accounts and their users, orphaned accounts, spelling mistakes, etc. Simply stated, access data can be a mess. Therefore, IAM projects start with user-ID consolidation. In this process, user accounts are assigned to their owners. As a first benefit, user-ID consolidation quickly uncovers orphaned accounts. Data quality is the key to any satisfactory IAM project.
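The consolidation step described above can be sketched as follows. This is an added example, not code from the article or from any IAM product; the field names, the sample records, the name-matching approach and the 0.85 similarity threshold are all assumptions chosen for illustration.

```python
import difflib
import unicodedata

# Constructed sample data: HR master records and accounts exported from target systems.
HR_RECORDS = [
    {"employee_id": "E1001", "name": "Anna Müller"},
    {"employee_id": "E1002", "name": "John Smith"},
    {"employee_id": "E1003", "name": "Priya Natarajan"},
]
ACCOUNTS = [
    {"system": "AD", "account": "amueller", "employee_id": "E1001", "display_name": "Anna Müller"},
    {"system": "SAP", "account": "JSMITH", "employee_id": None, "display_name": "Jon Smith"},
    {"system": "AD", "account": "pnatarajan", "employee_id": None, "display_name": "Natarajan, Priya"},
    {"system": "Unix", "account": "svc_backup", "employee_id": None, "display_name": "Backup Service"},
    {"system": "SAP", "account": "RJONES", "employee_id": "E0999", "display_name": "Rob Jones"},
]

def normalize(name):
    """Fold case and accents, and sort tokens so 'Last, First' equals 'First Last'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = folded.lower().replace(",", " ").split()
    return " ".join(sorted(tokens))

def consolidate(hr_records, accounts, threshold=0.85):
    """Return (assigned, needs_review, orphans) for the given accounts."""
    by_id = {r["employee_id"]: r for r in hr_records}
    by_name = {normalize(r["name"]): r["employee_id"] for r in hr_records}
    assigned, review, orphans = [], [], []
    for acc in accounts:
        key = (acc["system"], acc["account"])
        if acc["employee_id"] in by_id:          # explicit link that HR still knows
            assigned.append((key, acc["employee_id"]))
            continue
        norm = normalize(acc["display_name"])
        if norm in by_name:                      # exact match after normalization
            assigned.append((key, by_name[norm]))
            continue
        close = difflib.get_close_matches(norm, list(by_name), n=1, cutoff=threshold)
        if close:                                # probable spelling mistake: a human confirms
            review.append((key, by_name[close[0]]))
        else:                                    # no owner found: orphaned account
            orphans.append(key)
    return assigned, review, orphans
```

On the sample data, the misspelled "Jon Smith" account lands in the review queue rather than being linked automatically, and both the service account and the account carrying an employee ID that HR no longer lists come out as orphans.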
Another IAM pitfall you need to avoid is to just go ahead! Be all things to all people! Although your chosen IAM solution should be capable of supporting all your enterprise-wide IT systems and must be scalable enough to process your corporate staff, your project steps must be designed to target achievable goals. By intentionally limiting the scope of the initial phase to a limited number of target systems and users with the standard functionality, results and successes will be delivered faster, and will build momentum toward achieving the full project scope.
Continue to do things manually, and you will continue to have issues with errors from manual or decentralized work. Problems often arise from insufficient coordination between the HR and IT departments. Changes in staff and employment are reported too late or sometimes not at all. This is why, as a first step, the leading HR data source should be connected to the IAM system in an automated way.
Leading IAM vendors provide a flexible toolkit to allow for customization. However, with the experience of many completed projects, the preconfigured standard systems represent the best-of-breed approach. Abandoning standard offerings in order to customize systems to a company’s highly individualized needs should be the exception. The offered standard products represent the vendor’s acquired knowledge of the best solution, and also reduce implementation and maintenance costs to a minimum. Customers should carefully evaluate the vendor’s standardized systems and may instead adapt their own processes, terminology and responsibility structures accordingly.
By not implementing roles, each user has customized access rights. But implementing bundles of access rights is the basis for automation techniques. A role is the collection of single access rights required for a particular function or task in the enterprise. Role-mining tools help when defining roles and optimize them in a continuous process, which significantly reduces administration effort.
But be careful: the introduction of roles requires more than a one-time definition of ‘access right clusters’. Roles are living structures, which need a significant amount of support and maintenance. Roles need an assigned owner, who feels responsible for the role’s accuracy. And finally, roles must be reviewed periodically to adapt to changes in the organization or IT systems. Like the rest of the IAM project, divide your role project into smaller stages, bringing IT and business together.
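To make the role definition above concrete, here is a minimal role-mining sketch. It is an added example, not code from the article or from a role-mining product; the grouping by job function, the 80% share threshold and the sample entitlements are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: (user, job function, set of single access rights).
USER_RIGHTS = [
    ("alice", "accounts_payable", {"erp:invoice_read", "erp:invoice_post", "fs:finance_share"}),
    ("bob", "accounts_payable", {"erp:invoice_read", "erp:invoice_post", "fs:finance_share",
                                 "erp:vendor_admin"}),
    ("carol", "accounts_payable", {"erp:invoice_read", "erp:invoice_post", "fs:finance_share"}),
    ("dave", "helpdesk", {"ad:password_reset", "itsm:ticket_write"}),
    ("erin", "helpdesk", {"ad:password_reset", "itsm:ticket_write", "erp:invoice_post"}),
]

def mine_roles(user_rights, min_share=0.8):
    """Propose one role per job function: the rights held by >= min_share of its users.

    Returns (roles, exceptions); exceptions maps each user to the rights they hold
    outside the proposed role, which the role owner should review.
    """
    members = defaultdict(list)
    for user, function, rights in user_rights:
        members[function].append((user, rights))

    roles, exceptions = {}, {}
    for function, users in members.items():
        # Count how many users of this function hold each right.
        counts = Counter(r for _, rights in users for r in rights)
        role = {r for r, n in counts.items() if n / len(users) >= min_share}
        roles[function] = role
        for user, rights in users:
            extra = rights - role
            if extra:
                exceptions[user] = extra
    return roles, exceptions
```

The exceptions output is where the periodic review starts: rights such as a helpdesk user's ability to post invoices fall outside every proposed role and need an owner's decision.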
But if you do this, you will have lots of data and not know which data point is the most critical. Implementing a risk metric or risk scoring for your entire access rights structure is a time-consuming and resource-intensive project. However, a risk metric is a powerful tool to rank access management objects like users, roles and accounts according to their relevance. Balance the benefits against the time constraints of the implementation by starting with a top-down approach. This way you can draw your attention to mission-critical aspects at a very early stage of your IAM system’s operation and complete the full risk assessment over time.
IAM projects are mainly wanted by auditors and IT managers, so why bother with departmental concerns? Presenting tangible project achievements to your management and generating quick wins with the actual consumers of the IAM system can ensure acceptance in the wider organization. Consider end-user-oriented features at an early project stage. Implement the available pre-configured request workflows or password self-reset features right away. Save customizing the ‘100% solution’ for the project’s end.