Five Top Tips To Get Started On Your Identity And Access Management Strategy

By ISBuzz Team, February 17, 2017 (updated July 4, 2024)
Managing user access to systems and data is a critical element of information security and the foundation of protecting data from misuse or theft. As organisations add services such as cloud and mobile, and new regulations such as GDPR come into effect, controlling access whilst improving the user experience becomes complicated. To address this, organisations are looking for more robust Identity and Access Management (IAM) solutions. However, before commencing an IAM programme, it is crucial for an organisation to first understand what it needs to achieve and how an IAM strategy can drive that success.

What is an IAM strategy?

An IAM strategy is the overarching business deliverable for protecting systems and data from misuse, whilst outlining how user access should occur. An IAM strategy is often used as the basis for the successful deployment of an identity and access management solution.

The strategy secures senior management support for plans that clearly articulate and demonstrate the return on investment (ROI) the IAM requirement will deliver. A well-defined and mature IAM strategy demonstrates to the wider organisation, clients and partners how access to systems and data is managed and how they should operate.

IAM solutions provide organisations with significant savings on ongoing operating expenses (OPEX), as processes can be automated and therefore simplified. This reduces the need for interactions with help desks or service desks.

What happens without an IAM strategy?

An IAM project can be one of the most complex and lengthy security projects an organisation undertakes, so it is imperative that a strategy is defined before embarking upon the process. Without a strategy, business requirements and milestones will prove difficult to define and understand, resulting in deployments that fail to deliver altogether or simply miss the benefits the organisation should achieve.

By following a five-step plan, your organisation will have a well-defined strategy and a clear understanding of timelines and ultimate outcomes. You will also remove the potential for catastrophic failures and keep disruption to the business to a minimum.

Five steps to get started

Step One: Engage key stakeholders

Identifying and engaging the key stakeholders within the organisation via a face-to-face workshop will allow the discussion, agreement and capture of business drivers, desired outcomes and success criteria for the IAM solution.

Typically, the stakeholders involved would have knowledge or be part of the following business functions:

  • CISO
  • CTO/Head of security architecture
  • Business unit heads
  • HR
  • IT operations
  • Legal
  • Audit/compliance

Engaging a larger audience of key stakeholders at this initial stage will ensure all requirements are documented and agreed, and will capture the success criteria that are vital to the overall strategy. At this point, it is crucial to consider the need for specific identity and access requirements, such as two-factor authentication (2FA) and remote access. For additional protection of sensitive systems, Role-Based Access Control (RBAC) gives users access to the systems and data specific to their own role, rather than access copied from a colleague, who may in turn have inherited it from a previous role.

Step Two: Assess current position – Gap analysis

The second step should be to carry out a thorough gap analysis of the business's current position in relation to joiners, movers and leavers, and how this aligns with the IAM strategy. It is important to understand what controls exist, how effective they are, and how they assist with building the wider strategy.

The output of this analysis is compared and mapped against the business requirements and desired outcomes captured in Step One to determine any amendments required.

Step Three: Determine your data source (Identity)

Any IAM deployment relies heavily on knowing who should and should not have access to the systems and data. Often there are multiple data sources describing users, maintained by different functions from HR to IT.

Identity and Access Management will only be as effective as the data sources it takes its information from, so identifying and evaluating every source is key. It is also good practice to review the identity data contained in the identified source(s) to ensure it is accurate and up to date. Reducing the number of data sources simplifies the end-to-end process for user management, and it is recommended that organisations aim for a single data source as part of their overall IAM strategy.

Step Four: Agree policy, process and workflows

For an IAM solution to be effective and provide the desired protection without causing user frustration, policies, processes and associated workflows must be in place. If an organisation already has processes relating to the management of identity and access, such as joiners/movers/leavers, these should be reviewed and updated to reflect the incoming changes; where they do not exist, they should be defined.

When deploying a full IAM solution, new business processes and workflows will become part of business-as-usual activities and will impact many of the existing controls. For example, the joiners, movers and leavers process will require review and updating to include the new solution.

Step Five: Plan and roadmap

The final step is to build the roadmap, including a project plan for the delivery stages. It must also provide for regular updates to the executive team and key stakeholders, to maintain visibility and avoid surprises.

Defining clear stages of delivery allows an organisation to break the project down into smaller phased deployments, which reduces the risk of an IAM project failing or hitting problems whilst also delivering a number of quick wins, such as common authentication. This step must also ensure that the roadmap and project plan align with the policies, processes, workflows and, most importantly, the technology capabilities available at the time of deployment.

It is also during this step that vendor evaluation and assessment should be carried out. This process should take into consideration all the outputs and requirements from the previous steps and, most importantly, confirm that the chosen vendor can deliver them.

Finally, if the organisation does not have the resources required to manage and/or deliver the project, engaging a third-party consultancy is a very effective way of ensuring the correct individuals and skillsets are involved from the start, and it removes the need to source, manage and train new employees.
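The joiners/movers/leavers gap analysis of Step Two and the multiple-identity-source problem of Step Three can be made concrete with a reconciliation script. The following is an added example, not code from the article or from either company named below: it treats a constructed HR feed as the authoritative identity source, compares it with a constructed IT directory export, and flags leavers still enabled, accounts with no backing identity, joiners not yet provisioned, and RBAC drift against the role model agreed in Step One. All names, roles and groups are invented for illustration.

```python
# Constructed HR feed: employee_id -> record. HR is the single source of truth here (assumption).
HR = {
    "E001": {"name": "Ada", "status": "active", "role": "finance_analyst"},
    "E002": {"name": "Bob", "status": "left",   "role": "engineer"},
    "E003": {"name": "Cy",  "status": "active", "role": "engineer"},    # moved from finance
    "E004": {"name": "Dee", "status": "active", "role": "hr_partner"},  # joiner, no account yet
}

# Constructed IT directory export: username -> record.
DIRECTORY = {
    "ada":   {"employee_id": "E001", "enabled": True, "groups": {"finance-ro"}},
    "bob":   {"employee_id": "E002", "enabled": True, "groups": {"vpn", "git-dev"}},
    "cy":    {"employee_id": "E003", "enabled": True, "groups": {"vpn", "git-dev", "finance-ro"}},
    "svc01": {"employee_id": None,   "enabled": True, "groups": {"vpn"}},
}

# Constructed RBAC model (Step One): the groups each role is permitted to hold.
ROLE_GROUPS = {
    "finance_analyst": {"finance-ro"},
    "engineer": {"vpn", "git-dev"},
    "hr_partner": {"hr-app"},
}


def gap_analysis(hr, directory, role_groups):
    """Reconcile the directory against HR and return the JML findings a reviewer needs."""
    findings = {"leavers_enabled": [], "orphan_accounts": [],
                "joiners_missing": [], "rbac_drift": {}}
    seen_employees = set()
    for user, acct in directory.items():
        emp = hr.get(acct["employee_id"])
        if emp is None:
            findings["orphan_accounts"].append(user)  # no authoritative identity backs this account
            continue
        seen_employees.add(acct["employee_id"])
        if emp["status"] == "left" and acct["enabled"]:
            findings["leavers_enabled"].append(user)  # leaver process did not disable the account
        excess = acct["groups"] - role_groups.get(emp["role"], set())
        if excess:
            findings["rbac_drift"][user] = sorted(excess)  # rights carried over from a former role
    for emp_id, emp in hr.items():
        if emp["status"] == "active" and emp_id not in seen_employees:
            findings["joiners_missing"].append(emp_id)  # active employee with no account provisioned
    return findings


if __name__ == "__main__":
    for key, value in gap_analysis(HR, DIRECTORY, ROLE_GROUPS).items():
        print(f"{key}: {value}")
```

Each finding maps to a process the strategy must own: disabling leavers, removing accounts without an identity owner, provisioning joiners, and re-certifying movers' group membership against their current role.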

For more information on Rivington Information Security, click here.

To find out about Ilex International's range of Identity and Access Management solutions, or to speak to one of our experts, click here.
