Q&A: Best Practices for Enterprise-Scale Identity and Access Management Systems
What is IAM and how can you make an IAM project a success?
Identity and access management (IAM) is at the core of controlling who has access to applications and data. What does IAM encompass and how can ensure a successful implementation and ongoing value? For answers, we turned to Idan Shoham, founder and chief technology officer of Hitachi ID Systems.
Enterprise Strategies: What is identity and access management?
Idan Shoham: IAM is the glue between users and applications. In very broad terms, it is the set of processes and technologies that tell applications who users are and what they are allowed to access. It includes account and entitlement administration, authentication factor management, single sign-on, and access control.
Organizations with many systems and applications face complexity, both in managing the access of many users to many applications and in enforcing runtime authentication and authorization policies. IAM systems help by strengthening security, lowering IT support costs, and improving the user experience, both at request time and runtime.
Is IAM a project or a program?
Fundamentally, it's a mistake to think of IAM systems as one-off projects. Instead, an IAM system should be a long-term initiative, with permanent staff who continuously add or refresh integrations and optimize processes. In other words, IAM is a program.
Within the IAM program, there should be a series of discrete projects, each with valuable deliverables. Here is a sample sequence:
- Self-service password reset
- Automate employee deactivation from HR feed on key applications
- Automate new-hire employee sign-up
- Create portal for users to update contact information and request new application logins
- Expand service to hundreds of small applications, with "implementer" workflows
- Automate access certification
- Delegate change management for contractor access
- Add segregation-of-duties enforcement
- Upgrade IAM software stack
This example sequence could span two years and will prompt the business to ask for more. This is a large investment, but it should provide new functionality (deliverables) every three to four months.
Keep in mind that IAM programs impact many stakeholders, including business users, managers, auditors, compliance officers, security officers, IT support, and desktop support. There will inevitably be disagreement about priorities, products, architecture, and other variables. A strong executive sponsor is needed to make decisions, minimize risk, and keep things moving.
You mentioned adding or refreshing integrations. How many integrations make sense?
In a typical enterprise, there are a few large systems (Active Directory, RAC/F, and SAP R/3, for example) but also hundreds of small, departmental applications.
It makes sense to automate management of the large systems by eliminating manual administration. For smaller applications, the cost-benefit of automation is dubious; for example, five days of integration work to automate the creation of 10 IDs per year does not make good business sense.
Meeting in the middle is best. Identify the major systems that merit automation and integrate those. At the same time, manage requests and approvals for other systems, but delegate fulfillment to human administrators.
What's the key to high user adoption?
IAM is all about managing records about -- and access by -- people, so it's no surprise that usability is key. Ensure that user-facing components are available when needed and easy to use.
For example, self-service password reset should be accessed from login screens (including the PC login page, even when a user is mobile) and should be very simple to operate. The same is true of forms for setting up contractors, updating contact information, scheduling terminations, and other routine activities.
A return on investment in IAM is typically accomplished by lowering IT support costs, mostly head count. This is the result of successful automation and self-service. The latter depends on user adoption, so usability and motivating users to switch from manual to online processes are directly linked to ROI.
What metrics can be used to evaluate the success of an IAM system?
Long-term IT initiatives are periodically reviewed to see if the investment is paying off. It is important to identify metrics – initial values, ongoing results, and targets. Metrics to measure progress from the baseline to a desirable end-state should be advertised so stakeholders understand the value of the system and continue to invest in it.
There are a many appropriate IAM metrics, including:
- Days or hours to set up access for a new employee or contractor
- Number of security administration full-time employees
- Monthly help-desk calls relating to passwords or lockouts
- Number of accounts on major applications compared to organizational head count
- Time needed to deactivate access upon employee or contractor termination or departure
- Number of users or accounts provisioned or deactivated monthly
Are management strategies the same for all users?
IAM is concerned with automating the IT response to user life cycle events, including setup and deactivation of users. Different user communities go through different processes, and this should be modeled in the IAM system. For example, students, faculty, staff, and alumni in higher education or employees and contractors in corporations have distinct requirements.
Plan on business-process re-engineering for each community to find opportunities for automation and self-service in the IAM system.
Can IAM run as a service?
Increasingly, organizations are moving applications out of their data centers and to the cloud, typically to software-as-a-service (SaaS).
This may mean that you have an on-premise IAM system managing access to SaaS applications or a SaaS IAM implementation managing access to both on-premise and SaaS applications. The former is routine: just more connectors in a conventional IAM system. The latter is bleeding edge: the IAM vendor would have to offer both systems-integrator bench strength and a robust hosting capability
There are no major vendors today with both of these competencies but this may well be the next big trend in the IAM market
Should IT consider integrating best-of-breed components or choose an integrated suite?
Vendors that sell many different IAM products will argue that organizations should prefer their systems because they are "well integrated."
In reality, integration with an organization's existing applications is more important (and may be harder to get right) than integration between various IAM modules. The various components of an IAM system generally don't need to talk to one another directly, instead sharing a common LDAP directory. Everything works well with LDAP. Moreover, vendors such as Oracle, CA, IBM, and others have made many acquisitions and are still working on integrating their various acquired technologies into more coherent solutions.
In short, choose the right product for your business problem and worry more about integration with your application portfolio than across IAM components.