By Gabriel Wilson; Managing Consultant, Rivington Information Security, written in conjunction with Identity and Access Management specialists Ilex International
Managing user access to systems and data is vital to protection from misuse or theft. As organisations add new services such as cloud and mobile, and new regulations such as GDPR come into effect, controlling access whilst improving the user experience becomes increasingly complicated. As such, organisations are looking for more rigorous Identity and Access Management (IAM) solutions. However, prior to beginning an IAM programme, organisations must first understand what they need to achieve and how an IAM strategy can bring about change and success.
What is an IAM strategy?
An IAM strategy is often used as the basis for the successful deployment of an identity and access management solution. The strategy secures senior management support for plans that clearly articulate and demonstrate the return on investment (ROI) the IAM requirement will deliver.
A well-defined and mature IAM strategy demonstrates to the wider organisation, clients and partners how access to systems and data is managed and how they should operate.
What would happen without an IAM strategy?
Without a strategy, business requirements and milestones are difficult to define and understand; deployment attempts then either fail to deliver altogether or miss the benefits the organisation should achieve.
By following a five-step plan, your organisation will have a well-defined strategy and a clear understanding of timelines and ultimate outcomes.
Five steps to get started
1. Engage key stakeholders to determine in-scope systems
Identifying and engaging the key stakeholders within the organisation via a face-to-face workshop will allow the discussion, agreement and capture of business drivers, desired outcomes and success criteria for the IAM solution.
Typically, the stakeholders involved would have knowledge of, or be part of, the following business functions:
- CTO/Head of security architecture
- Business unit heads
- IT operations
2. Assess current position – Gap analysis
The second step should be to carry out a thorough gap analysis of the business's current position in relation to joiners, movers and leavers and how this aligns to the IAM strategy.
It's important to understand what controls exist, how effective they are, and how they assist with building the wider strategy. This will also help identify the data sources needed for step three.
3. Determine your data source
Any IAM deployment relies heavily on knowing who should and should not have access to the systems and data. Often there are multiple data sources maintained that outline users, from HR to IT.
Identity and access management will only be as effective as the data sources it takes its information from, so ensuring that all sources are identified and evaluated is key. It is also good practice to review the identity data held in the identified source(s) to ensure it is accurate and up to date.
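The joiner/mover/leaver gap analysis in step two and the data-source accuracy review in step three can be scripted. The following Python example is added here and is not code from the article or from Rivington or Ilex; it reconciles a constructed HR feed against a constructed directory export and reports the discrepancies an IAM review would want surfaced. The record formats, field names and sample values are assumptions.

```python
from collections import namedtuple
from datetime import date

# Hypothetical record shapes (assumed, not from the article): an HR feed that
# is authoritative for joiners/movers/leavers, and a directory export of what
# IT enforces. leave_date None = still employed; employee_id None = no HR link.
HrRecord = namedtuple("HrRecord", "employee_id department leave_date")
DirectoryAccount = namedtuple("DirectoryAccount",
                              "username employee_id department enabled")

def reconcile(hr, accounts, today):
    """Cross-check the directory against HR; return sorted JML findings."""
    hr_by_id = {r.employee_id: r for r in hr}
    findings = {
        "leaver_still_enabled": [],  # HR says left, account still active
        "orphaned_account": [],      # enabled account with no HR owner
        "stale_department": [],      # mover: directory lags the HR move
        "missing_account": [],       # current employee with no account
    }
    linked = set()
    for acct in accounts:
        owner = hr_by_id.get(acct.employee_id) if acct.employee_id else None
        if owner is None:
            if acct.enabled:
                findings["orphaned_account"].append(acct.username)
            continue
        linked.add(owner.employee_id)
        has_left = owner.leave_date is not None and owner.leave_date <= today
        if has_left and acct.enabled:
            findings["leaver_still_enabled"].append(acct.username)
        elif not has_left and acct.department != owner.department:
            findings["stale_department"].append(acct.username)
    for rec in hr:
        still_employed = rec.leave_date is None or rec.leave_date > today
        if still_employed and rec.employee_id not in linked:
            findings["missing_account"].append(rec.employee_id)
    return {k: sorted(v) for k, v in findings.items()}

# Constructed sample data, not from any real organisation.
AS_OF = date(2024, 6, 1)  # constructed review date
SAMPLE_HR = [
    HrRecord("E100", "Finance", None),
    HrRecord("E101", "Sales", date(2024, 1, 15)),  # leaver
    HrRecord("E102", "IT", None),                  # moved Finance -> IT
    HrRecord("E103", "HR", None),                  # joiner, no account yet
]
SAMPLE_ACCOUNTS = [
    DirectoryAccount("awilson", "E100", "Finance", True),
    DirectoryAccount("bjones", "E101", "Sales", True),
    DirectoryAccount("cpatel", "E102", "Finance", True),
    DirectoryAccount("svc_backup", None, "IT", True),
]
```

Running `reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, AS_OF)` flags the leaver whose account is still enabled, the orphaned service account, the mover whose directory department is stale, and the joiner with no account yet.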
4. Agree policy, process and workflows
For an IAM solution to be effective and provide the desired protection without causing user frustration, policies, processes and associated workflows must be in place. If an organisation already has processes relating to the management of identity and access, such as joiners/movers/leavers, these should be reviewed and updated to reflect the incoming changes; where they do not exist, they should be defined.
5. Plan and roadmap
The final step is to build the roadmap, including the project plan for the delivery stages. It must allow for regular updates to the executive team and key stakeholders to maintain visibility and avoid surprises.
Defining clear stages of delivery will allow an organisation to break the project down into a smaller phased deployment which will reduce the risk of an IAM project failing or hitting problems, whilst also delivering a number of quick wins, such as common authentication.
Finally, if the organisation does not have the resources to manage and/or deliver the project, engaging a third-party consultancy is a very effective way of ensuring the right individuals and skillsets are involved from the start, and it removes the need to source, manage and train new employees.
To read the full paper, click here.