A summary of Stefan Bosnjakovic’s presentation
Identity and Access Management Architect
IDM Frankfurt 2019
1. The reality of IDM projects hits home: “Works with …” won’t help you
No company is doing an IAM project deliberately… the predominant driver is regulatory pressure.
• Over 70% of all IAM projects worldwide end up in status failed or incomplete–the predominant reasons are wrong expectations, false promises and lack of experience
• Regulatory requirements focus on companies’ ability to prove that they are able to enforce governance on assigning entitlements to their business applications to employees
• Show sufficient depth of segregation of duties on business process level (i.e. not only segregation of business from IT and front office from back office)
• Cover the entire entitlement set with SoD rule
Consequently, companies try to minimise their efforts to become compliant and look for easy solutions and quick wins–still it is neither easy nor quick, claiming anything else is a lie!
IAM vendors try to sell licenses not solutions. Project managers try to close projects but usually have no intentions to provide value-adds. Large consulting companies try to sell manpower instead of getting things done efficiently.
2. The stumbling blocks-connector issues
Most companies do not run their own IT. Tight budgets and shareholder value pressure forced them to outsource as much as possible and focus on their “core competencies”.
Consequently, companies do not have full control over or even access to their IT assets.
IAM vendor praises their native IAM connectors … well great, but in an outsourced environment the client is NOT talking to an AD-PDC directly but much rather to some strange provider supplied management tool/interface. Anybody familiar with tools like DAW? Such tools are built for human operators not for IAM connectors.
So, your great native IAM connector is rendered useless, as it will never be allowed to talk to any PDC. The only thing you can do is to render a bunch of CSV/XLS-files based on some supplied templates to upload your JML-requests.
You think you can read AD with standard LDAP tools? Nice try … your service provider probably sticks to the MS-supplied default settings and limit query result sets to 1000 records. Your company has more than 1000 employees? Too bad … you need to do some PowerShell programming …and -whoops –there’s your custom connector …
3. Project managers-avoid the easy route!
Project managers want to finish the project assigned to them, they do not aim to provide any value-add per-se to the enterprise.
As such they try to go for as many low-hanging fruits, quick wins and shortcuts as possible.
In IAM there is one overarching rule:
DON’T GO THE EASY WAY! –Build your framework from ground up.
IAM is hard –in case you try to make things easier, you will break it.
Each and every shortcut and quick win will backfire sooner or later. But chances are that your IAM project will have a new project manager assigned to it before that happens …
4. The management-buy in is essential to project success
Management wants the audit findings to go away … not more, not less …
They don’t really want to get involved into the project
Problem #1 …
When an IAM project is not supported by top management –walk away.
As management wants to get rid of the issue, the usually assign it either to IT or business (any of these departments)
Problem #2 …
When you assign an IAM project to IT, they’ll stop as soon as provisioning works, since that’s good enough for them. When you assign it to Business, they will neglect provisioning, as it seems worthless to them and will start to build the house at the first floor.
An IAM project is both –an IT project to start with and a business project to finish it off. Best assign it to CISO/Governance to do it right.
IAM is NOT easy! It takes careful planning and involves Business, IT and CISO
An IAM project usually takes at minimum three years–ignore that and your project will fail Hoping to get anything reasonable done in less than two years is an illusion. In case someone asks you to do it in six months (happened to me several times) –just walkaway
Keep focused on your goal–which is usually the regulators demands. Your most valuable deliverables are DAILY up-to-date SoD-reports and accurate audit-trails of ALL authorizations and provisioning activities.