Foundations of Identity Success – Eight Strategy and Roadmap Elements
Since 2013, Integral Partners has helped organizations maximize internal resources, enforce policy, simplify compliance, secure funding, deploy technology and execute strategies for effective investment in identity governance and administration (IGA), access enforcement and privileged account management (PAM).
Integral Partners experience reinforces the undeniable truth: companies which invest and execute an identity maturity assessment and strategy before purchasing IAM technology significantly reduce overall costs and generate greater value out of existing tools and new investments.
Here are eight areas of a strategic identity assessment and roadmap all businesses should document to plan, define, prioritize, evaluate and execute a successful IGA program.
Over the past four years, identity governance and administration (IGA) has transitioned from being championed by operations and compliance to being funded as a foundational cyber security pillar and mandatory IT investment. Unlike other security tools, IGA has significant business interaction and impacts all technology users in an organization.
IGA projects must be consistently socialized and engaged outside IT to secure program adoption and support. As an enabling technology, identity must be sensitive to user experience and operational workflow to deliver the efficiencies needed for a successful program.
Understanding IGA shortcomings from the user’s perspective then aligning improvement with business priorities for self-service, simplified attestation/re-certification or streamlined process creates long term engagement and support.
For governance, establishing a cross departmental governance committee is necessary to develop broader organizational understanding of identity’s role as an enabler and policy enforcer. An active governance committee should be part of every organization’s commitment to security and compliance. Governance committees generally meet monthly (at minimum once a quarter) and include leadership representation from:
- IT – Architecture
- IT Executive – CIO/CTO
- IT Security – CISO
Identity affects each knowledge worker every day with how efficiently and accurately they can access the technology tools needed to perform their job. Having the right business context to how users request and are granted access, and the permissions they are given, should be documented and shared across lines of business to engage stakeholders and secure executive sponsorship.
Challenges users face with access related tasks can be a significant source of frustration and lost productivity. Leadership is often unaware of access related issues and therefore unaware of opportunities to reduce frustration and improve overall productivity by addressing access shortcomings.
Here are three important business contexts to guide your IGA program:
- Stakeholder expectations, communication and involvement with full awareness of current IAM challenges impacting user experience
- Identity alignment with key enabling business initiatives (cloud adoption, customer engagement, HRIS/Service Desk/ERP upgrades…)
- Addressing organizational challenges – legacy applications, regulation, culture, change management, global workforce distribution
Too often companies purchase IGA and PAM tools for specific use cases or as a reaction to audit findings or deficiencies. This limited use case approach generally results in technology overlap and immature deployment of appropriate solutions.
Understanding existing and future business initiatives then applying those requirements to technology evaluation will support strategic initiatives while anticipating how to respond to business agility and mandated security/compliance.
Before buying new identity software, evaluate your organization across the following:
- Architecture – ‘as is’ and ‘to be’
- Add new functionality to existing tools
- Strategically support emerging corporate objectives
- Anticipate new challenges and opportunities – identity as a utility
- Authentication – centralize and apply standards
- AD group design – optimize directories and security in groups
- Secure unstructured data – identify, manage and administer
Few organizations are required to achieve the highest level of identity automation, governance and enforcement (financial services, banking, etc.). Appropriate identity maturity is relative to each industry.
Knowing best practices, key process standards, and staging identity investment for incremental progress relative to peers will save tens of thousands of dollars and hundreds of hours of effort over the course of your program. To evaluate current and future state identity maturity, focus on these key areas:
- Identity Capabilities:
- Identity Program – governance, management, standards
- Identity data services
- Access management
- Access governance
- Access administration
- Privileged access management
Workforce Skills and Program Support
Because IGA and PAM initiatives are complex and engage non-IT stakeholders, expert services and consulting should be blended with internal resources to deploy and integrate IAM and PAM solutions. The amount of outside consulting needed is a function of in-house skills, experience and complexity of the current environment and chosen technology.
Develop an understanding of what can be done with internal resources by evaluating their contributions across the following skills:
- Existing skillsets – what they already know
- Educated skillsets – what they can be trained to learn
- Experience skillsets – what they will be tasked with during the project
- Exposed skillsets – what they will learn by shadowing experts
It is essential to ensure that any engagement with an outside firm include contractual language for knowledge transfer and training/mentoring of internal staff, to grow your own IAM capability and operational support in the long-term.
Budgeting and Costs
Identity is expensive. IGA and PAM programs involve multiple phases executed over 2-4 years to achieve appropriate automation and maturity. Effective budgeting and deployment is the difference between success and failure.
Plan and budget accordingly as all identity programs have the following expenses:
- Perpetual Licensing or SaaS recurring
- Consulting/Expert Services
- Ongoing labor and support
Return on Investment
ROI is a difficult element of identity because all companies currently perform IGA functions on a daily basis. Justifying automation of what is already being done is challenging to support given competing top line or other cybersecurity alternatives.
To achieve optimal ROI; well defined technology strategy, anticipated requirements and use cases not dictated by vendors and tightly phased deployments are required to generate anticipated results.
- All leading IGA and PAM vendors can support basic provisioning and vaulting functionality, but how thier solutions interact and complement existing and planned security investments should be part of any evaluation and selection.
- POC’s and RFP’s will identify which technology can address known needs, but they often fail to account for environmental nuances and application complexity. Understanding a vendor’s product strategy, release cadence, competitive positioning and ongoing support and documentation are critical to executing a roadmap.
- Understand identity vendor eco-systems and strategic investment in functionality which is not redundant to current capabilities. IGA tools are moving into unstructured data, API security and PAM functionality while PAM tools are evolving in Dev-Ops security. Know where future needs exist and find tools which address requirements without having to bring in new vendor solutions
Action and Execution
Like all successful business initiatives, saying what you are going to do, why it is important, what will it cost, who will be involved, and how success will be measured must to be applied to your identity strategy and roadmap.
Project phases should be 12-16 weeks with controlled scope and deliverables and your strategic roadmap should be revisited annually to account for changes in business and technology options.
At Integral Partners, we work closely with our client teams to deliver world class IGA and PAM solutions on time and in budget. In projects where we execute within a strategic and customized plan, our results are exceptional.
This article is a high-level summary of the advisory elements which provide a proven approach to identity funding and long-term program success.