The What, Why, and How of IAM Governance

June 4, 2019

Most professionals are familiar with the three principles guiding effective business systems: people, process, and technology. But as technology becomes cheaper, easier to use, and more available, the “people and process” principles are often overlooked. This is unfortunate, because people and process are the key to governance: the establishment of rules, standards, and priorities around technology implementation that make it more effective. Without solid governance, no technology solution can fix a company’s problems or help a business meet its goals.

IAM Governance, Explained

Governance is an essential part of any identity and access management (IAM) program. An IAM governing body creates and manages the policies, processes, and standards for all essential IAM functions. Setting up IAM governance means establishing a committee of people with the authority to prioritize, develop, implement, and monitor IAM-related tasks and goals, who meet and make decisions on a regular cadence.

Here are some of the responsibilities managed by IAM governance:

  • Provide executive sponsorship and management for IAM programs
  • Simplify role and access definitions
  • Review entitlements structuring and role compositions
  • Review applications and technology for policy compliance
  • Standardize levels of approval
  • Create workflows for changes and change requests
  • Provide company-wide visibility into user access privilege
  • Design processes for certification and audit tracking
  • Assign responsibilities and enforce policies
  • Align automation to business needs

In short, IAM governance sets the stage for how any IAM program is implemented and managed — allowing companies to execute against an agreed-upon strategy and roadmap, and realize better returns on their investment.

The Functions of IAM Governance

The purpose of IAM governance isn’t just to standardize policies and procedures, but to get beyond the organizational silos that make implementing those policies and procedures so unwieldy, costly, and inefficient. IAM program ramp-up is an ideal time to establish an IAM governance committee: it will provide the mechanisms to steer the program correctly.

IAM governance needs to address three important functions: reviewing and managing role-based access, providing authority and leadership, and steering the company through changes. Companies sometimes establish separate committees for each function, or more often combine them into a single committee, with the intention of making more efficient decisions and keeping processes standardized across the company.

Role-based access. Many companies underestimate the work involved in role management. The role management lifecycle includes reviewing roles on a periodic basis, making sure entitlements are correct, updating roles according to policy changes, certifying appropriate access, retiring roles when necessary, and even providing compliance documentation. Governance ensures that a company knows who has access to what, and why, and who’s responsible for adding and removing access.

Authority. Assigning decision-making responsibility to those with governing authority helps organizations enact and enforce IAM policies and procedures with greater accountability and transparency. Decisions with operational and risk considerations need to be made by the people who own the risk — such as a VP or CISO, rather than a project manager. An IAM governance committee needs to include representation from all the departments that are stakeholders in identity management — which may include operations, compliance, IT, security, HR, legal, privacy, and others. It’s imperative that these stakeholders come together to settle on the different types of workflows and procedures.

Steering. Leadership is essential in ensuring effective identity access governance. Executives, managers, and other major stakeholders are often tasked with guiding the IAM governance committee’s focus and direction. They hold responsibility for helping the company follow its IAM roadmap and tackling the highest-priority projects in the right order. Strong, centralized leadership can also help a company better manage shifts in risk, business requirements, funding, or other priorities.

What Makes IAM Governance So Important

Waiting until after an IAM program is implemented to put governance in place is like building a house before setting the foundation. Yet for many companies, governance is an afterthought, if they think of it at all.

Companies with weak governance often fail to implement fundamental change necessary to minimize risk and improve their environment. For example, one only needs to look at how the OWASP Top Ten — an annually published look at the most critical web application security risks and attacks — has barely changed over the last decade. One would think that as companies implement solutions to mitigate the threats on the OWASP list, new threats would evolve. Yet the list’s constancy reflects how organizations still struggle to formalize their security approaches, leaving them vulnerable despite heavy programmatic investments.

Without governance, companies often find themselves taking a “Whack-a-Mole” approach to IAM — putting out fires, dealing with problems only as they crop up, and failing to enforce the right processes in the right places. This approach also often leads to the wrong people making important decisions that should be made by those with the proper authority. For example, an application developer should not be the person deciding whether company passwords should be 8 characters or 12. Good policy enforcement means those with proper authority make these decisions ahead of time, along with the policies and procedures to consistently communicate and enforce them.

Governance is also the crux of IAM as a strategic tool: it’s where the company’s business goals are translated into systematically executed IAM policies and procedures. Without a high-level, standardized vision and decision-making process, most IAM programs will fail to produce the risk reduction, efficiency, or problem-solving outcomes they were intended to.

How to Successfully Implement IAM Governance

As with nearly any administrative system, establishing IAM governance begins with leadership: a director, CISO, or VP typically heads up the governance committee, selects other appropriate members, and sets the committee’s goals and expectations. The governance committee is then charged with defining the why, what, who, and when of the company’s IAM programs.

To combat some of the common challenges to standing up a governance system — like apathy, lack of accountability, or “meeting fatigue” — many companies have found it helpful to follow these practical guidelines.

Be pragmatic. Figure out what the company needs, what decisions need to be made, how frequently members need to meet and review, and how to reasonably manage IAM priorities without boiling the ocean.

Use existing meetings. If the company already has a standing committee whose members overlap with IAM stakeholders, make IAM governance part of the committee’s existing scope rather than adding a whole new set of meetings.

Keep the momentum. If the company has recently completed advisory services, it’s important to get moving on governance as quickly as possible while momentum and stakeholder buy-in are high.

Content is key. The best governance committees conduct meetings with well-prepared, focused proposals that present options, elicit opinions, and seek concrete sign-offs (as opposed to presenting problems without solutions).

Prepare for change. The IAM director or committee leader should be prepared to change the committee’s roles and responsibilities as the company’s needs change. That way, the committee can evolve from answering questions like, “what vendor should we choose?” to more complex issues, such as, “what’s the best strategy for integrating all of our tools?”