Identity & Access Management (IAM) is an account management system that provides proper access to the technological resources of the relevant people in organizations. Implementing IAM is expensive and very often ends in disaster. This is usually due to the fact that the implementation follows the same principles as in the case with any other IT system: we recruit a maximum of IT specialists and developers and expect a positive result.
It has happened for several times that the implemented system only intensified operational chaos within the organization, and turned into a costly burden. In this case, there is no need to talk about any reduction in costs or increase in profits. Let’s take a look on how to avoid mistakes while implementing the system.
Misunderstanding why IAM is needed
How is usually the budget for the IAM system? The cost of software products is laid down, the least expensive implementation method is chosen (often on its own), and immediately after that, the procurement process starts. Unfortunately, this is the road to nowhere. If the organization does not understand or know how employees, customers, partners, developers, and administrators are accessed, and how their accounts are created, the IAM system will not save. It is impossible to automate and control what is not saved. IAM is a means of automation and control.
For a successful implementation, you need to understand how the management of accounts and access is carried out (officially and unofficially), where the business is moving, how the IT infrastructure will develop in the next 3-5 years, and whether it is planned to introduce “cloud services”, etc.
A working IAM system must manage accounts and access to dozens of other IT systems, each of which is managed in its own way. Owners and operating teams of these systems often resist innovation, preferring to work “the old way”, or, even worse, bypassing new processes and technologies.
Lack of management support
Key people in the organization must understand the business function of IAM systems and keep track of costs and return on investment. Managers are the link between the various departments that can use fragments of systems that perform the functions of IAM.
Moreover, if the IAM system is completely at the mercy of IT or IS, any necessary decision related to changing the business, finances, or personnel either significantly delays the project implementation or the project is not accepted at all.
Lack of IAM strategy and roadmap
In large organizations, where any project is an important investment, the development of an IAM strategy and roadmap has become the norm. These documents not only create, but also constantly update within the framework of an actively changing business and technological landscape.
The document should contain a description of the current state of IAM processes and technologies, determine their target state, and also describe in detail the path to transition from one state to another in the form of a sequence of projects.
Building a successful IAM strategy
The process of creating a successful IAM strategy differs from the IT and IS strategies in the specifics of the application area. For example, when assessing the state of a business, you need to take into account the entire structure of the organization, identify all the gaps related to accounts, employees, customers, contractors, and so on. After that, the project processes onto the best world practices. The result of this analysis will be a maturity model to determine the direction and control the development of IAM.
All problems found are classified according to the level of influence on the business, and it is desirable to determine not only qualitative, but also quantitative characteristics that will help the organization’s leaders make decisions on budgeting projects within the framework of a full-fledged IAM program. Problem analysis also addresses the operation of current IAM systems and services, the processes of launching new IT solutions, and organization services.
The architecture of IAM solutions must be seamlessly integrated into the organization’s IT architecture. Therefore, in addition to the business model, it is important to create a reference IAM architecture, within which it will be possible to determine all potential limitations, integration standards, applications, services and data, and use them in the development of requirements and technical tasks.
In addition, the necessary list of IAM initiatives for the next 3–5 years should be distributed on a road map and agreed with the leaders of the organization. They allow the IAM program to be successful, truly profitable, and reduce costs.