Foundations for a successful Identity and Access Management Program
Identity and Access Management (IAM) relies primarily on getting the answers to three basic yet complex questions right: who has access to data, systems and applications, who needs to have access, and how do the people or systems with access behave? In a digital world now running at high speed, answering these three questions has become incredibly complicated.
Failure to properly manage and secure identities continues to be one of the most common causes of today’s enterprise data breaches, and the problem is not going away any time soon. Today, identities exist far beyond the traditional categories that come to mind, such as employees, partners and customers, and include a panoply of new identities such as automated processes and connected things operating in increasingly complex technical environments.
While the implementation of programs that deliver tangible and measurable results is important in all areas of cyber security, it is becoming paramount in the field of IAM.
What are the foundations for implementing an IAM program that not only executes and delivers successfully but also opens the way for, and incorporates, innovation opportunities? Here are 10 critical success factors:
1.- Align the program vision and scope with the organization’s strategy and business objectives
A business-driven IAM program implies engaging your business lines and empowering them from the onset of the program. It also means incorporating your organisation’s business context and strategy into your business case. By doing so, you can avoid the common pitfall of technology-based foundations, which often result in protection systems that are disjointed and ineffective.
2.- Nominate a sponsor
IAM projects typically fail due to a lack of user acceptance within the organization. Therefore, it is imperative that all relevant stakeholders are engaged from the beginning. The sponsor, designated at the outset of the program, will be responsible for analysing its profitability and for its initiation. When the program is approved and set up, the sponsor will bring a team together, establish a vision and work towards engaging business partners at the C-level.
3.- Nominate business champions
Engaging and maintaining C-level business commitment throughout the program life cycle is one of the most important success criteria. If business line executives do not understand or cannot defend your initiative, it will be difficult to deploy, to acquire tools and resources, or to be empowered to implement an adequate level of protection. Business champions are the delegates of the C-level business units; they act as leaders and innovators and will eventually be your early adopters.
Their commitment will contribute positively to the transparency, speed of execution and success of the program. They will also be empowered and accountable for the cyber risk reduction commitment within their respective units.
4.- Establish a measurable risk-reduction approach
Adopt a risk reduction approach that concentrates your efforts on the most critical assets. To achieve this, it is essential to integrate cyber risk into the risk management framework and to develop KRIs and KPIs, assuming of course that you have a good risk management framework and risk assessment structure in place. This also implies that you have a complete and up-to-date inventory of assets with a classification scheme based on confidentiality, integrity and availability.
5.- Set up a Security Committee
Sustainable support and commitment require building and maintaining trust. The Steering Committee, composed of members from both the business and technology areas, is a forum where you communicate about the program and ensure strategic consensus, especially for decisions or potential changes of direction. Once appointed, the members of the Committee meet regularly (usually once a month).
6.- Establish a governance structure
This governance structure is responsible for the budget and for the implementation of the program structure. To be effective, governance should have a hierarchical structure and well-defined roles and responsibilities.
One of its main objectives is to continually assess program execution and alignment with the initial objectives, and to adjust the orientation if necessary. The governance structure defines the implementation framework and the methodology.
7.- Build an identity-centric architecture
Today your organization needs to deal with highly distributed identities in multiple environments, coming from many sources, applications and social networks. Moreover, with the adoption of the cloud, mobility and the rise of social media, we are witnessing a continuous increase in information flows. Users should be able to access information from anywhere, at any time and from a range of different communication channels. These and many other factors support an adaptation of your cyber security defence strategy, and the business case for an identity-centric architecture as the foundation for the integration of new services, greater responsiveness and innovation.
8.- Approach your product selection methodically
Your criteria and method for selecting the technical solution (or solutions) should be based on a range of specifications incorporating not only the whole set of your business requirements, but also the relevant input from your strategic roadmap (business and technical). Beyond your business and technical needs, consider elements related to relevant regulations (e.g. information security, data protection or legal restrictions). In addition, aligning your selection criteria with an international standard such as NIST or ISO 27001 will ensure that the product itself meets security requirements.
Once your inventory of criteria is established and approved, prioritize your selection criteria and develop a matrix that will allow you to measure and compare products using a standardized method before moving to the RFP stage.
9.- Staged Deployment
Undertake the implementation of your projects in stages, starting with something small, quantifiable and significant, and gradually increase the scope. Establish criteria to monitor implementation effectiveness. Automate, activate and educate.
10.- Educate, educate and educate
In an incredibly digitalized world, identity and access management has gone far beyond compliance and computer security to become a key driver behind improved business performance, digital transformation and competitive advantage.
Adoption by your employees, customers and partners is probably one of the most critical program success factors. In addition to training and awareness on tools, business processes and the rules governing secure access management, make education a continuous process that also covers the reputational and financial damage of a security breach as well as users’ responsibilities.
Identity programs are usually initiated for compliance reasons, to address audit findings and improve the organisation’s security posture. They are now evolving and have become a key enabler of digital transformation. Regardless of the reasons behind your initiative, your IAM program is the perfect opportunity to evaluate business drivers, inventory your existing cyber security strategy, consolidate, and lay the foundations for a mature identity-centric digital strategy.
Since the creation of Abicem in 2006, we have been committed to providing our customers with high-quality services to optimize their IAM programs. We build partnerships to deliver services and state-of-the-art cyber security solutions. We work with our partners to deliver the expertise, value-added services and technology that strengthen the security of our customers’ critical applications and infrastructure in a borderless world. Our program management delivery framework is the result of 13 years of global infrastructure and transformation IAM initiatives within the financial sector, telecommunications and airport services, as well as in the chemical and automobile industries.