Who is permitted to use an IT system, and which authorizations are assigned? When introducing a central tool for Identity & Access Management (IAM), companies need to be meticulous. These five steps will help you achieve your goal reliably and keep costs under control.
When it comes to IT investments, IAM is not necessarily at the top of companies’ priority lists. Like an insurance, it costs money in the first place. The benefits of IAM, on the other hand, initially appear abstract. In fact, they are enormous, because IAM minimizes IT security and compliance risks by making software, tool functions and digital information accessible only to those who actually work with them. This impedes criminal activities, e.g., with stolen identities, that can cause considerable damage.
In times of cloud computing, virtual and hybrid teams with internal and external co-workers, this issue is more relevant than ever, creating new requirements which are often not addressed by existing IAM systems. As long as a company is spared major damage, modernizing IAM may fall behind other numerous IT projects on the agenda. Last but not least, because an IAM project affects all functions and departments of the company, tying up resources right across the organization.
However, in our view, the concerns are unfounded, because there are proven ways to plan and implement IAM projects. Based on our project experience, these are the five keys to success:
Digital identities don’t forgive any mistakes. When a new colleague joins the company, a manager changes teams, or an external employee leaves the organization, the appropriate user authorizations must be assigned or removed quickly. If not, employees won’t be productive, or the company will risk data leakage, e.g., business secrets could be made public. In this context, legal requirements are of particular relevance. Among other things, companies must avoid toxic right combinations, i.e., a set of authorizations that could lead to violations of the law or cause economic damage. In the banking industry, for example, no one should be able to request payments and subsequently approve them on their own.
Legal requirements form the mandatory part of every IAM project – but there are numerous other requirements to be identified. The first step of any project is therefore very comprehensive: function by function, responsible managers must contact all stakeholders to register the IT systems in use, clarify regulatory requirements and define a variety of user roles. To answer all open questions, a hundred or more meetings may be needed. If you are very ambitious, you might complete this task within four months – but especially in larger companies it’s more realistic to schedule half a year.
This first step is rather meticulous, but it will be rewarded later, preventing unforeseen events, such as additional requirements, which emerge in the course of the project, complicating the entire process and throwing off schedule. Even with the greatest care, it makes sense to maintain a “requirements radar”: Project managers should regularly inquire whether new internal or external requirements have to be taken into account.
Some companies rely on self-developed solutions to manage digital identities. As new requirements emerge, such home-made software may fail to meet all needs. This is the moment for a make-or-buy decision: Can the company modernize the existing tool with reasonable effort, or should you switch to standard software? There are many powerful solutions on the market, enabling more or less configurations. Companies can choose software that can be run on premise – or cloud solutions with the option to include Identity-as-a-Service (IDaaS). At an early stage of the project, you should put several tools on your shortlist and assess their fitness in a proof of concept (PoC).
In many cases, companies opt for an IAM standard solution. During implementation, it is very important that the provider does not bypass the project team. Every single step has to be in line with the project plan, and additional requirements or change requests must be documented thoroughly. Right from the start it should be clear who is in charge of the project and must be approached as single point of contact (SPOC).
A proper role concept minimizes the risk of data misuse but that’s not all. It also makes IT authorizations easier to manage. Each employee is given the set of access rights he or she needs for their tasks – no more, no less. Every team member is assigned to one or more roles, so that permissions no longer need to be assigned individually for each tool.
For critical systems, segregation of duties is very important, i.e., shared responsibilities. Toxic right combinations should be avoided. With an appropriate setting the IAM tool will blocks such combinations automatically. Depending on the industry and the size of the company, it may also make sense to designate a person in certain departments as a Segregation of Duties Manager, who will double check each critical authorization.
When the IAM tool is implemented, all stakeholders are informed and trained, there is just one more task to complete. To make it easy for new managers to familiarize themselves with the processes, the company should prepare well-designed learning materials, such as FAQs and video tutorials: How do you assign a role to a colleague? What needs to be considered during onboarding, offboarding or team changes?
“After the project is before the project” – this rule also applies to IAM. Over time, requirements can change, so that the company will have to revisit the process again. This can be done much faster and easier if you have documented each step, all the stakeholders, requirements and roles in a precise manner.