Five Steps to Ensuring a Successful Identity and Access Management Solution Deployment

Five Steps to Ensuring a Successful Identity and Access Management Solution Deployment

After endless cost-benefit meetings, business case rewrites and months of organizational readiness activities, your identity and access management (IAM) project is funded, has a staff and a start date.  You did everything possible from an organizational readiness perspective to prepare and ensure conditions were set to achieve maximum value. Now you are ready to deploy the solution, and following these five steps can help your organization have a successful project launch.

 

IAM Depolyment

 

  1. Ensure the executive sponsor stays engaged throughout the project to help keep the effort on track and within scope, and reinforce expectations. Hopefully s/he is also the identity program champion, tying the project to the identity strategy. Regardless if the sponsor is an information technology or line of business executive, make sure you’ve built an active role for them. Unless the project has a visible, committed executive with decision-making power, when those unforeseen policy issues arise (they always do in IAM efforts) or when a critical target system owner decides not to clean up bad data, you won’t have the muscle when you need it.
  2. Embrace the features of your IAM application. The Pareto principle is best applied: 80 percent of the functionality in the deployment should be standard functionality of the product, 20 percent should be customized functionality. Over-customization is challenging to maintain, especially if your IAM and security staff are inexperienced with the product. You may find that a capability you heavily customized in the current release breaks when you upgrade to the next release of the product.
  3. Don’t do too much too soon. Ensure the to-be-built solution stays in line with the project roadmap and scoped requirements. Too often with IAM efforts, stakeholders want to address every audit finding and inefficiency in a “big bang” approach, even trying to add requirements after the project begins (suggestion: use your executive sponsor to control this). Two drawbacks with this approach are that it takes too long to implement any usable value (average IAM efforts can last 26 weeks), and it doesn’t allow the staff to become comfortable with the IAM application in increments. By phasing your IAM project and delivering incremental functionality, the stakeholders will see value quicker, your staff will build proficiency, and you can identify gaps in the next phase.   
  4. If you missed a readiness imperative, don’t succumb to the easy route of automating a bad processes, tolerating incomplete data or dropping a key functional requirement. Engage the executive sponsor to reset expectations, assess the risk to the IAM strategy and develop alternative solutions (remember, that’s why you’re phasing this). You don’t want to find you can’t execute compliance audits (the reason you bought the product) because your role or entitlement structures are incomplete.   
  5. Make sure you know how this deployment will be supported after it ends, before it even begins. Training, hiring and on-boarding should have commenced right after the business case and budget were approved, but if you missed it, don’t ignore. IAM resources are in high demand. Nothing causes a project to be viewed as a failure faster than realization the staff can’t use the application or the solution isn’t sustainable in the long run.

 

If you’re not sure how to proceed, invest in an IAM roadmap or deployment service. These efforts can provide leadership with insight on how to ensure IAM solution deployment success.

Tony Naples
Service Delivery Manager, SailPoint
Tony Naples is a service delivery manager focused on SailPoint products. In this role he specializes in the development and deployment of identity-centric security solutions supporting clients' information security strategy blueprint, and consulting with client executive teams on IAM policies and procedures, governance, risk management and compliance approaches. He has more than 15 years experience delivering IAM solutions and more than 25 years in information warfare and cyber security operations.