Five Steps to Preparing for a Successful Identity and Access Management Solution Deployment 


As adoption of the Internet of Things (IoT) continues at an incredible pace, organizations of all sizes are shifting away from traditional notions of perimeter security to an identity-based security approach. As businesses evaluate identity and access management (IAM) products to assist with implementing this approach, the desire to achieve the benefits often quickly overshadows their organization’s readiness to implement an IAM solution to actually reap those benefits.

 


 

So what steps should information technology and security leadership take to be prepared?

 

  1. Define User Roles: Determine if the organization’s information security strategy framework is inclusive of definitions of users’ roles; the types and scope of resource access entitlements those roles should and should not have; and policies that govern items such as password requirements, segregation of duties, who is allowed to request access, and account provisioning, just to name a few. In addition to ensuring these elements are present, you should validate that the key stakeholders and system owners are aware of them. This will speed creation of requirements and use cases that become the roadmap for the IAM solution deployment.
  2. Validate Data Accuracy: Determine the accuracy of data in the systems to be integrated with the IAM solution. Duplicate employee or user account records, incomplete records, and user records in one system that cannot be matched or correlated to the same user’s record in another system via a global user ID (GUID) will all hinder the ability to establish a complete picture of a user’s identity across the enterprise.
  3. Evaluate Current Business Processes: Most organizations implement an IAM solution to strengthen their security posture and make the process of managing system access more efficient and effective. Determining which business processes are ripe for change or elimination, and what new processes can be deployed to take advantage of the IAM solution’s functions and features will create tangible value and visible wins. Automating bad business processes is never a good idea, and with the immediate reach of most IAM solutions across many applications, the results can have unintended consequences.
  4. Communicate Plans: Be sure all relevant parties are aware of the implementation and benefits of the IAM solution as early as possible. Most organizations have multiple security teams, each managing access for a particular application. While those employees may feel threatened by the deployment of this solution, they are integral to providing the institutional knowledge of how security processes are executed today, especially if today’s processes are not documented. Coupled with training, keeping staff involved, informed and engaged will help them become agents for the change.
  5. Plan Ahead: Lastly, and probably most impactful to cost and schedule, take these steps before the solution deployment actually begins. Nothing slows a deployment more, or leaves more resources sitting idle, than trying to determine role definitions, cleanse data, or have executive decisions made about policies after you’ve started to configure the solution.
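
One way to run the data-accuracy check from step 2 before integration begins, shown as an added example that is not part of the original article. It flags duplicate GUIDs and incomplete records within each export, then lists GUIDs that cannot be correlated across two systems. The system names, field names and sample records are constructed assumptions.

```python
from collections import Counter

REQUIRED = ("guid", "name", "email")  # assumed minimum attributes per record

# Constructed sample exports from two hypothetical systems (not real data).
HR = [
    {"guid": "G-1001", "name": "Ana Ruiz", "email": "ana.ruiz@example.com"},
    {"guid": "G-1002", "name": "Ben Cho", "email": ""},
    {"guid": "G-1003", "name": "Cy Dale", "email": "cy.dale@example.com"},
    {"guid": "G-1003", "name": "Cyrus Dale", "email": "cy.dale@example.com"},
    {"guid": "G-1004", "name": "Di Evans", "email": "di.evans@example.com"},
]
DIRECTORY = [
    {"guid": " g-1001", "name": "Ana Ruiz", "email": "ana.ruiz@example.com"},
    {"guid": "G-1002", "name": "Ben Cho", "email": "ben.cho@example.com"},
    {"guid": "G-1003", "name": "Cy Dale", "email": "cy.dale@example.com"},
    {"guid": "", "name": "svc-backup", "email": "ops@example.com"},
    {"guid": "G-1999", "name": "Eli Fox", "email": "eli.fox@example.com"},
]

def norm(guid):
    """Normalize a GUID so case and stray whitespace do not break matching."""
    return (guid or "").strip().upper()

def audit(records):
    """Find duplicate GUIDs and incomplete records within one system's export."""
    counts = Counter(norm(r.get("guid")) for r in records)
    return {
        "duplicates": sorted(g for g, n in counts.items() if g and n > 1),
        "incomplete": [i for i, r in enumerate(records)
                       if any(not (r.get(f) or "").strip() for f in REQUIRED)],
        "guids": {g for g in counts if g},
    }

def uncorrelated(left, right):
    """GUIDs that appear in one system but cannot be matched in the other."""
    l, r = audit(left)["guids"], audit(right)["guids"]
    return sorted(l - r), sorted(r - l)

if __name__ == "__main__":
    for name, recs in (("HR", HR), ("DIRECTORY", DIRECTORY)):
        a = audit(recs)
        print(name, "duplicate GUIDs:", a["duplicates"], "incomplete rows:", a["incomplete"])
    only_hr, only_dir = uncorrelated(HR, DIRECTORY)
    print("in HR only:", only_hr, "| in DIRECTORY only:", only_dir)
```

Accounts that appear only in the downstream system, or that carry no GUID at all, are the ones to resolve with the system owner before they are loaded into the IAM solution.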

 

If you are not sure where to start, invest in an IAM assessment and roadmap service. These efforts can provide leadership with insight on how to make an IAM solution deployment work for the entire organization.

Tony Naples
Service Delivery Manager, SailPoint
Tony Naples is a service delivery manager focused on SailPoint products. In this role he specializes in the development and deployment of identity-centric security solutions supporting clients' information security strategy blueprint, and consulting with client executive teams on IAM policies and procedures, governance, risk management and compliance approaches. He has more than 15 years' experience delivering IAM solutions and more than 25 years in information warfare and cyber security operations.