Freely subscribe to our NEWSLETTER

© Jelica Videnovi

IAM: a tool for business people?

Simplification has been a motto of most presentations. Why? An IAM project is so vast that there are many chances to fail a project when starting with the wrong components. The aim has to be the right one: IAM is mainly meant for business people. They own the applications, are accountable for them and finance most of them. Therefore, they expect results. IT is the necessary evil to implement the project and systematically back out when it comes to IAM projects. This could not be another way, given that they are responsible for infrastructures, not for entitlements in applications.

Provisioning: a tool for IT people mainly

Still today, IAM project begin too often by the wrong part: the technical part with account and application provisioning. This is an historical approach, connector and automation centric. It is reassuring because it enables to escape confronting business. And this turns into an IT specialist story again. It definitely is the issue: only the IT department gains from it. Provisioning is the optimization of operational efficiency for IT before all. It does not help business very much or not at all. Moreover, the implementation and maintenance under operational conditions of connectors is both time and money consuming.

The real need: mastering application security

Yet, business people’s demands are clear. They want to meet their regulatory constraints (compliance) and to regain control of application security:

· knowing who has access to what

· reviewing access on a regular basis

· streamlining access requests are through standard workflows, with trails for auditors needs

Where is the need of provisioning here? Nowhere!

Governance: the right answer

In his presentation The One Trick That Will Improve Your IGA Tool Deployments, Brian Iverson presented a very pragmatic methodology for themes prioritization. His Risk-Reward trade-off matrix based method classifies the functionalities that need to be implemented according to two criteria:

· Rewards from the business

· Implementation complexity

Result: governance functionalities head the list!

· entitlements catalog

· access reviews

· one stop shopping for access rights

Results are instantly visible

Interfacing with applications can be carried out via Service Desk fulfillment. This is the most effective way to interact with applications given that every person remain responsible in his area of expertise. Business people deal with demands processes and IT with the duration of modifications in application via predefined SLAs.

This sort of project can be implemented in a fraction of the required time for an IAM project with a provisioning approach and immediately displays visible results for business. Compliance is met, visibility acquired and processes are ready to be used.

Provisioning then comes back to its rightful place: optimization of operational efficiency. It is then easy to establish the ROI for each connector depending on the required management actions and of the implementation and support load. Moreover, this implementation can be progressive.

Starting with an entitlements review

In her presentation Selecting the Right Identity Governance and Administration Tool for the Job!, Lori Robinson put forward the evolution of the methods of IAM programs implementation. And the conclusion is the same: 10 years from now, it was typical to begin with provisioning, the good practice today is to start with and access review.

This enables to bring stakeholders into the project immediately, to meet compliance requests and prepares for the projects next steps by addressing the issue of the quality of data stored in repositories.

Governance is a subject in its own right

The solutions available on the market today present a significant gap between this recommendation and the products’ capacities. Indeed, they are all based on connectors and require a global implementation of the solution before conducting the first reviews and therefore giving value to business.

At Brainwave, we addressed the issue differently. Since the beginning, we consider governance as a subject in its own right. We made it possible to make connectors optional and thus avoiding needing too much of IT’s time to meet the expectations.

Our solution can be implemented in just a few days and we only need a few data extractions (flat files) to get all governance functionalities up and running:

· entitlement catalog

· access review

· management workflows

· control automation

· compliance reports

One of our client deployed the solution in 30 days and covered a perimeter of 350 applications, 1500 SoD controls and access reviews: all this without any connector!

Simple extractions and an interface with the ticketing system where enough to meet the expectations and to obtain compliance.

To all that need to start or restart their IAM project, as Gartner, we have only one piece of advice: Keep it simple!

Want to know more? download our White Paper "Best practice for access reviews to reduce risks and improve operational efficiency” by fill in this form http://goo.gl/forms/MwTnZkpMVO