Wise Words To Avoid Horror Stories in Identity and Access Management

It is no secret that Identity and Access Management (IAM) continues to be a challenge for many organizations. As a witness and practitioner in the space for over 10 years now, it is not clear to me that we are getting any better at delivering to expectations and needs. What makes it more painful is the fact that IAM is often the most expensive component of a security program which means that failures of IAM initiatives come at a heavy cost to these programs.

If you were at the Gartner IAM Summit in Las Vegas last week, you probably got a closer look at the current state of IAM. I wasn’t there myself but I did get an opportunity to review some of the sessions on demand at http://www.gartnereventsondemand.com. There were several good sessions but I thought two sessions in particular provided a good insight into the challenges from planning, governance and execution perspectives. They were “Horror Stories: Why IAM Programs Fail” and “Stop the Finger Pointing: The IAM Role Ecosystem”.

I tweeted some quotes from these sessions as well as some of my own thoughts last weekend. I thought a compilation of those tweets might be a quick and useful read for managers and executives responsible for delivering IAM initiatives everywhere. The tweets are presented below. The tweets with the #GartnerIAM hashtag are quotes from the analyst presentations (I also added my own comments to add to or clarify a few) and the ones without the hashtag are my own thoughts. Also, please note that these tweets are not in any particular order.

I hope you find these useful. Getting IAM right is not only a security imperative, it is also fast becoming an even bigger business imperative than it ever was in certain industries, thanks to the uptick in use of mobile and rapid consumerization among other things.

I think the healthcare provider space is a very good example of such a rather abrupt change. For an industry that has historically not done very well with security in general and IAM in particular, getting your IAM program to be a business enabler in support of your clinician and patient engagement will be critical to how competitive your organization is in the marketplace. We’ll probably have more to say in terms of details in a later post.

So, yes … getting our IAM strategies right and executing them well should no doubt be a top priority for many of us.

I welcome your thoughts and feedback. Thank you!

I’ll have what she is having. Not a good way to select an IAM product or a vendor #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

They are in the Leaders Quadrant. Not yet a good reason to select an IAM product or vendor. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

We have someone else to blame if the project goes sideways. Not a good IAM strategy. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

The more customization you need to do to meet your requirements, the poorer the fit. That of course assumes you have detailed use cases for your current and future requirements #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Designing your #IAM strategy or program around a product. Not a good idea #HorrorStories

Not understanding and documenting your business, operational, security/privacy risk or compliance use cases. The first step of an expensive misadventure in #IAM. #HorrorStories

Assuming HR data is accurate and automating life-cycle processes based on the data without appropriate validation #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com
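One way to put the point above into practice is to treat the HR feed as untrusted input and hold anomalous records for human review instead of letting them drive joiner/mover/leaver automation directly. The following is an added illustration, not code from the post or from any Gartner or vendor material; the record layout, the previous-day snapshot and the 25% bulk-termination threshold are all constructed assumptions.

```python
"""Sanity-check an HR feed before it drives identity life-cycle automation.

Added illustration (not from the post or any product). Assumes each HR record is a
dict with id/status/manager/dept keys and that yesterday's snapshot is available
to diff against; both are constructed below.
"""

# Constructed sample: yesterday's snapshot keyed by employee id.
PREVIOUS = {
    "e100": {"id": "e100", "status": "active", "manager": "e001", "dept": "Clinical"},
    "e101": {"id": "e101", "status": "active", "manager": "e001", "dept": "Clinical"},
    "e102": {"id": "e102", "status": "active", "manager": "e001", "dept": "Billing"},
    "e103": {"id": "e103", "status": "active", "manager": "e002", "dept": "Billing"},
}
# Constructed sample: today's feed, deliberately containing the kind of errors a bad
# extract produces (mass terminations, a blank manager, a duplicated row).
TODAY = [
    {"id": "e100", "status": "terminated", "manager": "e001", "dept": "Clinical"},
    {"id": "e101", "status": "terminated", "manager": "e001", "dept": "Clinical"},
    {"id": "e102", "status": "terminated", "manager": "e001", "dept": "Billing"},
    {"id": "e103", "status": "active", "manager": "", "dept": "Billing"},
    {"id": "e103", "status": "active", "manager": "e002", "dept": "Billing"},
]

TERMINATION_RATIO_LIMIT = 0.25  # assumed threshold: hold leavers if >25% terminate in one feed
KNOWN_STATUSES = ("active", "terminated", "leave")


def validate_feed(previous, today, limit=TERMINATION_RATIO_LIMIT):
    """Return (approved, holds): records safe to automate, and findings needing review."""
    holds, seen, approved = [], set(), []
    for rec in today:
        if rec["id"] in seen:                    # duplicate rows usually mean a broken extract
            holds.append(("duplicate_id", rec["id"]))
            continue
        seen.add(rec["id"])
        if rec["status"] not in KNOWN_STATUSES:
            holds.append(("unknown_status", rec["id"]))
            continue
        if rec["status"] == "active" and not rec["manager"]:  # approvals need a manager
            holds.append(("missing_manager", rec["id"]))
            continue
        approved.append(rec)
    # A bulk termination is more likely a bad extract than a real event: hold the leavers only.
    leavers = [r for r in approved if r["status"] == "terminated"
               and previous.get(r["id"], {}).get("status") == "active"]
    if previous and len(leavers) / len(previous) > limit:
        holds.append(("bulk_termination", len(leavers)))
        approved = [r for r in approved if r["status"] != "terminated"]
    for emp in sorted(set(previous) - seen):     # absence from the feed is never a termination
        holds.append(("missing_from_feed", emp))
    return approved, holds
```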

Trying to “boil the ocean” and not focusing adequately on your most important requirements #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Treating automation as your top priority is another step on your way to a certain failure #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Trying to get ideas from your SIs on what may have worked elsewhere and “hoping” they will work for you. Not a good idea. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

“If we build it, they will come” approach by the technical IAM folks. Not a good idea. Business folks don’t care. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Beware! Using ROI for an IAM business case could be a slippery slope in some instances #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

“What (Process) Re-engineering? We don’t need no Re-engineering.” You just took a big step towards failure. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

DIY only if you know what you are doing, have learned your lessons and are capable enough not to repeat the key mistakes #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

The right sequence is Principles, Policies, Practices, Processes, People and Products. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

If you are thinking products before you have figured out people and processes, you have it wrong #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

An exclusive group of technical #IAM folks developing your strategy? They are likely thinking products ahead of people and processes #HorrorStories

Beware of hiring your SI to develop your strategy as well. There may be a conflict of interest not to mention that they may just not be qualified enough to develop your strategy #IAM #HorrorStories

“Through 2016, enterprises without formal IAM programs will spend 40% more and experience twice as many failures as those with formal programs” #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

What constitutes an #IAM strategy? Vision, program objectives and a two or three year roadmap that satisfies stakeholder expectations #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Remember detection and containment are at least just as important as prevention in #security today. Does your #IAM #Strategy meet the test? #HorrorStories

Effective #IAM strategy today needs active collaboration between traditional security silos #DLP #SIEM #operations #HorrorStories

#IAM stakeholders must include leaders from:

  • Business
  • Technologies
  • Risk
  • Privacy
  • Compliance/Audit
  • Leads from other security verticals
  • HR
  • Vendor Management
  • Help Desk
  • #Strategy

Top #IAM #Strategy priorities today:

  • Business Enablement
  • User Experience
  • Security/Privacy Risk Management
  • Compliance
… in that order.

Your new application is designed to use its own access credentials? You may need to get back to the drawing board #Federation #StrongAuthentication #SSO #OpenIDConnect

Trying to enforce your password policy on your customer facing application? That is yesterday’s #IAM #Strategy. #OpenIDConnect

Your #DLP #SIEM leads don’t know what your #IAM plan is? Maybe it’s time for #security #leadership to show up. #HorrorStories

Trying to solve #IAM problems solely with IAM solutions? That is yesterday’s IAM #Strategy. #HorrorStories

#GartnerIAM says “There will always be shared passwords & that’s okay. You just have to have the proper controls around them.” Agreed, but does your #IAM team understand all viable workarounds? #Strategy

#Mobile and #Consumer not key components of your #strategy? That is yesterday’s #IAM

Remember #consumer includes internal users in addition to customers #IAM #Strategy

Shying away from #BYOI for customer access? You may still be on yesterday’s #IAM #Strategy. #OpenIDConnect #SocialMedia

Not educating your customers about using #StrongAuthentication on their #SocialMedia ids when accessing sensitive data? You may like to. #BYOI #OpenIDConnect #IAM #Strategy


Kamal Govindaswamy

Posted on December 11, 2014