Over the past few months, I have come to realize, through empirical observation working with our clients, that the way in which Identity and Access Management (IAM) initiatives are carried forward demands a different approach from what we have seen to-date. I mean this from a holistic view: the drivers, the business justification and the expectations around what IAM should deliver to the business have evolved quickly, and this has blindsided many identity practitioners.

Here are some of the highlights: 

  • It is 2012. If you are looking to implement an IAM solution, you need to look at the Cloud
  • Waterfall approaches are slow to get results and harder to justify funding for
  • RFPs and POCs get limited returns for what you invest in them
  • IAM needs governance… both an effective steering committee and a solid Identity and Access Governance platform (IAG). It is much more than just SSO.

I don’t want this blog post to be confused with any of the old “new” hype, such as the prior claims of identity 2.0 or any others, many of which are yet to yield any substantial business value. What I am focusing on is not truly a new IAM technology paradigm or a way to do identity federation. It is more of a new way to think about how to pragmatically undertake an IAM initiative. 

The Scenario

Let’s say you are the newly appointed IAM program manager at your organization. Your CIO/CISO is frustrated that for the second year in a row, your organization failed an external audit (likely tied to a regulatory requirement like HIPAA, SOX, NERC, etc.) Many of the findings reveal deficiencies in the organizations ability to limit a user’s access, as well as taking too long or not being able to thoroughly remove someone’s access when they are terminated.

 Sound familiar?

 There could be other ingredients here:

  • You deployed Sun Identity Manager and now you have to move to another platform.
  • You have a whole bunch of cloud-based applications that the line of business is adopting and it is now your responsibility to ensure that access is properly managed for these applications.
  • Your CIO says that having to wait five days for an employee to be fully on-boarded is unacceptable and this needs to be fixed.
  • Your compliance or privacy officer tells you that the risk stemming from not having a way to remove departmental access rights from people when they are transferred is unacceptable.
  • The line of business is expressing frustration that managers don’t really understand how they are supposed to grant their new staff the access they need to do their job, since the request system’s UI is backwards, and entitlements are gibberish that a human cannot understand
  • End users complain that they have to remember way too many passwords, which they keep forgetting, and there is no user-friendly way for them to reset the password once they are locked out of their account

So, faced with these challenges, what do you do?

The Traditional Approach…

If you have been in IAM for a while, I am sure you have seen this story being played out over and over again. If you are new to IAM, humor me for a moment.

The traditional approach to IAM, let’s call it “the old playbook”, would besomething like what is shown in this diagram.The Traditional Approach to IAM

It is basically a hurdles race (an appropriate metaphor given the upcoming summer Olympics). But the sad reality is that each hurdle takes from three to twelve months to clear and may require US$250,000 or more in upfront capital investment. Falling on a hurdle raceThere is no way that the CIO or CISO that we described in the scenario above would be happy with the prospect of having to fail yet another audit cycle and spend over US$1M before he can see some relief.

Therefore, I declare the old playbook obsolete.

In part 2 of this 3-part article, I will explain what is in the 2012 IAM Playbook.


IAM Program Data Sheet


Frank Villavicencio

Frank Villavicencio