IAM: Observations and Tips from the Real World
Looking at the big data breaches that have been in the news lately, you'll see that most have something in common: compromised security credentials.
That shows why identity and access management (IAM) is such a critical part of a company's security infrastructure.
Today’s enterprises are getting better at IAM—because they have to.
If you're developing or troubleshooting an IAM program, you can't just focus on technology, you have to think about people, too.
The bad guys look for the easiest way to get the data they want, and that weak link tends to be human, especially human beings who use shortcuts like easy-to-guess passwords or (shudder) write their password on a Post-It stuck to their laptop or cubicle wall.
The Technical Side of IAM
I have spent more than a dozen years in the IAM field, and here are some of my observations and tips on how companies can improve their identity and access-management programs:
- Set realistic expectations. Especially your boss’s. While you're at it, make sure your scope is well defined and that the members of your IAM team (which includes all of your stakeholders, vendors included) are on the same page, have bought in to the vision, and know who owns what. You will waste time and money down the road if you don't have an agreement up front on what is to be delivered and by whom. Remember, IAM is a program that includes service offerings to users. It is not a finite project with an end date, so be prepared to support it for the long haul.
- Don't automate garbage processes! It can take quite a bit of effort to develop more efficient and secure processes before you start working on automation. Make sure you have a solid foundation before you start adding bells and whistles. Get 80 percent of what you want covered through standard processes and tools, then go back for the last 20 percent, which is usually custom and the most expensive part of a deployment. You may also find that when you come back, that last 20 percent may no longer be needed.
- Focus on the future. Build your new system and processes for where you want to be, not where you are today. Make sure your vendors (or internal teams) are able to support that vision.
- Consider what you're working with. For your IAM program to succeed it should be easy to use—and your internal support teams should be well trained.
- Do more with your data. You can glean a lot of information from IAM data to help drive risk decisions. How many people have access to key data and how are they getting it? A mature IAM program can help answer those questions and help you uncover problems before your company makes the news for the wrong reason.
- Keep up with emerging standards. Standards and practices like federated identity, SAML, and password vaults, along with newer or updated ones like OAuth and OpenID, are good steps forward in simplifying the user experience and providing better security.
- Cover your entire workforce. I still see a big gap in making sure all users are accounted for in an IAM program. Many companies still only have an HR plan to manage employees (and for the most part they do that well), but they drop the ball when it comes to effectively managing non-employee identities like contractors and vendors who may have access to critical systems. (Think Edward Snowden.)
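The two points above ("Do more with your data" and "Cover your entire workforce") are easier to act on with a concrete picture of what the questions look like against IAM data. The script below is an added example, not code from the original post or from any IAM product: it walks a small, constructed membership graph to answer "who can reach this resource, and through which group chain?", then cross-checks each identity against a constructed HR feed to surface the non-employee and leftover accounts an HR-only process misses. Field names such as `hr_id`, `sponsor` and `contract_end` are assumptions for illustration.

```python
"""Added example: answering "who has access to key data, and how?" from IAM
data, and flagging identities that fall outside the HR-driven lifecycle.
All records below are constructed; the field names are assumptions, not
any product's schema."""
from collections import defaultdict
from datetime import date

# --- Constructed sample data -------------------------------------------
IDENTITIES = {
    "alice": {"type": "employee",   "hr_id": "E100", "enabled": True},
    "bob":   {"type": "employee",   "hr_id": "E101", "enabled": True},
    "carol": {"type": "contractor", "hr_id": None,   "enabled": True,
              "sponsor": "alice", "contract_end": date(2023, 12, 31)},
    "dave":  {"type": "contractor", "hr_id": None,   "enabled": True,
              "sponsor": None,    "contract_end": date(2026, 6, 30)},
    "svc-backup": {"type": "service", "hr_id": None, "enabled": True},
}
# HR feed of active employee records (constructed): E101 (bob) has left,
# but his account is still enabled in the directory.
HR_ACTIVE = {"E100"}

# Membership graph: member -> groups it belongs to (members may be groups).
MEMBER_OF = {
    "alice": ["finance-analysts"],
    "bob":   ["finance-admins"],
    "carol": ["finance-analysts"],
    "dave":  ["it-helpdesk"],
    "svc-backup": ["backup-operators"],
    "finance-analysts": ["finance-all"],
    "finance-admins":   ["finance-all"],
}
# Entitlements: group -> resources it grants (constructed).
GRANTS = {
    "finance-all":      ["payroll-db:read"],
    "finance-admins":   ["payroll-db:write"],
    "backup-operators": ["payroll-db:read"],
}


def access_paths(identity, resource):
    """Return every membership chain through which `identity` reaches
    `resource`, e.g. ['carol', 'finance-analysts', 'finance-all']."""
    paths = []

    def walk(node, chain, seen):
        if resource in GRANTS.get(node, []):
            paths.append(chain)
        for grp in MEMBER_OF.get(node, []):
            if grp not in seen:          # guard against membership cycles
                walk(grp, chain + [grp], seen | {grp})

    walk(identity, [identity], {identity})
    return paths


def who_can_access(resource):
    """Map each identity that can reach `resource` to its access paths."""
    return {ident: p for ident in IDENTITIES
            if (p := access_paths(ident, resource))}


def lifecycle_findings(today):
    """Enabled identities the HR-driven process would miss or failed to close.
    Returns a dict: identity -> list of reasons."""
    findings = defaultdict(list)
    for name, rec in IDENTITIES.items():
        if not rec["enabled"]:
            continue
        if rec["type"] == "employee" and rec["hr_id"] not in HR_ACTIVE:
            findings[name].append("employee enabled but inactive in HR")
        elif rec["type"] == "contractor":
            if rec.get("sponsor") is None:
                findings[name].append("contractor without internal sponsor")
            if rec["contract_end"] < today:
                findings[name].append("contractor enabled past contract end")
        elif rec["type"] == "service":
            findings[name].append("service account: confirm owner and review cadence")
    return dict(findings)


def risky_access(resource, today):
    """Join the two views: identities that reach `resource` AND carry a
    lifecycle finding. These are the rows to review first."""
    flagged = lifecycle_findings(today)
    return {ident: flagged[ident]
            for ident in who_can_access(resource) if ident in flagged}


if __name__ == "__main__":
    today = date(2024, 3, 1)   # constructed "as of" date
    for ident, paths in who_can_access("payroll-db:read").items():
        print(ident, "->", [" > ".join(p) for p in paths])
    for ident, reasons in risky_access("payroll-db:read", today).items():
        print("REVIEW", ident, reasons)
```

The point of joining the two views is that neither alone is a risk decision: a stale contractor with no entitlements is a hygiene issue, and an employee with write access to payroll is expected; a stale contractor who still reaches payroll data through a nested group is the row that should drive the next access review.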
The Human Element
Those are some of my thoughts on the technical side of the equation. As for the all-important human element:
- Change users’ mindsets. The biggest thing to worry about when developing an IAM system is apathy from the user base. An excellent interface and user experience are critical and often overlooked. If users don't see the value or find the system cumbersome, they are not going to use it or will find ways around it. No users means no return on investment and a loss of both time and money to the organization. That's a bad combination if you want a successful IAM program.
- Market your system. You probably just spent a lot of time and money to get to the point where you are ready to launch a new service to your users. Don't get cheap on the marketing! You want to drive up the engagement as quickly as possible to get your investment returns faster.
- Turn converts into ambassadors. Make things easier for the department administrator who handles the team’s onboarding and offboarding and you'll gain a fan for life. If it provides them with value, your user base will promote your IAM system for you.
- Consider bribery. Want to see your registration rate improve? Buy an iPad and tell people they'll be automatically entered into a drawing to win it when they register with the IAM system. Watch those registration numbers skyrocket! :)
Not sure where to start or need someone with experience to validate your IAM approach? Our IAM Kickstart Program is designed to help!