[podcast] IAM Strategy Framework Introduction
on their podcast, "Identity at the Center".
Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm. In this episode, they talk about:
- Putting together an IAM Strategy - Process and Framework
- IAM Assessments
- How to scope an IAM Program (PUT Chart)
- Identifying and Meeting IAM Stakeholders
- IAM Recommendations
- IAM Roadmap Development
LISTEN HERE or read the full transcript below.
We hope you enjoy this episode and please subscribe to the podcast for updates on new episodes!
*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.
Podcast #1 Full Transcript:
Identity At The Center Episode #1: Introduction to an IAM Strategy Framework
Jeff: Welcome to the Identity at the Center podcast. This is the first of what we hope will become a routine look at the world of Identity and Access Management. My name is Jeff Steadman and I'm here with Jim McDonald. We're both Strategic Identity and Access Management Consultants with Identropy’s Advisory Practice. Jim and I have each been in the IAM space for over 15 years and have been in the trenches of real world identity management programs, deployments and operations. As far as my background, I've worked for several large companies running IAM operations globally. Jim, would you talk a little about your background?
Jim: Sure. Hi, everyone. Jim McDonald here. I joined Identropy seven years ago and I've been in the advisory services group as well as I started and ran the ForgeRock practice for a while. ForgeRock is an IAM vendor focused on external Identity and Access Management and really that's kind of my area of specialty. So my first IAM project was focused on actually went to a manufacturing company. I was responsible for the dealer portal. So I was kind of a web server and web application guy, was more on the technical side of the house, but I was transitioning in my career into getting into more project management program management at the time I was just getting started with getting my MBA at Rutgers University - well, shout-out there. And you know, I got this opportunity to take our dealer portal and expand it across multiple brands and taking a bunch of different web applications that were used for doing business functions, like ordering and ordering complete machines and parts and submitting warranties and things like that.
And I had to pull it all together into one portal. We had our dealerships across the United States and someone somewhere outside the United States and made a lot of these applications that some users would have accounts in all the different applications with different user names and things like that. And our drive to start with was to get to one I.D. and password per person. And that's a bigger challenge than you than you realize when you start going down that road. And so that's how I got into identity and access management because we came to find out this is actual space, this is something that people are creating solutions for. And that's Captain Obvious. Today was 15 years ago. It wasn't, at least for me. So that's how I got into the space. And I always say, everyone's got their own story. How they got into IAM you know, most of us stumble into it by doing some other job and then found that they were awesome IAM project and got into it at the right time or even today.
I think this is depending on where you are in your career. This is like an area that you're looking to get into.
It's something I think that pretty much anybody with a business background or technical background can get into. IAM. And just everybody has their own career pathway. I think in this space.
Jeff: It's interesting, you said so I was at the Identity conference this past week in Washington, D.C., and I'm in the process of writing a blog post about this, but it's funny that you mentioned how you got into IAM because I don't know anybody who got into IAM starting with IAM. I mean, they started maybe on the network side or help desk side like myself.
I started in help desk, kind of moved over to an administrator before moving beyond that.
But I don't know anybody in the IAM space that started in it. Do you know anybody that fits that, Jim?
Jim: I can think of one person which was Mario DoSita now with a company which transmits security now? I think so. And yeah, he was a developer. We brought him in for the bank that I was working for. We brought him in as a developer and that was like five years ago. And that's why I think you know, my answer for your question was ten years ago, the answer would have been no. But I think more and more now, it's like the IAM races has gotten so big. And we had one of the things that we are always talking about is the need for more talent to get into this into this area. And I think IAM is now in the place where it's like, you know, what kind of a cottage industry where we have to go out and take people who don't necessarily have the skill set. You know people fresh out of college and get them, and IAM. Another example is Fletcher Edington from our company. He was hired as an intern and he was doing technology deployments in the IAM space. And now he's on the sell side. He's built his entire career around IAM. So I think it's more of a kind of a recent phenomenon, maybe within the past five years or maybe a little bit more. But, people have been in this space for a long time. Most of those kind of stumbled into it one way or another.
Jeff: If you mentioned the intern thing at when I was at the conference and we were having an I.T. pro organizational meeting, kind of a get together meeting, I drinking at a bar. And we're talking with a couple of folks from IBM and actually have an intern kind of process where they bring people in and have them kind of work around the different non-engagement side, like different departments in the IAM kind of consulting's that they do and they're trying to get more younger talent into those groups as well.
So they actually have a dedicated program to find those people get them exposure and kind of help them figure out where in the IAM space they might fit if they fit right. If they don't, they kind of run, they're a big company and they're looking to get support.
And from a talent perspective, and they actually have a kind of decay program, which I thought was pretty cool.
And it's probably something I would imagine lends itself more to the consulting space. Bringing in folks and trying to get people my email. I don't see like an enterprise bringing people in and letting them kind of figure out where they want to be at that level.
But, you know, those folks at some point end up in the industry probably.
Jim: When I first got into I.T. about 20 years ago, there were a lot of different ways you could get into I.T. and kind of build a career.
So there was, you could be a network engineer, you could be a server engineer, things like that. A lot of those spaces have become commoditized. And then, smaller companies, mid-sized companies just outsource server hosting or network setup or voice over IP phones, phone systems. That was another entry point into I.T. back in my day. But, today there's fewer and fewer of those are being commoditized and not necessarily moved out of the United States, but into bigger companies that I'm sure they have internship programs and things like that to get into as well.
But IAM has been one of those spaces where it's evolving so rapidly. And a lot of small companies move into the space and it gives opportunities for newbies or new people to move into the space and really build a career on things that I've always loved about IAM is that people who I think are the most successful have, really good business skills, but enough technology skills to be dangerous or vice versa. They've got really good technology skills and business just enough to be dangerous or obviously if you're really experienced with both, that's great. But you're solving business problems with IAM you know, you really have to look at how do you do things today? How do you want to do them? Compare that with how does the software work out of the box and having the business sense to know that you don't want to take something that you bought that works out of the box and customize it too much and then be stuck with kind of a Frankenstein system.
Jeff: I mean, there's so much more to IAM than just technology, right? I mean, it's there’s management. There's marketing. There's communication, Relationship, building and all. And I think maybe it's not fairly obvious unless you've been in the space for a while.
I don't consider myself overly technical. I know enough, probably dangerous. But I'm not going to go out and write your code and install and configure a system.
But I sort of understand, you know, the macro concepts, how things are gonna work together. How does this work in the real world that large companies and change boards and software review boards and kind of all the company governance that tends to go around, big projects, how to market out there.
And what things I always say during our engagements.
As you know, from a program manager perspective, half your job is out there doing diplomacy, kissing babies, making relationships with people, making people aware of what the services that you're offering. So that's probably a topic that will maybe cover in the future.
You know what makes it good?
IAM program manager and I think that's an excellent topic.
I think we're good on that right road at some point.
So what are we going to talk about today?
Jim: I think what we should try to cover today is something that's kind of near and dear to what we do because we didn't discuss them and based on our real world experience. But putting together an IAM strategy and, with the role that you and I are in and it's just to be clear to everybody, what we do is we're the advisory services team in Identropy. So we parachute in with our clients who are kind of come to the realization that we need an IAM strategy. And then they at some point discover we don't know how to make an IAM strategy.
So I think we could talk about the framework that we follow and kind of the process that we go through, because not every organization and IAM program manager can afford to go out and bring consultants in and help with the process. But I think the process is something that anybody could take on. And there might be some folks out there who are interested in just kind of understanding what we do and how we do it. So what I was going to kind of talk about was our framework. And I really like to break down what we do into three major parts. So it's assess, recommend and roadmap. And so let me go through those three parts and break them down further. The assessment phase really understands how things work today. And I think this is important to understand where your starting point is. And really it's going to help you develop kind of where we're at today and what we want to accomplish, which is going to be that recommend phase and then realizing the amount of work that needs to happen to go from point A to point B. So normally with the assessment where we start as we do a lot of we do a scoping exercise or we call it is our PUT chart. The PUT chart is essentially processes, user types and target systems.
The whole idea on why we do that is to go through what is the scope of the IAM program because IAM can mean many different things to many different people. But if you get an exhaustive list of like here are the processes we want to go after. Whether it's things related to managing privileged identities, user onboarding, user offboarding, authentication to applications, whatever it may be, it's not all those things. Maybe it's just password management and it's a finite scope. But realizing what your scope is kind of the starting point. And one of the great things that come out of that exercise is that as you go through something like who are the user types? So in other words, who are we doing these IAM processes for? You're going to realize, oh, here are the stakeholders that we need to get involved. And we're talking about external customers. For example, we need to get people who within or within our organization respond are the person who is responsible for communication issues or things like that, who provides them support. In other words, when a user runs into an issue or two, they turn early. That's the service desk talking about employees or probably giving HR falls if then as you go into target systems, to say SAP or Salesforce is on the list or we need to get people involved from those stakeholder groups. Now all those people that we identified, we then want to get them involved in a workshop.
And a workshop would be a series of meetings where we understand from folks how do things work today, what's working well, what's not working well, what ideas you have for how to make things work better. And so that's kind of the starting point is, I guess to break down the assess phase. It's identifying scope, identifying stakeholders and then meeting with those stakeholders, going through the workshop activities. And that might be a future podcast as well as like what these workshops look like? How do we structure the workshops? But what I like to do in the workshops as well see workshops drones for them to be very interactive. It's not for us to kind of be interrogating or just asking one way questions and just taking notes, the more that we're interacting and white boarding or going through diagrams and process flow charts, the better. And then coming out of that and kind of the reason we use the term assess is that some things are going to jump out at you right away, like this process is broken or this process works really well as a strength within the organization as weakness. Want to make sure we document all those and then be able to tell the story. What is it that needs to improve? What are the drivers for this program? Why is it important to do something so I don't know? What are your thoughts on that, Jeff?
Jeff: That's right.
I think one of the things that typically end up being the hardest parts of the engagements that we work through with our customers is trying to get that attendance right for those workshops and having people to be available. It is an investment of time, right, to get those folks in there. But it's certainly beneficial, definitely for the customer and definitely for us. They will understand how does it really work today? Because you can have things that have written down on paper and process, etc. And that's great. But that may not actually capture what's really happening. Right, so if we can get folks in the room set up a safe space, right, to have those conversations and figure out how do we solve some of the issues that we hear.
That definitely helps out quite a bit when you talk about the assessment. I always find it interesting and I know we both asked this question a lot from an assessment perspective, Are we right on? Do they know that? Does the customer agree with us or do they have a different perception? So it's always interesting to kind of have that conversation. So, we knew that we weren't doing so right here. And, that’s kind of what we're expecting. I don't think I've ever come across one where we've done an assessment and provided, here's why we think you're X and the customer saying, well, you're totally wrong. This is why we’re so much better than what you think. We're usually pretty right with that. I don't know if you've ever encountered that from an assessment perspective, but I think companies kind of brace themselves for the worst and maybe sometimes they're pleasantly surprised or they agree with the assessment.
But I've never seen the opposite where they thought they were doing a lot better than maybe what they really were done.
Jim: I think you're right on with that point. One thing, There are two points that I wanted to throw out there. One is my perspective is like this is your strategy because a lot of times will. And so that drives a certain perspective. You don't need to know every iota of detail and make a strategy. You need to know where areas of improvement, the way passwords are managed is a problem.
You don't need to know every different aspect of the password management policy or from a strategic perspective, if you know that the tool is the problem, the tool needs to be replaced, then that really ought to drive the strategies. You don't want to get burdened with too much detail. And I think a lot of times in the projects that we worked on, some of our clients think you guys are here, you need to know every detail. We need to meet with every stakeholder. Anybody who has anything to do with passwords, it's just not the case. The other point that I wanted to bring out is that, we talked about it as a workshop and at least from an identity perspective, these are engagements. So we're going in and we want to try and get all of this information in a week. So we try and schedule all the meetings in a week. I feel like if our listeners are going out and trying to do this on their own, they should take that same perspective if you spread these meetings out over several weeks or much worse, several months, you're going to lose momentum, get it done. You'll never get it done. You'll forget things. So there's going to be one more person to talk to. And it doesn't create an event. It doesn't create like one of those things I think about when folks hire us to that. The consultants are coming in. They're going to be here this week. You need to be ready.
Right, make yourself available, right?
Make yourself available, really to one of the exceptions. You can do a phone call next week if you can't be there, if you're on vacation or whatever. The reason is we don't let it drag out three weeks. It's kind of like if you can't talk for three weeks; your perspective is not going to be included. I don't mean to be so harsh. you don't really need to be that harsh. But if you have several groups are saying, I guy, you know, if it's just not important enough for them, that's a bigger problem. And so that that is it to me is like you've got to kind of create an event. You've got to have a sense of urgency around it, Right. I mean.
Jeff: Let's get people in the room. Let's get this conversation. We know it's an issue.
We've got these high powered consultants coming in, let's take advantage of their time, and set aside the time so we can get this done. That's the only way. I think that's why the hardest parts are trying to get those. To be into that process. To get availability, bigger the team, bigger the number, the larger number of stakeholders, just because that was more difficult. So I think the thing is we try to keep it more core and bring in other folks as needed. That sometimes can help with that as well, because most companies, they typically have like a core kind of IMT, whether or not they're truly a team or not, there are typically a handful of people who really know how it works. And then you've got supporting characters around that might be subject matter experts in that given area that don't necessarily need to be there full time. But we certainly would like to have an hour, two hours and three hours of their time so that we can understand their side of it. That definitely comes into play.
Jim: Right. And so, moving on from the assessment. I think you've made a good point. We would like to with our assessment, bring it back to the client. Have them review it, verify that it's comprehensive and complete. We didn't forget something. We didn't state facts incorrectly. Usually that's not the case, but it's good to do a quality check. And then we move on to making recommendations. And our recommendations are typically based on best practices. So we know what the problems are in the environment and we know what the common industry solutions are.
But more so than just technology solutions, it's there's some major themes that we generally look toward, like centralization, automation and consistent processes so that, say you're working with a large organization and they do things different ways and different departments trying to drive toward once. One common way of doing things is that those are the typical drivers.
I'm not going to say that, there's work for 100 percent of organizations, but probably high 90s, doing things from a central perspective or at least having certain things done from a central perspective. Automating, it's not always the case that you want.to automate something, but you don't have a framework for automating where it makes sense. So that’s really what we do from a recommendation standpoint. And of course, Jeff and I have a lot of experience in the space. So we've kind of a lot of these things are second nature for us. But a lot of the benefits that you get and kind of some of these best practices like I talked about are also if you think about any kind of enterprise project, you're looking at an active directory project or something like that, it would be the same kind of theme, centralization, automation. So those are the drivers. One of the ways you can, if you're not working with a consultant that you can start to get some ideas on how the industry solves these problems. We just start to bring vendors in to present them here. Here are the problems. What are you know, how would you go about solving these problems? That's going to give you some information from the industry perspective. That's not how we operate because we do it from a vendor agnostic frame, frame of mind. We want to say, if we were in your shoes, this is how we would do it. We base it on our experience. So I think anybody could implement the framework, but nobody can implement Jim McDonald’s experience.
So for Jim McDonald, because I'm the one who has my set of experience and Jeff is the only one being a citizen. Everybody has those things doing personal service. But, so that's kind of how we go about the recommendations. Kind of some of the major elements of recommendations are going to be people process and technology. What are the things that would go about solving kind of the assessment, doing kind of a gap analysis? you're the gaps and here the recommended solutions.
Another thing I would say is a lot of things that are going to come out of the assessment have nothing to do with technology. They just have to do with how you're running your IAM program or our recommendation is always we've got to run IAM as a father. Let's just go ahead.
Jeff: No. I mean, you're right on. This is an area I think that it's easy to become overwhelmed, it's there's so many things that might come out of just recommendations, but a lot of it typically doesn't tend to be technology based.
Right, it's more on the process side, one of the questions that we like to ask is, why do you do it? Why do you do it that way? And sometimes no one really has a good reason why no one no one figured out or wanted to kind of rock the boat. And, you know, maybe we play bad cop. It's part of the process. It that way, what about this kind of ask those questions? You don't ask those. You'll never get a path forward sometimes. But it's easy to get overwhelmed, especially with some of our larger engagements where you may end up with like over 100 individual recommendations; you can't solve everything all at once. And, you know, that probably leads us into the next part. Here we talk about road map. How do you prioritize what goes first? This is self-service password reset. More important because your help desk is drowning in those calls or it's privileged access management more important because you're not doing anything there. Right? How do you figure out which area comes first?
Jim: Well, there's really no silver bullet for that. I mean, you've got to look at what are the drivers in the organization. Let's just say you think the driver is automation. We go into certain clients and we just say, my god, you guys are drowning in risk, you know, and other organizations are driven by risk. And, you know, just say, wow, you guys could be doing the doing everything so much better if you just had some automation. Usually it's a balance of all those things. Just risk its automation, its opportunity for enabling new technologies and the certain things are going to bubble to the top.
One thing that I think almost never wants to be heard, but it is the case, is that you're going to. Introduce a lot of new technology footprint to say you're going to put an access management single sign on system in place, you're going to have someone call it heavy lifting, but there's some infrastructure that needs to be laid down. There's going to need to be some basic work put in to play to configure the system.
You're going to have to do implement maybe one system. It's kind of a proof of concept just to make sure that, nobody wants to do a big bang approach or even the smallest enterprises don't want to do big bang. So you you've got to think about things in phases.
Right, I'd say, more is moving to the cloud. The infrastructure phase is either eliminated or shrunk down considerably, but not everything is moving to the cloud. And this is a good blog topic or I guess topic for the future is to talk about, Access Management, single sign on to something that is moving out of the cloud dramatically quicker than the Identity, Governance and Administration space.
That's because companies, the way they do Identity, Administration and Governance varies much more from organization to organization. The fields they have to manage and governance and provision. It just it there's so much more variance where a single sign on has really driven toward some of these federation protocol standards like SAML 2.0 and OpenID Connect. And those things have been able to move out of the cloud and there's now integration patterns that we'll be able to take. Cloud based single sign on and connected to applications that are even on-premises. So. You know, I guess what the point I was making was, don't forget kind of the infrastructure phases. I don't think that you can just say our Phase 1 is going to be it just integrating application because you're going to have to get those feet. Those early configurations and maybe some infrastructure spun off as well. So that's kind of the traditional on.
Jeff: Well, they'll change, too. I mean, what is it you're working on a roadmap, especially if it's like any roadmap beyond a year. there’s going to be changes that come along the way. So you need to be able to be flexible and adapt. as things come down, down the line.
Jim: I think if somebody is out there listening and say, well, how do I apply this to me is I can afford to go out and get consultants, how am I going to build my IAM strategy? And I think the hardest part is less coming up with what you know, I think anybody may not anybody would.
Most of us can look at these problems, look at the vendor solutions that are out there, read what they say on their Web site, watch their YouTube videos and say, I think this will solve the problem. The hard part is being confident that, it'll solve the problem. So that's why I think that you know why or one of the reasons why organizations want Jim and Jeff to come into help is that, what we've seen and we can based on our experience and say, yes, we are very confident.
You don't want to come with a strategy that you're not 100 percent confident. If you don't get expert, if you don't have that experience, I think it really you're going to have to go the extra mile and tap into whatever resources you have available to you. And the best ways on the way is I learned a lot about Identity Access Management was tapping into my colleagues at other companies and my friends who were in the space and message boards and things like that, because, there are people out there who love sharing information. Jeff, you and I are doing this podcast today because we love sharing information. There's ways to get the information in ways to get people's opinions. I say also within your organization, IAM is you know, IAM as a technical be some to itself. But a lot of the architecture design that you're going to do, pulling someone to the enterprise architecture team, or if you other resources like that you can tap into to help you make sure that you're following good architecture design principles.
Jeff: Right. Well, it's an experience. I think that's the important thing. But, you know, this is one of the reasons why I moved into consulting was when you worked for a single company, you know how they do it.
And you know, the tools that they get when you're in consulting, you're seeing how way more companies do it. You're getting a much broader exposure to a larger number of tools and you get to see much quicker what works, what doesn't work, how particular issue might have been solved in one organization.
And, you know, that's where that experience factor comes into as you pull that situation over and say, OK, this is very similar to what we saw at company X, company Y. Yeah. You know what?
We've seen something similar to that. Let's talk about how this might work and see that that certainly helps. And I think that goes back to reaching out to your network. and trying to figure out everyone struggles with very similar problems, for the most part, it's very rare that not very rare, but a lot of companies struggle with very similar problems seriously that that, if you can talk with more folks in your networks etc. and see how they solved that. There may be components of their solution that might be able to apply to fix your own. And you know, once you talk to enough folks and try to get enough data points; you start to build that confidence level. OK, here's the right way to approach it. So having that broad network and being able to talk to folks, go to conferences, commiserates the folks there. I think I just be straight up and upfront with some of the vendors. If you bring in a vendor and you've got a specific problem, tell them what it is and see how they would solve it. That might help you understand it. They try and sell you their product, but take the information. And as you're comparing different vendors, see how each one handles it. You may find that a you know, a vendor A is better at what you're looking for to say, but specifically the vendor B, even though vendor B might be the big dog right, in the industry. So there is no there's no silver bullet like you put it before.
Jim: So after we go through, assess, recommend and roadmap. Now you have your strategy. I think the final step now is communicate, communicate, communicate. Tell everybody about your strategy. Present it to your peers, present back. To the folks that participated in helping you define what's working well, what's not working well, get buy-in, right. And I would really start if you can kind of get more of the grassroots level, the people who participated and then work your way up the channels so that you're presenting to an executive team, letting them know that you have buy-in, letting them know how you got to build the strategy, who you talk with and that you've gone back to those teams and they're buying in. And in my experience, executive teams are going to want to know, deservedly agree with everybody, and agree this is the solution. And then they're going to want to know how much they every degree and how much does it cost. I mean, and again, probably another topic for another time is really going about communicating. But that's kind of a soft skill, right?
Jeff: It's all about marketing, right?
Jim: It is that when you're at that point, it's all about marketing. You've got to be able to communicate. You get approval and you start going into projects as where the technology is going to be. Technical skills are going to be even more valuable because, if you're a program manager and you're running projects you don't want to get. You don't want to get technobabble to death or were tricked. You want to be able to evaluate yourself and make sure that you get it. That was always my thing, if something was technology, really that was, you know, outside of my expertise, I'd say, explain it to me. And so I understand it. And eventually I would either understand it or they couldn't explain it to me in a way that I understood. And then I didn't want anything to do with it.
Jeff: If you can't articulate the value of whatever it is you're trying to do, it obviously extends beyond just IAM. But you can't take that, particularly the value of what IAM prime is going to bring. What you're trying to do, you're not gonna get the money to do anything. I mean, right.
I mean, it's you have to be able to tell the story of why we're doing this. What's the benefit for it? How does it make your life better? Right, that gives you the money, theoretically. Right, you know how much money is always up for debate. I mean, budgets are always a hot button item that some companies may have, set aside or any money for that or some haven't really.
Some have been thinking about it for a while. And the longer you wait, typically, the more you get to spend up to get caught up, so to speak. But if you can't articulate the value or what you're trying to do, nobody is going to approve any type of spec for that. So you want to be able to start and start to master that communication strategy of what is what are we trying to do here? Why are we doing it? And why is it important? Those sorts of things, I think that provides a pretty good summary of their process, could probably leave it there for now.
Jim: I agree. I think, you know, our goal I think today was kind of kicked this thing off right. To get it started. And these are the types of conversations we'll have dive into some more of these areas. Well, you know, this really the plan part that we talked about today will talk about build projects, about how to run operations environment. Those are the kind of topics that people are interested in. I think they'll still enjoy this podcasts.
Jeff: Yeah. I mean, really, it's you know, it's a wide range of topics. It's really identity related is probably in scope for us. Know that's current events, topics that we see come up during our own advisory engagements that we're working on, any other items that we might come across that people might find interesting.
And if there's this particular if there's a particular topic or if you've got a question or just general feedback, you can always e-mail us at questions@identityatthecenter.com.
We’ll be sure to read all those and take that and plan out future episodes of Identity at the Center.
Jim: Awesome, Jeff was great. I think that was it for our first one, so we're going to call it there. And thanks for listening. Take care.