How to Build A Successful Identity and Access Management (IAM) Program?
Carlos Rodriguez, Director, IT Security & Risk, Citizens Property Insurance
Carlos Rodriguez, Director, IT Security & Risk, Citizens Property Insurance
A successful Identity and Access Management (IAM) program will support your efforts combating cybercrime, but it may prove disruptive to your organization as it requires significant changes in technology, processes, and they way employees interact. User access is what brings together the people, devices, applications, and data that we work with every day. But user access is also the most common area of attack. While IAM technologies have greatly advanced to help with detection, prevention, and response to identity attacks, employees must be brought along for any program to be successful. Here are some key areas to consider to deliveryour IAM Enterprise Program.
Developing an Enterprise Strategy. Start by identifying key stakeholders and process owners that you will bring into the conversation to identify their successes and concerns.Your goal is to listen and lead them to conversations that can uncover how they can be more efficient while managing risk. Keep in mind that this group is likely diverse and includes members who have very different needswhich may include:
• Internal staff who access resources to perform their job
• Partners who need access to resources to support your business
• Product development teams o Technology teams who support the business;
• Customers who access your product or services.
• Define clear roles and responsibilities. Make decisions early on howyou will structure the program; who will lead; who delivers; and who will operate the resulting set of solutions and processes. You will have to identify leadership, delivery and operational roles for supporting the implementation and day-to-day operations of the IAM infrastructure and processes. How you will approach this depends on your organizational structure and culture and many of these roles will likely be distributed across operational teams. Here are some examples of such roles (not all inclusive).
• Program Owner(s).They are often responsible for decision making on behalf of executives and stakeholders. Some of their duties include leadership, budget management, risk management, and communication. The Program Owner should possess solid leadership and communication skills and their role is to remove impediments so the team succeeds.
• Product Owner(s). They are responsible for process, people and technology associated with implementation and day-to-day operations of the chosen IAM solutions. They support the Program Owners and often act as their extension.
• Account Provisioning. This teamhandles day-to-day boarding, changes and deboarding of your user access accounts. The team could be centralized or distributed per business process area. For example, often helpdesk is tasked with these functions while a different team may process access needs for customers.
• Role Management It is critical to understand what roles are needed for your users to minimize risk of over provisioning privileges and access.
• Privilege Access Compliance. There are users who need more access than others to perform their job (think of technology teams). It is critical that a team runs periodic access verifications to ensure that those with elevated privileges still need that access.
• Access Monitoring. Usually a security function, someone should be tasked with identifying and responding to access violations and incidents.
• Process Improvement. This is where the magic happens. Make sure you are continuously looking at your process as that is where you will likely identify areas of risk and innovation. Do this by making sure that you build solid partnerships with those stakeholders that you have identified and that they are listened to.
• Organizational Change Management (OCM). You are about to disrupt your users by changing the way they logon to systems (for example by introducing Multifactor Factor Authentication or MFA) in addition to the stakeholders and process identified so far. For example, a few years ago, MFA was the main causes for disruption in this area, but this technology is now mainstream at banks and online shoppingamong others. However, other technologies such as those that “remove” privileges from your people are often frowned upon and seen as disruptive. Furthermore, processes will change because of this program, which will make people uncomfortable. Partnering with an OCM team will bebeneficial to your program because they will help you identify the “What’s In It For Me” areas of attention that you will need to communicate often to different stakeholders. OCM will also help you determine what measurements you put in place to monitor and report program progress and status.
Your IAM program will introduce significant change to your enterprise. Focus on process and people in addition to technology to deliver solutions that can be applied at all levels of the organization. Finally, make sure that you communicate often and clearly in order to gain and maintain support from key stakeholder to ensure the success of the program.
