15 years of IAM: the end of an era?
IAM projects have blossomed since the early 2000’s and most large companies implemented one. Unfortunately, for most organizations, a significative gap appeared between what they hoped to get from their IAM projects, the expected benefits, and what they got, or should we say what they didn’t get in most cases. Many aspects of these projects initally planned weren’t implemented or requested specific developments that haver prevented any evolution or upgrading since because of these in-house specifications.
Companies initially launched IAM projects to provide an efficient answer to their risk and compliance challenges through automation. But unfortunately, this resulted in focusing on operational efficiency and leaving out risk mitigation on the long run.
Today, IAM domination is coming to an end with business and security needs evolving at a high pace, much faster than the rate at which massive IT projects, such as IAM projects, can evolve. Desillusion, constraining IT architectures inherited from these projects, lack of defined goals and perimeters from the start, all of these are some of the main reasons why IAM systems alone aren’t enough anymore.
Organizations need something else – something more – today to, not only ensure proper access management, but also implement access governance, continuous compliance and reduce security risks which continue to increase every year.
Getting rid of silos and connecting access management to the rest of the information system is essential. Making things simple and ensuring that technical and business internal actors are working together as much as possible are some of the key recommandations to start fresh. Working with silos is no longer possible. Services and departments within a company are more and more connected. Organizations now belong to a full network and need to communicate across the board. Silos are no longer accepted while IAM projects have most often been built that way, based on silos.
That is why it so hard to make them evolve, and in many cases impossible, because they cannot be connected and have often included in house specifications that prevent their upgrading. In many cases, making your IAM solution evolve amounts to as much work as implementing a new one.
Thus, when discussing IAM strategies and projects, it appears as if nothing has changed over the last ten to fifteen years. With the surrounding environment evolving – new risks, new ways of consuming IT – there is a need to reassess the way companies leverage their IAM programs, in terms of services, technology and organization.
Understanding why IAM projects often fail
If we consider a traditional Identity and Access management approach, a strong focus is set on connectors, meaning access fulfillment and automation. Other IAM services that should be included and implemented are too often considered as a secondary concern and never really implemented.
Companies’ experiences with IAM projects have many similarities for most of them: very long projects, weak visibility regarding the software’s adequacy with business users’ needs, budget and deadlines beyond pushed way beyond limits set at the start. The delivery value is most often not what was expected. For most organizations, the project’s scope has shrunk and very little automation has been implemented.
Other very important aspect: access-related risks aren’t taken care of by IAM solutions but they represent significative security risks for any company, regarding external and internal threats. Indeed, with the rise of access-related security risks, both through external and internal threats, companies now do not have the choice and need to mitigate these risks with an efficient access governance.
Knowing your information system as a whole – its users, their job positions and access righs, their usages and behaviors – is now necessary and IAM solutions cannot take this in charge.
What you need to succeed
Changing IAM solution, trying to make yours evolve according to your business needs or studying alternatives, all of these options require you apply best practices to make sure you chose the proper one.
What you need to pay attention to : ensure proper user experience, make sure that the solution is able to evolve according to your business needs, ensure data quality and controls automation as key components, and maybe try and see why you do not need IAM provisoning that much to ensure proper access management.
In addition, here are 3 key factors for success :
- a unique platform to process end users’ requests
- technical tools relying on standards
- transversal solutions for audit, reporting and control
These 3 key factors will enable you to brake silos and take in charge all necessary processes you need to ensure: information browsing, request input, validation workflows, provisioning and technical actions as well as reporting, audit and control.
This will enable you to operate transversal processes and brake 4 key silos: IT & logistics, IAM for application access, non structured data and, last, ERPs.
You may ask, is this really possible? Do cross system and cross application solutions already exist? Indeed, some organizations are currently studying and implementing alternatives to the traditional IAM approach and it is promising.
Studying alternatives: a new paradigm with Identity Analytics
There is adequate and proven technology on the market to support this approach and organizations can chose among several options, according to their business needs and environment.
Some companies are examining alternatives to the traditional IAM model such as replacing IAM by a meta repository. Nevertheless, what we should be paying attention to are the other components of these options. ITSM tools and Brainwave Identity GRC, as an Identity Analytics solution, are included in many alternatives, so of them which do not even include an IAM solution.
Usually, an IAM solution does not cover what is initially needed and access governance as well as access related risk mitigation are left out. With these alternatives, some companies are starting to see how to meet their evolving needs outside traditional IAM and costly projects.
Nevertheless, the point isn’t to conclude that IAM projects are all failures – which is far from being true – and that Identity Analytics coupled with ITSM is THE alternative. IAM and Identity Analytics are complementary and companies need to make them work together to attain both of their prime goals: operational efficiency and risk mitigation, on a continuous basis.