October 29, 2010

Common Pitfalls in IAM Implementations

Today many companies are leaping at the chance to reduce administrative costs in the workplace. Whether they choose automated account creation, single sign-on, self-service account administration or centralized and automated logging, most companies are looking for a way to improve or automate processes. So the choice has been made to move towards IAM (Identity Access Management). IAM is a means of integrating all applications and identity repositories into a centralized, manageable system for authentication, authorization and reporting. How can you avoid the pitfalls many other companies have fallen into over the last decade while implementing an IAM solution? This is just a small list of some of the top reasons companies struggle during an IAM implementation.

Take time to discover your needs

Most think of discovery as part of the planning portion of a new project or IAM implementation, and they are partially correct. In a sense discovery means planning, but in this instance it is about planning out details of the implementation strategy or planning out what resources will be working on this project. Take time to decide what you want out of an IAM solution. What are the high-level reasons driving this project? Was it a “knee-jerk” reaction to a breach, an audit, or some other cataclysmic event? During discovery, identify your stakeholders, identify their goals in regard to IAM, then collaborate and decide on some high-level goals for the project. Most companies do not spend enough time in this pre-planning discovery phase and try to rush to the implementation stage for a quick patch solution.

Be wary of vendor promises

Unfortunately, too many companies rely on vendor “best recommendations” for their IAM installation. Vendors tend to think their product is a best fit for every situation. In the real world this is rarely the case. A good idea is to review your environment and your concept of an IAM solution while trying to be vendor agnostic. This is not to say that you should not consider vendors while coming up with your plan, but be cognizant of what your goals are and try to stick to them. Do not let your goals get swept under the rug because vendors are selling their bells and whistles. Consider that “best-of-breed” might be an option for you, and stay vendor neutral until you decide what you want for your environment.

Stay driven by strategic goals

Set high-level strategic goals early and revisit them often to adjust and refine them. Without a set of goals established early on, business members may not see what it is they are getting into with IAM. Either IT has too many hands in the project without enough input from the business, or vice versa. Decide early on what your business is and stay true to what is best for your business. Early in the planning phase of an IAM project, develop strategic goals that are agreed upon by business and technology, then revisit these goals throughout the project, as they may change as it develops.

Revisit the project plan

During all phases of an IAM project, revisit the milestones and roadmap to make sure the project is both on track and focused on the original high-level goals. Projects of this size tend to be living, breathing creatures that can grow out of control as the groundwork commences. As one set of processes is completed, you find more things to add and tack on to the project. Stay focused. Revisit the high-level goals often. Remember to change objectives if they no longer make sense.

These are some of the surface items that hinder and/or bring down many an IAM implementation. Keep these key factors in mind and an IAM implementation will be that much easier. No IAM project will be completed overnight, and none should be. The process of integrating dozens or even hundreds of applications and their identity repositories is a great undertaking even for a small business. Stay focused on what is important and the results will improve.