Organizations rely on identity and access management (IAM) systems
to streamline the administration of identities, entitlements and
credentials and to enforce controls over access to critical systems,
applications and data.
This document is an introduction to modern IAM systems, to help
organizations plan for, prioritize, deploy and manage IAM process
automation. It covers:
-- reasons to deploy an IAM system.
Process optimization and automation
-- the kinds of processes that can be automated and
advice regarding best practices rather than
automating existing processes.
Data cleanup versus process automation
-- clarifying that cleaning up identity and entitlement
data or defining roles are not pre-requisite to
IAM process automation.
Architecture and integrations
-- the integrations between the IAM
system and other systems and applications and
the variables that should be considered to scale
the system up.
-- staffing required to deploy and operate an IAM
Selecting a vendor and product
-- advice for how to select a suitable product
from a helpful vendor without having to read
thousands of pages of RFP responses.
Program, not project management
-- a long-term commitment to
implement and expand the system.
-- prioritizing deliverables and expanding the
scope of the often, rather than trying to
implement all possible processes and integrations
Ongoing system management
-- roles and responsibilities for the IAM program
team once the system has been deployed.
The first step in an IAM project is to understand the problems that
automation is intended to address.
The business drivers for deploying an identity and access management (IAM) system include:
Internal controls and regulatory compliance:
Reliable access deactivation when users leave the organization.
Ensure that new access is granted in accordance with
business need and in compliance with policy.
Enforce segregation of duties policies.
Periodically review security entitlements and eliminate any
that are no longer business-appropriate.
Control access to privileged accounts and elevated privileges
Eliminate weak passwords and other credentials.
Require strong authentication wherever possible.
IT support cost:
Lower IT support call volume and help desk staffing.
Reduce the volume and cost of manual access administration.
Reduce the burden placed by auditors on system administrators.
Provision required access promptly.
Simplify access requests.
Reduce the number of passwords users must manage and enter.
Linking IAM to regulatory compliance
Regulatory compliance with legal requirements such as SOX, HIPAA,
GLB, FDA 21-CFR-11, GDPR (EU) and PIPEDA (Canada) have created
significant challenges for many organizations. At the same time,
many organizations wish to implement standardized security controls,
such as ISO27001/27002. While the focus of each of these is different,
they share common threads: strong internal controls -- especially
in relation to access to sensitive systems and data and privacy
protection. While it is organizations, rather than software products,
which must comply with these regulations, _PRODUCT provides a variety
of capabilities that help organizations to meet these objectives.
Both corporate governance and privacy protection depend on strong
security in applications and IT infrastructure. Without such
security, internal controls cannot be relied upon and regulatory
compliance cannot be assured.
IT security depends heavily on an infrastructure of user authentication,
access authorization and audit, commonly referred to as AAA. AAA,
in turn, depends on accurate and appropriate information about users --
who are they, how are they authenticated and what can they access?
It is in managing these entitlements where organizations have problems.
There are too many users, accessing too many systems and they keep
moving as a result of hiring, transfer and termination business
processes. The result is that users sometimes have inappropriate
access rights or weak credentials - which undermine the AAA
infrastructure in systems and applications.
_PRODUCT helps organizations to more securely manage
identities, entitlements and credentials, so that AAA systems (embedded
in systems/apps or shared infrastructure) can enforce the right rules
at the right times, in support of security, corporate governance,
privacy protection and ultimately regulatory compliance.
IAM process automation
An IAM system addresses the challenges of cost, security and user
Automation: grant or revoke access based on changes
in trusted data (typically HR).
Requests: users request changes to identity data or
access rights -- for themselves or for peers.
Certification: stake-holders review the status and access
rights of other users, to identify access which is no longer
Workflow: users are invited to approve requests, implement
approved changes or perform access reviews.
Analytics: examine trends, access rights, data consistency
and policy compliance to identify and remediate problems.