I talk to a lot of people about their IAM programs, whether it is through calls or through active advisory engagements. Some are just starting; some have mature programs. But I was asked recently what I look for when evaluating an IAM program, or the lack of one, that would raise red flags. Honestly, I have always had a checklist of sorts when walking into an assessment or helping in an advisory role, so this question had me thinking a bit. Since I thought it was a good question, I figured I would share my response.
When I am asked to evaluate, or help plan, an IAM program, I’ll typically meet with the IAM and Security leadership to talk through their goals, plans, and overall strategy and requirements for IAM. This is usually where red flag #1 shows up: Lack of IAM Strategic Plan, Structure, or Team Identity. Having a team structure, leadership, and some kind of overall goal is the only way to say you have an IAM program. When there are issues, what I typically get instead of an answer is a mix of redirection, being sent to an administrator, and so on. No clear team structure or goals will hurt your IAM program every time.
The second red flag I see, and it is usually a concerning one, is a technology-first solution. I’ll talk to leadership, and the team, and will hear about IGA or access product X they bought and how that is their IAM program. When digging a bit deeper, what I’ll find is that it was brought in to address a specific compliance finding or recommendation and is focused on a small set of applications and use cases. It is not supporting an overall mission; it is really a tactical product serving a specific need. Or, the product was brought in and is only addressing a small subset of the applications in the environment, with no clear direction on integrating the entirety of the applications and identities for the organization.
The last red flag that I see, and ultimately one of the harder ones to address, is having multiple teams that are not communicating and are all building their own IAM capability. I see this largely in B2B, B2E, and B2C types of scenarios. But, ultimately, you have different teams, with different maturity levels, all building IAM capabilities, but in different directions. This can lead to serious security and compliance gaps as a person, or a non-human identity, moves through these environments.
So, in summary, here are the primary red flags I look for when starting a conversation with, or an evaluation of, an organization.
- Lack of IAM Strategic Plan, Structure, or Team Identity
- Technology First IAM Programs
- Multiple, unrelated IAM Programs and Teams
So, the next question with all this is how do you fix these?
Depending on which of the above red flags applies, this is how I would approach each one to step back and align the IAM capabilities and program.
- If you do not have a strategy, leadership, or team, then you need to step back and define the IAM need and identity. In years past, I would probably have recommended some form of assessment or roadmap exercise, which are helpful, but I think there are better approaches to achieving this need. Sit down with your consumers, leadership, etc. and document what IAM is serving in your organization and how it can enable security and/or organizational needs. This is usually the launching manifesto for starting to build out your IAM program and capabilities (see a later article I have coming on easy steps for building this out).
- If you have an IGA Vendor X team and that is your IAM program, then you are limiting yourself to a specific function. IAM programs are a combination of Governance, Access, and Privilege technologies and processes. If you start with a technology ‘team’, build a leadership structure around that capability and see how it can also integrate with and/or enable another function of the IAM triad. For example, if you have an IGA team, how is IGA aiding Access and Privilege, and how is Access using IGA / Governance?
- Having multiple unrelated and/or uncoordinated IAM programs is a challenge. I usually see this in either M&A or large organizations that have B2B, B2C, and Workforce IAM capabilities. The challenge here is that security leadership states the requirements, and each team addresses them their own way, at different maturity levels. In these situations, I usually look at the primary function (more than likely the security and Workforce Identity team) and how they can start sharing and/or driving capabilities in the other teams. For B2B, workforce IAM may be able to help with governance or delegated administration. For B2C, workforce IAM may be able to help with SSO, MFA, etc. The goal here is to level the maturity field and knowledge across the teams to start building a consistent capability. Then, as the teams grow and mature, you can start looking to consolidate and/or build a unified IAM function.
If you are in any of the above situations, no big deal; there is always a way to take a step back, re-assess, and build your IAM capability. With year end, and new budgets starting for 2025, this is a perfect time to evaluate and see where your IAM program is going to take you in 2025.