I was at #identiverse last week and had a ton of good conversations with attendees and vendors. While there is a lot of cool stuff going on in the industry, one thing kept nagging at me as I ventured around the show floor. Have we matured enough that we need all this new technology? I talked to several people why they were out there and what they were looking to achieve and heard a myriad of different technologies, but when I started digging into how they were going to use it, consistently I heard bolt-on technology or bandaids to current problems. And, in a lot of cases, the technology they were looking at depended on good foundational components that were not in place yet. The simple answers to this is technology will not fix source problems. At the end of the day, it just amplifies those problems for a later date. So, I wanted to go through some of the foundational items I talk with customers and peers about before they go and start looking at new technology to address current.
When starting an evaluation or building an IAM program, I look at a few key foundational elements. Those include:
- Data: This is key, you need good source data from HR and self-service requests to ensure accurate data is being presented to Governance and Access platforms. If you have bad source data, you’re going to have inconsistent results and have to fix a lot of problems on the fly. When looking at the data, define the inputs, outputs, data flows, etc. and what rules you are going to build based on this (e.g. JML operations, authorizations, etc.)
- Strategy / Roadmap: You cannot fly by the seat of your pants when building out an IAM program, you need to have a defined strategy and roadmap to realize that strategy or you’re always going to be chasing the next thing. Working from a defined strategy (that can be updated if / when needed) you can get buy-in, publish dates for functionality, and execute to build the foundational and improvements to the program.
- Leadership: Along with data and the roadmap, you need strong leadership (within IAM) to help execute the strategy. Additionally, you need leadership to support the IAM initiative across the organization. Without this, the first challenge you run in to, you’re going to be adding exceptions to policy with nullifies the intent of the IAM program.
- Partners: Is hard deploying IAM programs and technology, but there are people out there that do this constantly. Leverage the community and partners available to help get your feet under you, then can transition off to advisory roles to help you continue to build and improve your program. This will get you some fast wins and also help train resources on your team to build and support the program.
- Execution: I always say ‘Start Small, Execute Big’, meaning, look at the small / core technologies that are going to have big impacts. Identity Governance and Access Management / SSO programs can make immediate impacts, and give you a platform to execute from. This may seem small, but they have big impacts later when you want to make continuous improvements and grow the program.
- Communicate: Can’t say this enough, keep people updated on the vision and progress of the IAM program. Celebrate and communicate wins through go-live announcements, release notes, etc. Also, make sure you have an executive / board level update prepared for each meeting you can attend so can show the value of the IAM program and how it is improving the organization.
While not a complete list of initiatives, when I look at an IAM program, this is the foundation I look for. Starting with this, you can be assured you are building that strong foundation of which your house can sit comfortably and grow in the future.
