Introduction
Identity and Access Management (‘IAM’) is becoming an increasingly important part of digital transformation. With remote and hybrid working becoming the norm, people access organizational resources from outside the usual office network. Ultimately, every user has a digital identity, and this identity is at the heart of securing IT systems – by ensuring that users have the right access to the right resources, at the right time and through the right channel.
Essentials for a successful IAM program
IAM is about managing the identity and access lifecycle across diverse IT systems. It broadly consists of three domains – Identity Governance and Administration (‘IGA’), Access Management (‘AM’ – the term generally used for Single Sign-On (‘SSO’) and Multi-Factor Authentication (‘MFA’) functionality) and Privileged Access Management (‘PAM’).
These three together ensure that the digital identities are managed in a secure and controlled manner.
Apart from the trifecta of Cybersecurity, Productivity and User Experience, one of the other big drivers for IAM solutions is the complex and hybrid IT landscape. Most organizations have a large number of discrete IT systems – both on-prem and in the cloud. Managing access across these systems is a huge challenge for any IT team – let alone controlling the access, most organizations do not even have clear visibility of who has access to what.
These are the key factors behind an increasing trend of organizations putting IAM at the centre of their digital journey. With increasing cybersecurity attacks, security is paramount and a good IAM solution ensures digital identities are secure while the organization focuses on accelerating their digital transformation.
It is important that the outcomes of an IAM project are clearly understood. It is best to paint a picture of what the typical user journey will be like once the IAM solution has been implemented. Apart from considering the various capabilities of IGA, AM and PAM, it is important to understand how these three components will work with each other to provide a seamless user experience.
A sample is as follows:
- HR onboards a new employee
- A new identity is created in IGA
- IGA provisions birthright access, including an AD account, email mailbox, etc.
- The AD account is synced with AM
- The new joiner can now log in to IT systems through SSO provided by AM
- Access policies can be enforced using AM; these may include adaptive MFA or restricting specific users to specific IT systems
- AM and IGA can be used to provide a self-service password reset feature to users
- PAM can be used to manage privileged accounts/entitlements, including monitoring the activities performed using such accounts/entitlements
- Users can request additional access using the self-service access request feature in IGA
- Policies such as Segregation of Duties (‘SoD’) can be enforced through IGA
- Approval workflows can be configured in IGA so that an access request is approved before the access is provisioned automatically
- This includes access to privileged accounts/entitlements through PAM
- IGA provides central and complete visibility of all identities and their related accounts and entitlements, including privileged accounts/entitlements
- Compliance requirements such as access reviews/certifications can be managed through IGA using this central visibility
- Various security and compliance reports, such as risk scores, rogue/orphan accounts, user lifecycle, unusual access, privileged sessions, etc., can be obtained from the IAM solution
- IGA can provide value-added services such as recommendations for access review/request approvals and role modelling/mining/discovery, using the comprehensive identity information.
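The journey above, modelled as an added example in Python. This is illustrative code written for this article, not any IAM product's implementation, and the system names, entitlement names, the single SoD rule and the 90-day dormancy threshold are invented. It shows the pieces the list describes working together: an HR joiner event provisions birthright access, a self-service request is checked against SoD rules before privileged entitlements are routed to approval, a leaver event disables every account the identity owns, and a review report lists the orphan, dormant and privileged accounts a certification campaign should look at first.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
# Constructed sample policy: entitlement names and rules are invented for illustration.
BIRTHRIGHT = {"AD", "Email"}                      # every new joiner gets these
PRIVILEGED = {"Domain_Admin"}                     # needs approval, then managed by PAM
SOD_RULES = [frozenset({"AP_Create_Vendor", "AP_Approve_Payment"})]  # toxic combinations
DORMANT_AFTER = timedelta(days=90)                # no login for 90 days counts as dormant

@dataclass
class Identity:
    uid: str
    active: bool = True
    entitlements: set[str] = field(default_factory=set)
    pending: set[str] = field(default_factory=set)   # requests awaiting approval

@dataclass
class Account:
    system: str                  # target system / entitlement the account grants
    owner: str                   # uid the account was provisioned for
    enabled: bool = True
    last_login: date | None = None

class IGA:
    def __init__(self) -> None:
        self.identities: dict[str, Identity] = {}
        self.accounts: list[Account] = []

    def _grant(self, ident: Identity, entitlement: str) -> None:
        ident.entitlements.add(entitlement)
        self.accounts.append(Account(entitlement, ident.uid))   # provision the target account

    def onboard(self, uid: str) -> set[str]:
        """HR joiner event: create the identity and provision birthright access."""
        ident = self.identities[uid] = Identity(uid)
        for system in BIRTHRIGHT:
            self._grant(ident, system)
        return set(ident.entitlements)

    def sod_conflicts(self, uid: str, entitlement: str) -> set[str]:
        """Entitlements already held that would complete a toxic combination."""
        held = self.identities[uid].entitlements | {entitlement}
        return set().union(*(rule - {entitlement} for rule in SOD_RULES
                             if entitlement in rule and rule <= held))

    def request_access(self, uid: str, entitlement: str) -> str:
        """Self-service request: SoD check first, then approval routing."""
        ident = self.identities[uid]
        if not ident.active:
            return "denied: identity inactive"
        if conflicts := self.sod_conflicts(uid, entitlement):
            return f"denied: SoD conflict with {sorted(conflicts)}"
        if entitlement in PRIVILEGED:
            ident.pending.add(entitlement)            # parked until an approver acts
            return "pending approval"
        self._grant(ident, entitlement)
        return "granted"

    def approve(self, uid: str, entitlement: str) -> bool:
        ident = self.identities[uid]
        if entitlement not in ident.pending:          # nothing to approve, or already done
            return False
        ident.pending.discard(entitlement)
        self._grant(ident, entitlement)
        return True

    def offboard(self, uid: str) -> int:
        """HR leaver event: deactivate the identity and disable every account it owns."""
        ident = self.identities[uid]
        ident.active, ident.entitlements = False, set()
        victims = [a for a in self.accounts if a.owner == uid and a.enabled]
        for acct in victims:
            acct.enabled = False
        return len(victims)

    def report(self, today: date) -> dict[str, list[tuple[str, str]]]:
        """Enabled accounts an access review should look at first."""
        live = [a for a in self.accounts if a.enabled]
        # orphan: the owner has no identity at all, or one that is no longer active
        return {
            "orphan": sorted((a.system, a.owner) for a in live
                             if not getattr(self.identities.get(a.owner), "active", False)),
            "dormant": sorted((a.system, a.owner) for a in live
                              if a.last_login and today - a.last_login > DORMANT_AFTER),
            "privileged": sorted((a.system, a.owner) for a in live if a.system in PRIVILEGED),
        }

def demo(today: date = date(2024, 6, 1)) -> dict[str, list[tuple[str, str]]]:
    """Constructed scenario: joiners, a privileged approval, a leaver, then the review report."""
    iga = IGA()
    iga.onboard("alice")
    iga.onboard("bob")
    iga.request_access("bob", "Domain_Admin")            # pending approval
    iga.approve("bob", "Domain_Admin")                   # granted, managed via PAM
    # Constructed legacy service account with no identity behind it: an orphan.
    iga.accounts.append(Account("AD", "svc_legacy", last_login=today - timedelta(days=200)))
    bob_mail = next(a for a in iga.accounts if a.owner == "bob" and a.system == "Email")
    bob_mail.last_login = today - timedelta(days=120)    # mailbox unused for 120 days: dormant
    iga.offboard("alice")                                # disables all of alice's accounts
    return iga.report(today)
```

Calling `demo()` returns the review report for the constructed scenario. The point to notice is that the orphan check keys on whether the owning identity exists and is still active, not on whether the account looks healthy in the target system, which is why the legacy service account is flagged even though a directory on its own would show nothing wrong with it; the SoD check likewise runs before approval routing, so a toxic combination is refused even when an approver would have signed it off.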
Strategic objectives for a successful IAM program
It is important to clearly define the strategic objectives, guiding principles and KPIs for the IAM program. The existing maturity, trigger, challenges and expectations differ from one organization to another, so these will vary accordingly.
An example is as follows:

KPIs provide a measure of the success of the IAM project. They should also be clearly communicated to the IAM team. Where possible, they should be quantified and their trend monitored to ensure the desired benefits are being realized. Some examples are as follows:
| S/N | IAM Goal | KPI |
| --- | --- | --- |
| 1 | Reduce risks | Number of security incidents due to user and entitlement management |
| | | Number of security incidents due to SoD and privileged access |
| | | Percentage of access deactivated within agreed SLA |
| | | Number of inactive, dormant and duplicate accounts |
| 2 | Increased IT automation | Percentage of access granted through automated provisioning |
| | | Percentage of standard access granted to users on their first day |
| | | Percentage of automated password resets |
| | | Percentage of automated account unlocks |
| | | Percentage of standard vs non-standard/requested access |
| 3 | Improved data and process quality | Error rate within access management |
| | | Error rate within identity and account creation |
| 4 | Better compliance | Number of audit issues related to user access management |
| | | Access review completion within SLA |
| 5 | Others | User experience |
| | | Processing duration of user requests |
It is important that these aspects are carefully considered and planned for a successful IAM program.