Many firms face the demands of achieving greater returns from technology while decreasing IT spend, improving security and controls, and meeting compliance requirements.
In response, identity and access management programmes enable process improvements in the ways in which the identities of customers, staff and suppliers are managed. But they are prone to failure for two reasons – they try to do too much, too young.
Identity and access management programmes often start as infrastructure projects, or as remediation projects intended to address specific compliance requirements. In these cases, the scale of the change required within the organisation is often underestimated, and a company takes on too much and seeks to achieve results too quickly.
This combination of complexity and demand for quick results can mean that the customer-facing and operational functions – the areas that have the most to gain and the most to invest – are not engaged in the programme.
An effective identity and access management system will improve the effectiveness of an organisation’s interaction with staff, customers and suppliers. However, such a programme needs the solid support of many functions and divisions. To succeed, a company has to accept that this will take time and effort, often at senior levels.
Perhaps the greatest hazard in taking on too much comes with defining roles for users, otherwise known as role engineering. One organisation introduced role-based access for 1,000 staff, and determined 980 different possible roles. The effort involved in managing this approach means that the intended benefits will disappear as people seek to introduce their own uncontrolled simplification.
As well as taking on too much, some firms adopt technology that is still immature and unproven. There are plenty of easy wins that can be achieved by focusing on areas of greatest payback using mature technology. The real challenge comes if an organisation is seeking to introduce an all-singing, all-dancing system for identity and access management.
The market for identity and access management suites has developed greatly over the past four years and, although the products are evolving rapidly and continue to improve, many organisations have found that they were inadvertent early adopters. It is important that the customer and the supplier know what they are committing to before they sign.
Although the technology is only a small part of the programme, any serious shortfalls against expectation can damage the programme and ruin relationships.
There are three basic elements a company needs to understand:
- The history of the product. Is it an integrated suite, or just a portfolio of acquisitions sold under a common banner?
- European experience. Many products have a good reference from US organisations, but a limited track record in the UK.
- The level of supplier commitment. Does the supplier have a large and sustainable client base and established complementary products? Or have they entered the market because the analysts have told them it is hot?
Identity and access management can deliver substantial business benefits, but it must be embarked on with a clear understanding of the business, and an awareness of the potential pitfalls of taking on too much, too young.
Malcolm Marshall is partner in charge of information security services at KPMG.
KPMG will be exhibiting at stand 572 and hosting “Getting Identity Management Right” at Infosecurity Europe at 11am on 25 April.