Knowing who is accessing what on your network may seem like a fundamental prerequisite of security, but very few organisations have so far made a success of identity and access management (IAM).
According to new research from KPMG, which polled 235 senior managers in 21 European countries, only 11% of organisations reckon they have successfully implemented IAM. More than two thirds (68%) said projects were hampered because they put too much focus on technology and failed to deal first with organisational and procedural changes.
When asked why projects had failed, half the respondents said their organisations were not ready for the changes in culture and processes that IAM would have imposed. Budget restrictions and technology problems ranked much lower as impediments to success.
Drew Wagar, a principal advisor with KPMG, said many projects had failed because their business case was flawed from the start, with their focus on cost containment and competitive differentiation. In line with promises from suppliers, some companies had based their business case on better user provisioning, lower auditing costs, and other benefits such as making it easier to do mergers and acquisitions.
But Wagar said it was "probably more sensible" at this stage to take a risk-based approach and to focus on regulatory compliance, which was far more likely to get buy-in from senior management.
Too many companies had also relied on technology as a solution without first doing the necessary groundwork. "Eighty percent of IAM is about people and processes," he said. Only when companies have understood and tidied up their processes can they expect to automate them through technology.
"People underestimate the number of places where user IDs end up, and the number of times where, in order to get the job done, people are given access to systems and no records are kept," he said. "That might just be done for expediency, and it is easy for organisations to drop into bad habits. Almost all organisations find themselves having to bypass a process in order to get a job done. Once it's happened once, it is easier to do it again. You can end up with a situation where all the user accounts are in disarray."
Even so, Wagar said IAM is a tough project to sell to higher management. "It doesn't stand up well as a business case in its own right. It is difficult and expensive, and arguably doesn't deliver very much in the short term."
He recommended wrapping IAM into a broader strategic programme of risk reduction or process improvement, often under the banner of PCI DSS compliance or ISO 27001 accreditation. And when tackling role-based access control, he said companies should be pragmatic. "Trying to get RBAC rolled out to 100% of the organisation is frankly naïve. You're better off aiming for 80% of your significant applications."
The report, 'KPMG's 2008 European Identity & Access Management (IAM) Survey', found that the financial services industry had the best examples of IAM implementation, while government and healthcare lagged badly behind.