Identity and access management (IAM), once looked upon as an IT project, has now evolved. Earlier, many organizations were asking the CIO or CISO to drive an IAM implementation; now they are also asking the CRO or CEO. Indeed, identity and access management often becomes a boardroom issue, since it helps control fraud and meet compliance needs.
In this piece we will look at a step-by-step approach to the implementation of an identity and access management solution. Taking one small, successful step at a time helps the organization to manage its cash flow. It also means that a big identity and access management investment is broken into smaller chunks, which are easier to digest.
Step 1: Build an IAM business case
Building a business case for identity and access management involves documenting the current state of role management, provisioning and de-provisioning, as well as the current drivers and compulsions. To do this:
- Identify the cost of the current work, which is expected to be automated via the IAM solution.
- Define the approximate cost of doing work via the identity and access management solution (we need not have the exact solution identified at this stage).
- Do a cost-benefit analysis for the required changes to process, technology and personnel skills for identity and access management.
- Present the IAM business case to stakeholders for approval.
Step 2: Build a roadmap for IAM
At this stage, the CISO would need to think about questions such as:
(i) Which application should be deployed first?
(ii) What will come in the second phase?
(iii) Should the identity and access management implementation be done location-wise or application-wise?
(iv) Will the identity and access management solution have centralized or decentralized control?
Next, based on stakeholder feedback, build an identity and access management roadmap. For this, you need to:
- Take into account access control, pilot requirements, application priority for IAM integration, and role design.
- Design a conceptual IAM architecture on the basis of functional requirements.
- Define the identity and access management implementation phase in terms of functionality deployment.
- Define identity and access management use cases.
- Define the IAM governance framework.
Step 3: Role definition for IAM
At this stage of implementing identity and access management, the organization has to identify several user roles, and decide which role needs access to what across the organization. The company will also have to build an exception handling policy for this. In addition, the CISO will need to obtain approval from the various process owners for the roles identified and the resource access aligned to each role.
Step 4: Pilot test
Build an identity and access management proof of concept for the various products being evaluated. To do this:
- Define use cases on the basis of a documented IAM roadmap and strategy, as well as the requirements of the various stakeholders in the identity and access management project.
- Define the scope of the IAM pilot (application inclusion, environment staging).
- Implement and run tests on the product.
- Carry out a comparative analysis of how difficult it is to implement a particular feature or test case.
As far as possible, the demonstration of the identity and access management product should happen in environments which are similar to the organization's own environment.
Step 5: IAM implementation and rollout
Now we come to the identity and access management implementation as decided in the IAM roadmap. Here you have to:
- Manage the IAM implementation and rollout with planning.
- Manage cost and time overruns.
- Implement identity and access management in a phase-wise manner.
- Train personnel to manage and implement IAM.
- Standardize the identity and access management configuration.
- Test the systems integration.
- Migrate to production.
- Establish an IAM helpdesk and set key performance indicators (KPIs).
- Monitor performance and KPIs via monitoring solutions and audit requirements.
Spending a good amount of time on the first three steps is the key to a successful implementation of an identity and access management solution. Organizations should be wary of jumping directly to step four, since it may not provide evidence of whether the product being evaluated fulfills the expectations and meets the requirements.
About the author: Navin Agrawal is an executive director of KPMG India. He provides advisory services in areas such as business requirement and strategy for IAM, as well as IAM product and vendor evaluation.
(As told to Dhwani Pandya.)