Infosecurity preview: Trying too much, too young

Many firms face the demands of achieving greater returns from technology while decreasing IT spend, improving security and controls, and meeting compliance requirements.

In response, identity and access management programmes enable process improvements in the ways in which the identities of customers, staff and suppliers are managed. But they are prone to failure for two reasons – they try to do too much, too young.

Identity and access management programmes often start as infrastructure projects, or as remediation projects intended to address specific compliance requirements. In these cases, the scale of the change required within the organisation is often underestimated, and a company takes on too much and seeks to achieve results too quickly.

This combination of complexity and demand for quick results can mean that the customer-facing and operational functions – the areas that have the most to gain and the most to invest – are not engaged in the programme.

An effective identity and access management system will improve the effectiveness of an organisation’s interaction with staff, customers and suppliers. However, such a programme needs the solid support of many functions and divisions. To succeed, a company has to accept that this will take time and effort, often at senior levels.

Perhaps the greatest hazard in taking on too much comes with defining roles for users, otherwise known as role engineering. One organisation introduced role-based access for 1,000 staff, and determined 980 different possible roles. The effort involved in managing this approach means that the intended benefits will disappear as people seek to introduce their own uncontrolled simplification.

As well as taking on too much, some firms adopt technology that is still immature and unproven. There are plenty of easy wins that can be achieved by focusing on areas of greatest payback using mature technology. The real challenge comes if an organisation is seeking to introduce an all-singing, all-dancing system for identity and access management.

The market for identity and access management suites has developed greatly over the past four years and although the products are evolving rapidly and continue to improve, many organisations have found that they were inadvertent early adopters. It is important that the customer and the supplier know what they are committing to before they sign. 

Although the technology is only a small part, any serious shortfalls against expectation can damage the programme and ruin relationships.

There are three basic elements a company needs to understand:

  • The history of the product. Is it an integrated suite, or just a portfolio of acquisitions sold under a common banner?
  • European experience. Many products have a good reference from US organisations, but a limited track record in the UK.
  • The level of supplier commitment. Does the supplier have a large and sustainable client base and established complementary products? Or have they entered the market because the analysts have told them it is hot?

Identity and access management can deliver substantial business benefits, but it must be embarked on with a clear understanding of the business, and an awareness of the potential pitfalls of taking on too much, too young.

Malcolm Marshall is partner in charge of information security services at KPMG.
KPMG will be exhibiting at stand 572 and hosting “Getting Identity Management Right” at Infosecurity Europe at 11am on 25 April.