Gartner: How to succeed at identity and access management

This year's Gartner IAM summit featured few real identity management success stories.

Few other sectors of the IT security market can match identity and access management (IAM) in its track record of failure.

Certainly, the case studies that showcased IAM systems at the Gartner IAM Summit in London on March 23 and 24 were all still "works in progress," with the full benefits of their IAM frameworks still to be reaped at some point in the future. No one claimed to have a full working system up and running that delivered a high value to the organisation.

And yet, as one Gartner Research analyst, Tom Scholtz, reminded the audience, identity -- specifically knowing who is on a given network -- is the "cornerstone" of any security architecture.

The problem was tackled head-on in one talk entitled "Why your IAM project is doomed to failure," given by Perry Carpenter, a research director for Gartner. Carpenter formerly worked for Wal-Mart Stores Inc., as well as a telecommunications company, and brought with him practical experience of the difficulties IAM projects can encounter.

Carpenter said one of the big mistakes is to think that IAM is just a technology project. Companies, he said, tend to rush to choose a technology product without first considering the business context. They suffer from what he called "the tyranny of the urgent." Those projects were almost doomed to fail because they did not take into account business requirements and other teams involved within the organisation.

He compared IAM to the plumbing in a house. If you take time to plan it before starting the installation, then you will end up with a better system. But too many companies rush to build a system and end up having to make constant changes as problems arise.

Companies that change the scope or direction of their project mid-way through the programme are also doomed to fail, he said.

So what do you need to make a success of IAM?

Most of the success factors are the kind of things that "make IT professionals cringe," Carpenter said. For instance, it is essential to have effective governance throughout the project, with a proper steering committee that includes not just the IT department, but also representatives from HR, marketing, legal and all other affected sections of the organisation.

Strong channels of communication need to be established with each of the stakeholders, and regular scheduled meetings should be held to report on successes, and even failures.

He also urged IT people to tailor their language according to the person they are talking to. For instance, finance will want to know how IAM will save money on provisioning, while marketing will be interested that IAM will get new staff working more quickly, and help control the use of customer data.

"You need to learn how to put yourself into a political environment," Carpenter said. "It may be boring, but you'll have to get good at it."

According to the analyst, those relationships need to be made before any technology product is chosen, and they will determine what kind of approach, if any, is adopted.

Once the decision is made to go ahead, then make sure you develop before-and-after metrics to show success. "Also, develop milestones that will demonstrate benefits early and often," Carpenter advised.

That means prioritising and going for some easy wins early on, rather than trying to go for a giant all-encompassing implementation. For instance, if you can introduce password self-service early, and thereby show a reduction in help desk calls, he said, that will show a swift and tangible benefit.

Carpenter also advised that IAM should be integrated into the general software development lifecycle so that it becomes part of any upgrade or rewrite of systems.

And while IAM may eventually deliver real and tangible benefits to the organisation, Carpenter warned against making any firm prediction about the return on investment before the project. That would just raise false hopes, he said, and might be too difficult to prove.

Organisations fearing their IAM project will run over budget and over time may care to take up the challenge of one brave Massachusetts-based software supplier, Courion Corp., which is now offering to install its IAM system for a fixed price, and in a guaranteed timescale. Courion's U.K. country manager Stuart Hodkinson accused many systems integrators of overcomplicating IAM projects and stretching projects out in order to maximise their revenues.
