Navin Agrawal, executive director, KPMG India, throws some light on Identity and Access Management (IAM) adoption, evaluation and deployment in India
IAM adoption in India
Organizations are slowly looking at IAM as something more than just a compliance enabler. It is now looked at as a cost-saving and security control solution. There are several existing dimensions of IAM which can help enterprises build a strong business case. For example, cost optimization (because it replaces a lot of manual effort with automated controls), policy enforcement (to control various security threats such as user access control), centralization of user profiles (to keep it in line with privacy policies, the protection of personnel records, the ability to grant/revoke access across applications uniformly, etc), and role management (to create roles and slot users and application modules for access vis-à-vis the roles created) are some of the prominent IAM dimensions with a direct business impact.
Popular IAM technologies
While the deployment of the full suite of IAM solutions is low in India, the deployment of single sign-on solutions is pretty much there. The technologies within IAM which are gaining most prominence are the role manager, central management console (for policy adoption and monitoring), audit management, and user self-service. Many organizations are adopting all the features of the IAM, and are looking at convergence with existing solutions in a more robust manner.
Critical factors to consider while evaluating IAM solutions
IAM has to be implemented in stages, and in a step-wise manner. At the outset, organizations should build a business case as well as a roadmap for implementation. Taking one small success step at a time helps the organization in tempering its cash flow; it also means that a big investment is broken into smaller chunks which are easier to digest. The evaluation of the IAM products has to be a combination of business as well as technology compliance factors. This cannot be a one-stop process, and has to be interactive and iterative. Prior to starting the evaluation, the CISO should have a documented roadmap and strategy, as well as the requirements of the various stakeholders in the project. These need to be translated into use(r) cases which can then be demonstrated by the solution provider. As far as possible, the demonstration of the product should happen in environments which are similar to the organization environment. The CISO should also be clear about which elements of the policies are to be automated as part of the solution, and which need to be manually-driven.
Major challenges in IAM deployment
The biggest challenge which IAM implementation faces is that it is perceived by a lot of business stakeholders to be an IT project, whereas it is actually a business project because rules are defined across business processes and the organization. Most of the time, after giving sign-offs for the project, business people may ask for exceptions, making the whole exercise futile. Selecting the right solution is also a major challenge because it depends a lot on the organization's current environment. One solution may offer better role definition, another may have better integration, while the enterprise needs the right mix-and-match. However, deciding the right mix-and-match is often difficult for an organization.
Navin Agrawal has advisory expertise in IAM strategy and product evaluation. He has advised some of India's top financial services and process manufacturing companies in the area of IAM deployment.