10 identity and access management (IAM) implementation mistakes

Identity and access management (IAM) solutions basically deal with the establishment of identity components in business processes and technology solutions to manage users’ identities and provide logical access to an organization’s application estate. Organizations initially implemented identity and access management services by building access permissions and privileges into applications. With the expansion of the application portfolio, building these access rights and privileges into applications led to increase in administration overheads, multiple passwords from users, and reduction in security.

To counter these access-related issues, centralization of user store and the deployment of a centralized identity and access management program became critical. Adoption of IAM solutions gained a boost with the need to demonstrate compliance. However, organizations that rushed to implement IAM solutions often faced stalled projects or fell behind schedule. Here are the common shortcomings that organizations encounter while deploying an IAM solution:

1. Lack of clear objectives: If the identity and access management program is to be successful, the IT architectural vision should be based on clear business objectives. Failing to comprehend the solution breadth also determines the fate of the identity and access management program.

2. Incomplete assessment of infrastructure components: Incomplete risk assessment, lack of comprehensive infrastructure planning, inadequate compatibility verification with existing IT systems, and failure to account for technology trends result in many scope-creeps.

3. Lack of planning: Failure to consider the identity and access management program as part of an organization’s overall IT strategy leads to different business divisions implementing discrete IAM solutions, making consolidation unnecessarily complex.

4. Improper IAM product selection: Not aligning IAM product capability with the overall business objectives makes the solution non-scalable as the business adapts.

5. Expectations for ‘over-automation’: Since the IAM solution assures automation of identity lifecycle management and streamlining of processes involving access management, there is a tendency to push all IT applications and platforms under it all at once. This could complicate the design, making program management difficult.

6. Insufficient focus on integration testing: Do not ignore the regression and integration testing efforts of the IAM solution along with integrated IT systems. Failing this, it’s not possible to assure the application estate’s secure functioning.

7. Not defining the post-production phase: The post-production phase should also be defined with users’ roles and responsibilities. Not considering this as part of the identity and access management project plan will impair the solution’s smooth transition to end-user community.

8. Failure to comprise the need for scalability: Mergers and acquisitions are now a business reality. The identity and access management project plan should account for scalability to accommodate the growing IT size and emerging technology trends. 

9. Not adhering to simple project management principles: Not following simple project management principles such as involvement of right minds and getting all stakeholders to have a common view, can delay the project schedule.

10. Lack of training, particularly in the business community: Users are usually unaware of the implemented IAM solution’s extent. Failing to educate users on the solution’s capabilities will hamper better work efficiency.

Many of the issues discussed above can be mitigated by having a strategic view. Keep business objectives in mind while making tactical adjustments, tick off short milestones, and execute the overall plan. 

A comprehensive deployment planning keeps the IAM solution aligned with the organization’s objectives. A phased identity and access management approach facilitates quick successes and gain self-belief to proceed in realizing true value from the investment. Educating users and executives on the solution’s capabilities will ensure the support necessary to fully appreciate the strategic vision.

Successful identity and access management programs serve as business enablers for organizations. Resolving issues early in the cycle will also improve an organization’s operating efficiency and security effectiveness.

About the author: Nilesh Shirke is the IAM practice head for security consulting at TechMahindra. He has more than 15 years of experience in project delivery as well as Security management roles in IT and business. He has a Masters Degree in Information Systems from Johns Hopkins University, USA and is a Sun Oracle IAM certified consultant. His areas of expertise include security consulting and project/delivery management in the identity and access management domain.