9 tips for a successful Identity and Access Management project implementation

Transcription

1 9 tips for a successful Identity and Access Management project implementation By Antonio TROGU, Technical Manager - Beta Systems White Paper

2 Introduction More and more IT security incidents impact businesses, regardless of sector, size or activity. Unauthorized access, usurpation of identities, data leakage... businesses can no longer afford to ignore the risk of cyberattacks, nor assume that attackers will never be able to penetrate the information system. This is why leading analysts (KuppingerCole, Pierre Audouin Conseil, Gartner...) emphasize the need to deploy an IAM system (Identity and Access Management) to complete the arsenal of security measures for the company's information system. The IAM projects are now a real priority for anyone who wants to strengthen its cyber security. However, it is clear that many initiatives are hampered by failures encountered by other companies. It is therefore essential to properly prepare the project implementation, both in its technical and business aspects. Here are some best practices that can contribute to a successful IAM project. 1. Build a mixed project team of IT and Business An IAM project is a transversal project that requires soliciting many stakeholders within the organization, typically the IT department but also HR and business managers. Underestimating the need to involve them may be enough to derail your project. Indeed, your project can not be driven solely from a technical perspective. It is necessary to obtain the support and cooperation of the business departments to mobilize knowledgeable parties around the project and be able to rely on their understanding of the company s business processes and organizational structure. 2. Define the project s governance and goals An IAM project with a poor governance process in place rarely succeeds. Firstly, you will need to determine the roles and responsibilities of each participant as well as the different steps of the deployment. Achieving your goals involves a rigorous monitoring and close collaboration between the project team and the vendor s IAM consultants. Make sure that the specifications and goals are mutually understood and documented before the start of the deployment. Any subsequent changes would disproportionately extend the project in time and implementation cost. 3. Reduce customizing to a minimum When choosing a solution, the standard and preconfigured IAM software represent the best strategy, especially because this approach takes advantage of other IAM deployments at other customers. Moreover, it greatly simplifies the integration of new functions as new software versions are released. Abandoning the standard offer for a highly customized system should be exceptional. Standard products from the vendor reduce the costs of implementation and maintenance, and accelerate the deployment. 4. Implement in phases Be pragmatic: deploying the IAM solution on a broad technical and functional scope can bog down the project. Prefer a quick-win approach, with a step by step implementation and achievable milestones. By voluntarily limiting the initial scope to a limited number of target systems, users and features, you'll get results more quickly, sometimes within months. These early returns on investment will help strengthen the adhesion of the company to obtain additional budgets and thus to extend the scope of the project.

3 5. Connect HR systems Staff movements (new arrival, departure, mobility...) can be reported to the IT department or human resources, with some delay, if at all. These complications may increase when the personnel administration tasks are performed manually or in a decentralized manner. Therefore, initially, the main HR data source must be connected to the IAM system in an automated way, with benefits rapidly measurable: simplified access, increased productivity, user satisfaction Clean up the data Data quality is key to any successful IAM project. But very often, access rights information are no longer maintained for a long time, and can be messy. As a result, links between accounts and users are missing, some accounts are orphans, others are wrong... This is why an IAM project necessarily begins with the consolidation of user identities (user-id). In this step, the user accounts are assigned to the corresponding persons in the repository of identities. Quickly, cleaning up the data shows a first advantage: the consolidation of user-ids reveals the orphan accounts. 7. Implement roles A role is a set of individual access rights that are necessary for a particular function or task in the company. It is intimately linked to the business processes specific to the company. "Groups" of access rights, called "roles", significantly reduce administration efforts. They are key to automate processes and to implement rules preventing accumulation of certain rights (Segregation of Duties - SoD). But the implementation of roles requires more than just defining groups of access rights. Roles are living objects. They need to be continuously updated and maintained. It is important to designate an "owner" for each role. It will be the responsible for the further evolutions of the role. Therefore, the roles should be reviewed periodically to adapt to changes in the organization or in the IT systems. 8. Introduce risk scoring IAM systems provide a considerable amount of data that needs to be processed to bring up the most risky elements. The identification and scoring of these risks is a powerful tool for sorting the access data, such as users, roles and accounts, depending on the level of potential risks. However, implementing a risk measurement for all of your access rights structure requires time and resources. Using a top-down approach, you can get quick first risk analysis, sorting them by category, and score. You will benefit from the project duration to gradually expand the scope of these evaluations. 9. Provide main features required by the department level Keep in mind that even if IAM systems are mainly sponsored by auditors and IT managers, business departments are also interested. Quickly present first concrete results to the Board helps you to win the support of the entire company. For that purpose, in the early stages of the project, focus on business features to make life easier for end users: for example, a web portal to re-certify the rights of some people, or a workflow to automate approval of rights requests. The satisfaction of business users is a key indicator to demonstrate the success of your IAM project.

4 Building on its 20 years of experience in the IAM field, Beta Systems offers a comprehensive software suite handling access management to IT resources based on user identities and roles. SAM Enterprise Identity Manager: Automated provisioning and identity lifecycle management. Centralization, consistency maintenance and management of access rights data. SAM Business Process Workflow: Automate business processes that imply access rights, with a powerful engine and a user-friendly interface. Garancy Access Intelligence Manager: Multidimensional analysis of access rights and evaluation of associated risks: business intelligence dedicated to access security. SAM Password Management: Secure and simplify access to applications. Garancy Recertification Center: Run review campaigns of the users access rights based on the risk-level.

5 About Beta Systems Beta Systems is a leading mid-sized, independent European software solution provider. Founded in 1983, the company develops software that secure data processing of large IT centers, as well as a suite of Identity Management and Access Governance (IAM/IAG) solutions. Beta Systems offering in the area of datacenters and cybersecurity ensures that its 1,300 customers worldwide optimize their IT processes, secure their information systems and meet Governance, Risk management & Compliance (GRC) requirements. Beta Systems clients are market leaders in Banking & Insurance, Finance, Industry, Transport, and Healthcare. Company headquarters are located in Berlin, Germany. Beta Systems has been listed on the stock exchange since 1997 and employs around 300 staff. The company, together with its 16 self-owned subsidiaries and numerous partners, has a strong domestic and international focus. Contact us! marketing-f@betasystems.com White Paper February 2016 Antonio TROGU, Technical Manager Beta Systems Software S.r.l. Via IV Novembre 92, Bollate (MI)