
Identity and Access Management is nothing new; every person and every company has been doing it from day one.
As a private person you make sure that your home is locked and that only authorized people get access to it with a key. This method is pretty effective, as you typically know whom you gave a key to and whom you did not. Why effective? Because it is easy: there are only a few people and you know all of them personally. The process of entering the home is even efficient, as it typically works with nothing more than the key. New technologies make this even more efficient and secure by using biometric services such as fingerprint or face recognition.
As a company you also know who is allowed to enter your office building, the factory or specific rooms within a building. Using keys with different access levels or badges is nothing new. But to be honest, most companies struggle to manage access to their applications in an effective, efficient, secure and compliant way.
Do you know offhand:
- who in your company has access to which applications?
- whether accounts were disabled on the day a person left the company?
- how long it takes until a new employee can perform the work that is expected?
- whether the access a person has is still appropriate after several years in the company?
- whether privileged access is kept separate from standard access?
- how many access management processes and tools you are using?
- …
Here again, I am sure every company can get this information and has controls in place to mitigate the risk; the question is often: with how much effort?
If you are struggling to answer some of the questions above, you might be interested in reading further…
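The first questions above are controls that can be checked mechanically once HR data and account exports are side by side. The following script is an added example (not part of the original post) that runs three of those checks over a small constructed dataset: who has access to which application, which accounts of leavers are still enabled on a given date, how many days a joiner waited for first access, and which accounts mix privileged and standard entitlements. The data model, the convention that administrative entitlements start with `admin:`, the sample records and the function names are all assumptions made for this example; a real IAM tool would provide equivalent exports from the HR system and the connected applications.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical data model for this example: one HR record per person and
# one record per account in a connected application.
@dataclass(frozen=True)
class Employee:
    person_id: str
    start_date: date
    end_date: Optional[date]        # None while the person is still employed

@dataclass(frozen=True)
class Account:
    account_id: str
    person_id: str
    application: str
    enabled: bool
    created: date
    privileged: bool                # account meant for administrative use only
    entitlements: frozenset[str]

# Assumed naming convention: administrative entitlements start with "admin:".
PRIVILEGED_PREFIX = "admin:"

# Constructed sample data, not taken from any real company.
EMPLOYEES = [
    Employee("p1", date(2024, 1, 8), None),
    Employee("p2", date(2023, 3, 1), date(2025, 2, 28)),   # leaver
    Employee("p3", date(2025, 3, 3), None),                # recent joiner
]

ACCOUNTS = [
    Account("a1", "p1", "SAP", True, date(2024, 1, 10), False, frozenset({"fi:display"})),
    Account("a2", "p1", "AD", True, date(2024, 1, 8), True, frozenset({"admin:domain"})),
    Account("a3", "p2", "SAP", True, date(2023, 3, 2), False, frozenset({"fi:post"})),
    Account("a4", "p2", "AD", False, date(2023, 3, 1), False, frozenset()),
    Account("a5", "p3", "ServiceNow", True, date(2025, 3, 17), False, frozenset({"itil:fulfiller"})),
    Account("a6", "p1", "Linux", True, date(2024, 2, 1), True, frozenset({"admin:root", "shell:login"})),
]


def access_matrix(accounts: list[Account]) -> dict[str, set[str]]:
    """Who has (enabled) access to which applications."""
    matrix: dict[str, set[str]] = {}
    for acc in accounts:
        if acc.enabled:
            matrix.setdefault(acc.person_id, set()).add(acc.application)
    return matrix


def leaver_accounts_still_enabled(employees: list[Employee], accounts: list[Account],
                                  as_of: date) -> list[str]:
    """Accounts still enabled although the owner's employment ended on or before as_of."""
    left = {e.person_id for e in employees if e.end_date is not None and e.end_date <= as_of}
    return sorted(a.account_id for a in accounts if a.enabled and a.person_id in left)


def days_to_first_access(employees: list[Employee], accounts: list[Account]) -> dict[str, Optional[int]]:
    """Days between a person's start date and the creation of their first account."""
    result: dict[str, Optional[int]] = {}
    for e in employees:
        created = [a.created for a in accounts if a.person_id == e.person_id]
        result[e.person_id] = (min(created) - e.start_date).days if created else None
    return result


def mixed_privileged_accounts(accounts: list[Account]) -> list[str]:
    """Accounts that break the separation of privileged and standard access:
    a privileged account carrying standard entitlements, or a standard account
    carrying admin entitlements."""
    findings = []
    for a in accounts:
        has_admin = any(ent.startswith(PRIVILEGED_PREFIX) for ent in a.entitlements)
        has_standard = any(not ent.startswith(PRIVILEGED_PREFIX) for ent in a.entitlements)
        if (a.privileged and has_standard) or (not a.privileged and has_admin):
            findings.append(a.account_id)
    return sorted(findings)


def run_checks(employees: list[Employee] = EMPLOYEES, accounts: list[Account] = ACCOUNTS,
               as_of: date = date(2025, 4, 1)) -> dict:
    """Run all checks and return the findings as one report."""
    return {
        "access_matrix": access_matrix(accounts),
        "leavers_still_enabled": leaver_accounts_still_enabled(employees, accounts, as_of),
        "days_to_first_access": days_to_first_access(employees, accounts),
        "mixed_privileged_accounts": mixed_privileged_accounts(accounts),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

On the sample data the leaver check flags `a3` (Bob's SAP account, still enabled a month after his end date), the joiner `p3` waited 14 days for a first account, and `a6` is a privileged Linux account that also carries an interactive standard entitlement. The point of the exercise is the one the questions make: each check is simple once the HR feed and the account exports are in one place, and hard when they live in a dozen different tools.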
IAM projects are “change management projects”, not “technology projects”
As mentioned above, you probably already have everything in place and under control, and this is exactly what makes every IAM project a change-management-driven project rather than a technology-related one.
Consider that all your application and service teams had to establish access control for their offerings in the past. To do this, they invented and designed processes and set up support tools with great functionality. These might be as complex as the applications or services themselves. There are people who are proud of this access control service, and they are right: it is to their credit that the service has delivered good results so far. And now you are coming and telling them that you have a better choice: one new technology that will replace their beloved service, which helped the company survive over many years. Your challenge is that each of them is right from a single-service perspective, but almost none of them has the overview from the top of your company and can answer the questions above. You might be forced by SOX, GDPR, NIS2, ISO 27001 or any other framework. Play a little with this sentence in your head and you will understand the resistance you might face, and why an IAM implementation is not a technology-driven project: it will have a huge benefit for your company, but it needs well-managed change.
Is there a business case for my IAM project?
Yes, there is always a business case. Some of them might need to be identified during pre-studies for such projects. They very often depend on the structure of your company and rely on different attributes:
- how is your HR organized?
- how many IAM tools do you use today?
- are you centrally organized or distributed?
- what do your ITSM services look like?
- which business structures do you have?
- do you need to officially show evidence for control execution?
- …
Typical elements of such a business case are:
- reduction of the number of tools
- simplification of controls
- reduction of the “Mean Time to Resolve” (MTR) of access-related incidents
- increased usability
What is the right technology to use?
This is an easy question with a difficult answer. To be honest, there are many tools on the market and all of them do what they are supposed to do. So generally there is nothing wrong with selecting any of them, but depending on your environment and your needs, one might suit you better than another.
Some selection criteria to be considered:
- The number of managed identities
- IT environment (on premise vs cloud)
- SAP and or Non-SAP applications
- ServiceNow integration useful?
- HR systems (e.g. Workday?)
- Windows with Single Sign On or Unix environments
- Configuration vs. Customization
- Flexibility vs. Out of the Box
- …
Project or Journey?
IAM is a journey. Depending on the size of your company, it probably needs to start with a project, which leads into operation and is then driven as a journey. Within the project you need to set up the fundamentals of IAM and establish the governance to run IAM as a service: it is not only one of the processes within the ITIL or COBIT frameworks. Such journeys can take several years, whereas the project should be finished within half a year to a maximum of two years, depending on the size of your company.
Typical components of these projects are:
- building the governance within the organization
- building the process organization
- setting up an IAM framework
- designing and building an IAM organization to provide the service
- reviewing and/or defining policies and standards
- defining requirements and processes
- prioritizing the requirements and selecting a tool
- implementing the tool
- establishing the control framework and certifying the service, if needed
- rolling out pilot applications
- finishing the project and handing over to operations
Are you interested in learning more?
Feel free to contact me.