Develop a Comprehensive IAM Improvement Strategy

A successful identity and access management program is built on solid foundational processes.

  • Immature identity and access management (IAM) programs introduce significant vulnerabilities, which can lead to unauthorized access, data breaches, and compliance issues, threatening the security and integrity of organizational assets.
  • IAM tools provide capabilities that can improve program maturity, report on identities, automate lifecycle management processes, and administer access to business functions. However, these tools require organizations to understand and adjust entitlements according to access policies and functional roles.

Our Advice

Critical Insight

  • Security leaders find modernizing identity security daunting and focus instead on seemingly simpler challenges like implementing single sign-on, multifactor authentication, and privileged access management. However, this reactive approach can be more costly over time.
  • Developing a comprehensive IAM strategy and roadmap is a proactive, high-value initiative that will drive the effective modernization of the identity management program.

Impact and Result

  • Define a clear IAM strategy that aligns with the organization’s security objectives and regulatory requirements.
  • Establish standardized processes for user onboarding, provisioning, deprovisioning, and access changes throughout the user's lifecycle.

Develop a Comprehensive IAM Improvement Strategy Research & Tools

1. Develop a Comprehensive IAM Improvement Strategy Deck – A step-by-step document that walks you through how to properly define foundational IAM processes and develop an improvement strategy to meet organizational needs.

Use this storyboard to improve the governance and operations of identity and access management at the organization. This blueprint uses the identity lifecycle as a framework to approach improving how the organization manages identity and access.

2. IAM strategy tools – A set of tools used to develop a comprehensive IAM strategy.

Use these tools to gather requirements, assess risks, and plan out a strategic improvement roadmap for your IAM program.

3. IAM templates – A set of templates that can be used to develop or improve foundational IAM processes.

Use these templates to document your current- or target-state foundational IAM processes.

Upcoming webinar: Develop a Comprehensive Identity and Access Management (IAM) Improvement Strategy
Wednesday, November 06, 2024, 01:00 PM EDT

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Overall Impact: 9.2/10
Average $ Saved: $12,755
Average Days Saved: 12

Flight Centre Australia
Experience: Guided Implementation | Impact: 9/10 | $ Saved: $17,810 | Days Saved: 8
Best part: Great to talk with a professional who completely understands the domain, able to impart real value to my Organisation in terms of allowi...

University of Johannesburg
Experience: Guided Implementation | Impact: 9/10 | $ Saved: $13,361 | Days Saved: 10
Great guidance from Petar to take us through the process.

Kappa Delta Sorority
Experience: Guided Implementation | Impact: 10/10 | $ Saved: $6,850 | Days Saved: 20
Victor's attention to detail and guiding me through each area of the process was much appreciated since this is not my area of expertise. I appreci...

Federated Co-operatives Limited
Experience: Guided Implementation | Impact: 10/10 | $ Saved: N/A | Days Saved: 10
Best part is it made us take time and focus. The tool made it easy to keep in track, work through it logically and break it apparent as to what th...

San Diego County Office of Education
Experience: Guided Implementation | Impact: 8/10 | $ Saved: $12,999 | Days Saved: 10
I understand you do not provide the technology side to this conversation which is a big piece of this project. However, that being said, it was he...


EXECUTIVE BRIEF

Analyst perspective

Build a foundation for success.

A comprehensive identity and access management (IAM) program can enhance an organization's security and operational efficiency. However, IAM programs are challenging to implement. Practitioners must collaborate with stakeholders to integrate systems, applications, and directories; address technical debt and outdated infrastructure; and balance robust security measures with a seamless user experience.

Automation and self-service are often seen as solutions. Automate user provisioning with predefined roles and automatically deprovision access when activity falls below a threshold or upon employment termination. Empower users with decentralized identity (DID) or self-sovereign identity (SSI) solutions.

These are solid options, but organizations must understand entitlements, access policies, functional roles, and how to adjust entitlements accordingly. Build a clear IAM strategy to evaluate existing processes, systems, and controls; identify strengths and weaknesses; and build a clear roadmap to prepare your organization for automation and self-service.

Michel Hébert
Principal Research Director, Security and Privacy
Info-Tech Research Group

Executive summary

Your Challenge

  • Immature IAM programs introduce significant vulnerabilities, which can lead to unauthorized access, data breaches, and compliance issues, threatening the security and integrity of organizational assets.
  • IAM tools provide capabilities that can improve program maturity, report on identities, automate lifecycle management processes, and administer access to business functions. However, these tools require organizations to understand and adjust entitlements according to access policies and functional roles.

Common Obstacles

  • Complexity: Implementing IAM often requires integrating multiple systems, applications, and directories, which is particularly challenging in large and diverse IT environments.
  • Collaboration: Implementing an IAM lifecycle requires coordination across different departments. Aligning the goals and processes can be challenging, particularly in complex organizations.
  • Resilience: The IAM lifecycle should be scalable. As the organization evolves, IAM systems should support more users, changing access needs, and new technologies like cloud services and mobile devices.

Info-Tech's Approach

  • Develop a comprehensive IAM strategy: Define a clear IAM strategy that aligns with the organization's security objectives and regulatory requirements. It should outline the goals, roadmap, and desired outcomes of the IAM program and consider user populations, existing systems, and scalability needs.
  • Implement IAM lifecycle processes: Establish standardized processes for user onboarding, provisioning, deprovisioning, and access changes throughout the user's lifecycle. Align them with security, compliance, and business requirements, and automate them to reduce manual efforts, improve efficiency, and minimize errors.

Info-Tech Insight

Security leaders find modernizing identity security daunting and focus instead on seemingly simpler challenges like implementing single sign-on (SSO), multifactor authentication (MFA), and privileged access management (PAM). However, this reactive approach can be more costly over time. Developing a comprehensive IAM strategy and roadmap is a proactive, high-value initiative that will drive the effective modernization of the identity management program.

Your challenge

Immature IAM programs pose a direct risk to the enterprise.

Identity-related incidents are on the rise. They can lead to unauthorized access, data breaches, and compliance issues, threatening the security and integrity of organizational assets.

The 2024 trends report from the Identity Defined Security Alliance (IDSA) paints a jarring picture of the growing frequency and impact of identity-related attacks.

90% of organizations experienced at least one identity-related incident in 2023.
84% of identity stakeholders who incurred an identity-based breach in 2023 said they suffered a direct business impact as a result.
48% of organizations involved their security incident response plans more than once in 2023 for an identity-related incident.

IDSA, 2024

Your challenge

  • Identity Provisioning: Managing user access becomes more complex as organizations grow, requiring synchronization across devices, deactivation of departing employees' accounts, and role-based access for sensitive data.
  • Regulations and Compliance: Organizations must comply with various laws and regulations, such as GDPR and HIPAA. These regulations evolve, necessitating regular updates to IAM programs.
  • Data Security: IAM is vital for data security, controlling access by roles, devices, and data sensitivity. Challenges include managing password fatigue and ensuring strong authentication methods like SSO and MFA.
  • Organizational Change: IAM improvements often require process reengineering, user training, and cultural shifts. Effective change management is essential for overcoming resistance and ensuring successful adoption.

Common obstacles

Common pitfalls can affect the value of IAM implementations.

  • Lack of stakeholder support: Without strong executive support, IAM efforts may lack the authority to align departments and secure the necessary resources. Take a deliberate approach to modernizing your IAM program and discuss business, security, and compliance requirements with stakeholders.
  • Viewing IAM as a project rather than a program: Organizations that view IAM as a one-time product implementation often struggle. IAM is a multiphase, multiyear initiative requiring continuity, context, and sustained effort. Build a strategic roadmap for the program and clearly communicate the priority and benefits of its initiatives.
  • Identity sprawl: The proliferation of user identities across multiple systems complicates identity management and security. Design well-established, standardized processes for user onboarding, identity changes, and user offboarding as a foundation for the IAM program.

Info-Tech's approach

A successful IAM strategy must balance security and usability

  • Security: Ensure that the IAM program protects the organization's systems, applications, and data from unauthorized access, breaches, and other threats. This includes implementing robust authentication methods, enforcing least privilege access, conducting regular access reviews, and maintaining comprehensive logging and monitoring.
  • Usability: Ensure the IAM program is user-friendly and does not impede user productivity. This involves creating intuitive processes for authentication and access requests, minimizing the complexity of password requirements, providing efficient methods for password resets, and ensuring that the access management tools are accessible for both end users and administrators.
  • To achieve this balance:
    • Gather careful requirements.
    • Conduct a comprehensive gap analysis.
    • Design foundational policies and workflows.
    • Communicate program priorities and benefits in a multiphase roadmap.

IAM Program Capability Model

IAM has evolved significantly in the last decade

A picture of the IAM Program Capability Model, showing changes over the past decade.

The anatomy of an IAM program

An image of the anatomy of an IAM program, comparing points of the program to locations on the human body

An image of the process to develop a comprehensive IAM improvement strategy.  Assess Requirements; Conduct Gap Analysis; Develop Policies and workflows; Build Program Roadmap.

Info-Tech's methodology for maturing IAM programs

Phase 1: Assess IAM Program Requirements

Phase Steps

  1. Identify program goals and scope.
  2. Identify roles and responsibilities.
  3. Inventory repositories and identities.
  4. Conduct a security pressure analysis.

Phase Outcomes

  • IAM program requirements
  • IAM roles and responsibilities
  • Repository and identity inventory
  • IAM program target state

Phase 2: Conduct an IAM Program Gap Assessment

Phase Steps

  1. Review the program's current state.
  2. Identify IAM improvements.
  3. Discuss strategies for engaging stakeholders in IAM initiatives.

Phase Outcomes

  • Program current state
  • IAM improvement initiatives
  • Stakeholder engagement tactics

Phase 3: Develop IAM Policies and Lifecycle Workflows

Phase Steps

  1. Review and improve key IAM policies.
  2. Build IAM lifecycle workflows.
  3. Review IAM tools and technologies and identify gaps.

Phase Outcomes

  • IAM joiner, mover, and leaver workflows
  • Initial IAM tool requirements

Phase 4: Prioritize IAM Initiatives and Build a Roadmap

Phase Steps

  1. Prioritize IAM initiatives.
  2. Develop action plans for top-priority initiatives.
  3. Identify KPIs to measure program improvements.

Phase Outcomes

  • IAM strategy and roadmap
  • IAM program metrics

Insight summary

Be Proactive

Security leaders find modernizing identity security daunting and focus instead on seemingly simpler challenges like implementing SSO, MFA, and PAM. However, this reactive approach can be more costly over time. Developing a comprehensive IAM strategy and roadmap is a proactive, high-value initiative that will drive the effective modernization of the identity management program.

Discover

Time spent on reconnaissance lays the groundwork for informed decisions and strategic action. Gather requirements for your IAM program, including roles and responsibilities, regulatory needs, and the risk scenarios that matter most to your organization.

Evaluate

Don't leave anything to chance. A comprehensive assessment of existing IAM processes, systems, and controls will allow you to assess strengths and challenges, bridge significant gaps, and position your IAM program for future innovations.

Standardize

Understanding is the key to automation. First, define and implement standardized processes for user onboarding, access changes, and deprovisioning, ensuring they align with security, compliance, and business requirements. This foundation is essential for future program improvements.

Build an IAM roadmap

IAM is a multiphased program, and it may not benefit all stakeholders immediately. Without clear communication about prioritization and planned capabilities, stakeholder support can fragment. Build a roadmap to outline how and when the IAM program will address specific capabilities.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

IAM Program Requirements
IAM RACI, Identity Architecture, and Information Security Pressure Analysis tools

IAM Gap Analysis Tool
Current- and future-state gap analysis, initiative prioritization, and roadmap

Identity Lifecycle Workflows
IAM joiner, mover, and leaver workflows

IAM Improvement Strategy
IAM roadmap, strategy, and communication deck

Key deliverable:

IAM Improvement Roadmap
in the IAM Gap Analysis Tool

IAM is a multiphased program that may not benefit all stakeholders immediately. Without clear communication about prioritization and planned capabilities, stakeholder support can fragment.

Build a roadmap to outline how and when the IAM program will address specific capabilities.

Keep your organization safe

Measure the benefits of a robust IAM program

  • Baseline your organization's performance against key metrics before proceeding with the IAM program improvement project.
  • Organizations with a successful IAM program:
    • Reduce security risks to the organization.
      The number and severity of identity-related risks decrease over time. This includes tracking resolved vulnerabilities and mitigated threats. Expect an initial increase in the number of identity-related risks identified.
    • Improve end-user experience.
      The effectiveness of IAM processes improves over time, including the average time to onboard a new hire, the number of stale accounts, and the average time to deprovision a user.
    • Are more likely to be compliant.
      Regular audits and assessments are more likely to show the IAM program adheres to relevant security and regulatory standards.

Measure the value of the IAM improvement project

Info-Tech's approach will accelerate your success. Estimates reflect advisory and workshop experiences.

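  • Phase 1: Assess Requirements (1 to 5 people). With Blueprint: 1 day. Without Blueprint: 1 week.
  • Phase 2: Conduct Gap Analysis (1 to 5 people). With Blueprint: 1 day. Without Blueprint: 1 week.
  • Phase 3: Develop IAM Policies and Workflows (1 to 5 people). With Blueprint: 1 day. Without Blueprint: 1 week.
  • Phase 4: Build IAM Roadmap (1 to 5 people). With Blueprint: 1 day. Without Blueprint: 1 week.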

Time Saved: 1 to 4 weeks
$ Saved: $6,499 to $16,899

The project's value comes from the initial strategy and roadmap design, but you will experience benefits over time as you implement IAM initiatives on the roadmap and communicate your approach more effectively.

Executive brief case study

INDUSTRY: Manufacturing
SOURCE: Info-Tech Workshop Engagement

Anonymous

The client organization was a parent company specializing in manufacturing petroleum additives through a network of subsidiaries.

Identity and access management drove this company's maturity in information protection. The company required an assessment to better understand its current IAM landscape, reduce business risk, and ensure the cost of its program aligned with industry best practices.

In addition to the security standards driving best practices, the organization also wanted to ensure that its IAM processes were usable and allowed its diverse workforce to receive the appropriate access they needed from any device.

Results

Info-Tech Research Group developed a comprehensive strategy that identified core areas for IAM maturity improvement and aligned them with the company's vision and business drivers. Furthermore, Info-Tech ensured that the strategy, recommendations, and roadmap supported the organization's identity management lifecycle.

The IAM Maturity engagement included the following components:

  • Program Requirements
  • IAM Program Gap Analysis
  • Identity Lifecycle Workflows
  • IAM Program Roadmap
  • Next Steps

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

an image showing the guided implementation plan for this blueprint, over a series of nine calls

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 8 to 12 calls over the course of 4 to 6 months.

Develop a Comprehensive IAM Improvement Strategy
Workshop Overview

Contact your account director for more information.
workshops@infotech.com 1-888-670-8889

Day 1: Assess IAM Program Requirements

Activities

  • 1.1 Identify program scope and goals.
  • 1.2 Identify program roles and responsibilities.
  • 1.3 Inventory repositories and identities.
  • 1.4 Conduct a pressure analysis.

Deliverables

  1. IAM program requirements
  2. IAM program RACI
  3. IAM repository inventory
  4. IAM program target state

Day 2: Gap Analysis and Policy Work

Activities

  • 2.1 Review the current state of the IAM program.
  • 2.2 Identify gap closure actions.
  • 2.3 Identify IAM initiatives.
  • 2.4 Review and improve key IAM policies.

Deliverables

  1. IAM program current state
  2. IAM improvement initiatives
  3. IAM policy templates

Day 3: IAM Lifecycle Workflow Development

Activities

  • 3.1 Map the IAM joiner workflow.
  • 3.2 Map the IAM mover workflow.
  • 3.3 Map the IAM leaver workflow.
  • 3.4 Review IAM tools and identify gaps.

Deliverables

  1. Joiner, mover, and leaver workflows
  2. Initial IAM tool requirements

Day 4: IAM Strategy Review and Final Presentation

Activities

  • 4.1 Review IAM improvement initiatives.
  • 4.2 Prioritize IAM initiatives.
  • 4.3 Build buy-in for IAM initiatives.
  • 4.4 Prepare final presentation.

Deliverables

  1. IAM improvement strategy and roadmap
  2. IAM program KPIs

Day 5: Next Steps and Wrap-Up (offsite)

Activities

  • 5.1 Complete in-progress deliverables from previous four days.
  • 5.2 Set up review time for workshop deliverables and to discuss next steps.

Deliverables

  1. IAM strategy roadmap documentation
  2. High-level cost and effort estimate
  3. Info-Tech resource map against individual initiatives

Recommended workshop participants

Days: Day 1, Day 2, Day 3, Day 4

Participants:

  • Senior Management (CIO, CRO, CISO)
  • Senior IT Team Members
  • IT Security
  • IT Infra & Ops
  • Risk Management
  • Human Resources

Phase 1

Assess IAM Program Requirements

Phase 1

  • 1.1 Identify program goals and scope.
  • 1.2 Identify program roles and responsibilities.
  • 1.3 Inventory repositories and identities.
  • 1.4 Conduct a pressure analysis.

Phase 2

  • 2.1 Review the current state of the program.
  • 2.2 Identify gap closure actions.
  • 2.3 Identify IAM initiatives.
  • 2.4 Review and improve key IAM policies.

Phase 3

  • 3.1 Map the IAM joiner workflow.
  • 3.2 Map the IAM mover workflow.
  • 3.3 Map the IAM leaver workflow.
  • 3.4 Review IAM tools and identify gaps.

Phase 4

  • 4.1 Review IAM improvement initiatives.
  • 4.2 Prioritize IAM improvement initiatives.
  • 4.3 Build buy-in for IAM initiatives.

This phase will produce the following deliverables:

  • IAM program requirements
  • IAM program RACI
  • IAM repository inventory
  • IAM program target state

This phase involves the following participants:

  • Senior Management (CIO, CRO, CISO)
  • Senior IT Team Members
  • IT Security
  • IT Infrastructure & Operations
  • Risk Management

Build a solid foundation for the IAM program

Time spent on reconnaissance lays the groundwork for informed decisions and strategic action. Gather requirements for your IAM program, including roles and responsibilities, regulatory needs, and the risk scenarios that matter most to your organization.

The following exercises will help you assess the goals and scope of your identity and access management program, identify process roles and responsibilities, inventory identity repositories, and assess your threat landscape.

At the end of the phase, you will have a completed gap analysis of the IAM program, including a set of improvement initiatives for further consideration.

Speakers for the upcoming webinar "Develop a Comprehensive Identity and Access Management (IAM) Improvement Strategy" (Wednesday, November 06, 2024, 01:00 PM EDT):

  • Michel Hébert, Info-Tech Research Group
  • Fred Chagnon, Principal Research Director

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 4-phase advisory process. You'll receive 9 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Assess IAM program requirements
  • Call 1: Review challenges and scope advisory engagement.
  • Call 2: Gather IAM program requirements; identify IAM roles and responsibilities.

Guided Implementation 2: Conduct an IAM program gap assessment
  • Call 1: Inventory repositories and identities.
  • Call 2: Conduct pressure analysis.
  • Call 3: Review the current state of the IAM program.
  • Call 4: Identify improvement initiatives; discuss stakeholder engagement tactics.

Guided Implementation 3: Develop IAM policies and lifecycle workflows
  • Call 1: Review the IAM policy; develop IAM lifecycle workflows.
  • Call 2: Develop IAM lifecycle workflows.

Guided Implementation 4: Prioritize IAM initiatives and build a roadmap
  • Call 1: Finalize strategy and roadmap; identify IAM program KPIs.

Authors

Ian Mulholland

Michel Hébert

Kate Wood

Contributors

  • Chen Heffer, CEO, CyTech
  • Vijay Bhatt, Senior Manager, Simeio Solutions
  • Rob Marano, Co-founder, The Hackerati
  • Dave Millier, CEO, Sentry Metrics
  • Sheldon Malm, Vice President – Business Development, Sentry Metrics
  • Jennifer Hong, Independent Management Consultant
  • One anonymous contributor