Best Practices for IAM Solution Implementation


Implementation of an IAM program – a Challenge

- Nilesh Shirke

The Identity & Access Management (IAM) solution is a technology solution with the relevant business processes interwoven into it, used to manage users' identities and their access to the Organization's application estate. The access journey of any IT application begins with authenticating a user and granting the right access privileges based on his/her role. Prima facie, a standard set of activities is needed by most applications; hence automating them becomes pertinent, and that automation is what the IAM solution provides. But if we don't treat it as a well-thought-out program driven by an IT architectural vision, we end up with multiple siloed IAM solutions implemented in business divisions across the Organization, and maintaining them becomes a task in itself. Implementing strong authentication, identity federation, risk-based authorization and role management broadens the IAM solution's canvas & adds to the implementation challenges.

Best Practices for IAM solution implementation

The IAM solution is indeed becoming an integral part of a growing business, yet seeing the implementation program through is not simple. Most programs drift away from their project schedules due to implementation oversights. By adhering to the best practices listed below, an IAM program can achieve its intended business objectives.

Embrace the overall IT Vision

Organizations should clearly state their long-term objectives, treating the IAM solution as a business solution and not merely a technical one. Architecting it as a common capability that combines the technology solution with business processes, and tying up all the loose ends, would realize its true business value. This requires meticulous planning, aimed at eliminating the need to implement similar solutions elsewhere in the Organization. The following points should be considered while the IAM solution is being conceived:

1. Current IT architecture of the Organization & future roadmap – Along with the existing IT & network architecture, due consideration should be given to current/future IT transformation programs such as the adoption of a service-oriented architecture (SOA) or private/public cloud infrastructure. These will influence the IAM solution's architecture & design.

2. Reflection on consolidation of business roles – Role engineering, a cornerstone of RBAC implementation, includes mapping access privileges to common business roles. Identifying rogue accounts, excessive privileges and redundant user groups is also part of this exercise. The figure below depicts Role Engineering, which will later aid in simplifying the IAM solution implementation.

Figure 1: Role Engineering that should precede IAM implementation

e.g. Role Engineering might distil 50 feasible roles & their entitlements for an Organization of 500 employees. Using these 50 roles as the subjects of authentication & authorization would then streamline the business process framework and simplify security governance.

3. Conformance to Audit & compliance requirements – Requirements to be fulfilled for compliance with standards, privacy policy & legislation, and for providing a governance dashboard to aid the management team's decision-making process, should be thought through along with the IAM solution requirements.
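The role engineering exercise described in point 2 can be sketched in code. The following is an added example, not part of the article: over a constructed HR feed and directory group list, it derives a candidate role per (department, title) from the entitlements common to all holders, then flags excessive privileges, rogue accounts and redundant groups. All names and data are made up for illustration.

```python
"""Top-down role engineering over constructed sample data (not from the article)."""
from collections import defaultdict

# Constructed HR feed: account -> (department, job title)
HR = {
    "alice": ("finance", "analyst"),
    "bob": ("finance", "analyst"),
    "carol": ("finance", "analyst"),
    "dave": ("it", "admin"),
    "erin": ("it", "admin"),
}
# Constructed directory groups: group -> member accounts
GROUPS = {
    "fin-ledger-ro": {"alice", "bob", "carol"},
    "fin-reports": {"alice", "bob", "carol"},            # same members as fin-ledger-ro
    "fin-ledger-rw": {"alice"},                          # held by one analyst only
    "srv-admins": {"dave", "erin", "svc-old"},           # svc-old has no HR record
    "vpn-users": {"alice", "bob", "carol", "dave", "erin"},
}

def entitlements_by_user():
    """Invert group membership into account -> set of groups."""
    ent = defaultdict(set)
    for group, members in GROUPS.items():
        for member in members:
            ent[member].add(group)
    return ent

def mine_roles():
    """Candidate role per (department, title): entitlements common to all its holders."""
    ent, holders = entitlements_by_user(), defaultdict(list)
    for user, key in HR.items():
        holders[key].append(user)
    return {key: set.intersection(*(ent[u] for u in users)) for key, users in holders.items()}

def excessive_privileges():
    """Entitlements an account holds beyond its candidate role's baseline."""
    ent, roles = entitlements_by_user(), mine_roles()
    return {u: ent[u] - roles[HR[u]] for u in HR if ent[u] - roles[HR[u]]}

def rogue_accounts():
    """Accounts that hold entitlements but have no owner in the HR feed."""
    return sorted(u for u in entitlements_by_user() if u not in HR)

def redundant_groups():
    """Pairs of groups whose membership is identical (candidates for consolidation)."""
    seen, duplicates = {}, []
    for group, members in GROUPS.items():
        key = frozenset(members)
        if key in seen:
            duplicates.append((group, seen[key]))
        else:
            seen[key] = group
    return duplicates
```

On real data the intersection rule is only a starting point; a reviewer would still confirm with business SMEs that each mined entitlement belongs to the role.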

Providing enterprise-wide, integrated authentication and authorization services (such as single sign-on), support for web services security & management, and support for inter-operability and integration between trust domains should all be part of the overall IAM solution architecture. A shared IAM solution cutting across the organization is depicted below:

Figure 2: Enterprise Identity & Access Management Framework


This would also enable integration with other security interfaces to improve the overall
security posture of the organization.

Structure the Foundation

An organization needs to structure a solid foundation by undertaking comprehensive infrastructure planning. This would include a risk assessment of all applications/platforms, technology trend analysis & the business plans of the Organization. The key step of this exercise is evaluating the IAM technology. The evaluation criteria should include the completeness of the product's capability portfolio & its strategic alignment with the Organization's IT roadmap. A mapping of product compatibility against the current IT infrastructure needs to be prepared in advance. Sample guidelines for performing this comprehensive assessment are as follows:

1. A list of standard vs home-grown applications with version details
2. A list of the operating systems, user stores, third-party applications & web servers in use, mapped against the OOTB (Out-Of-The-Box) functionality provided by the IAM product
3. An assessment of the amount of customization required where the product does not support the functionality
4. An understanding of technology limitations and the product's capability roadmap

The product selection should be based on business needs compiled from all facets of business
functions. Apart from this, following activities will be equally important in laying a concrete
foundation for the IAM solution:

- Involving business SMEs to standardize processes
- Involving Business/Technical SMEs to define policy enforcement procedures (especially authentication & authorization policies)
- Immaculate deployment planning that covers activities from defining the right directory structure & logging mechanism through to the responsibility matrix & change management procedures

This entire exercise would ensure the smooth implementation of IAM program. It will also
improve the solution’s adaptability & maintainability.

Undertake Staged Implementation

As discussed earlier, authentication & authorization are the beginning of application access. Hence, when we think of automating the process, there is a tendency to employ a big-bang approach & include all IT applications and platforms in one go. This expectation of over-automation needs to be carefully managed. To simplify the management of the IAM implementation program, it should be undertaken in multiple stages. We should begin with small programs, i.e. the scope of stage 1 should be a relatively simple deployment that brings quick wins & tangible benefits. The most recommended starting stage is implementation of a self-service module with password reset functionality, which brings immediate commercial benefits. Subsequent stages should focus on adding more functionality & including more complex integrations. Examples of stages are as follows:

Stage 2 – Implementation of an Organization-wide User Repository – Virtual or Meta directory solutions
Stage 3 – Implementation of role management
Stage 4 – Automation of Identity lifecycle business processes – Implementation of Identity Management solutions
Stage 5 – Designing the Access Management Framework – includes internal/external users
Stage 6 – Implementation of Web Single Sign-On – includes only web applications

And so on. This would facilitate quick adoption of the IAM solution across the user community.

At the same time, each stage should include a proper mix of SDLC phases, with multiple proofs of concept to establish the overall feasibility of the IAM solution. Verifying the compatibility of the IAM technology with the current network and IT applications would aid in defining the scope of each stage. Typical steps in this approach are as follows:

1. Clear scoping of each Proof of Concept – Limited IT systems / applications / platforms with a limited number of users
2. Scalability planning – Design to respond quickly to business & technology changes
3. Pilot runs – Staged deployment & implementation
4. System integration – Integrate to stretch it into a common solution, eliminating a lot of redundancy
5. Regression testing – Strictly perform regression testing to verify the functional integrity of IT applications & platforms

Figure 3: Staged Implementation of IAM program

Consolidating all stages to stretch IAM functionality into a common capability cutting across heterogeneous IT systems & platforms spanning multiple business divisions will be easier to tackle from a program management point of view.

Educate the user community

Mostly, we see that IT trainings cover the implementation part of technology products, with cook-books detailing each step. Such training programs lack discussion of the base technology, product capabilities, extensibility, etc. Educating the different stakeholders on the IAM technology & capability portfolio holds equal importance and should be an integral part of the IAM program. Different user communities need education on different aspects of the solution.

The IT staff need to be educated in advance to exploit the product capabilities. Take the example of an organization where an identity management solution had been implemented but identity synchronization between the different user repositories was not enabled, or was not known to the IT staff. A separate solution covering this aspect was then implemented using some other technology. So 20% of the product capability went unutilized, plus there was additional CAPEX as well as OPEX for the separate solution. Education would ensure that the implementation of the IAM solution is complete and underpinned by its fundamental principles.

Business SMEs should also be educated on product capability offerings so that the right mix of
manual & automated processes can result in more business efficiency.

Operations staff should be educated on which capabilities have been implemented vs which have been left unattended, in addition to the know-how of the solution. This will bring efficiency in tackling user as well as system administration issues.

This education should not be considered a one-time endeavour. Users need refreshers to keep up with the induction of new processes and emerging product capabilities. The more you educate, the more the technology will be exploited. This will lead to successful adoption of the IAM solution as a common capability within the user community.

Summary

The IAM solution plays a key role in enabling interactions and transactions in the prevalent digital world. Some IAM capabilities are required for providing end-to-end security, and thus aid in determining the security posture of the organization. Hence, the success of IAM implementation programs has become a business imperative. But the majority of IAM implementations have suffered road-blocks & have ultimately stalled, mostly due to failure to manage the program well. By following best practices, it is possible to implement IAM projects that realize business value. The discussion can be summarized as follows:

- Embrace the Identity Vision: Having a consistent IT architectural vision, keeping present/future goals and short/long-term business perspectives in view & aligning the IAM vision with it would help in stretching the solution into a common capability

- Structure the foundation right: Getting the business principles in place before implementing the technology controls would make the IAM solution implementation more flexible in sustaining frequent technology evolutions

- Undertake Staged Implementation: Implementing the IAM program in stages, starting small to result in

A successful IAM program improves the security posture of the Organization. It also acts as a business enabler by providing a secure work environment in which to develop and offer services to end customers and to pursue new business initiatives. Compliance with industry regulations, reduction in IT administration costs and improvement in user productivity, along with user delight, are some of the benefits recognized from a successful IAM program implementation.

(Nilesh Shirke is the IAM practice head in Security Consulting at Tech Mahindra. He has 15+ years of experience in Project Delivery & Security management roles in IT and Business. He has completed his masters in Information Systems from Johns Hopkins University, USA & is a Sun as well as Oracle IAM certified consultant. His areas of expertise are Security Consulting and Project/delivery management in the Identity & Access management domain.)