This is Part 3 of a three-part series on identity governance and administration. Be sure to read Part 1 and Part 2 for the whole story.

I frequently receive calls from identity and access management (IAM) leads at companies that just purchased an identity governance and administration (IGA) tool. They say, “I just bought this tool so I can automate the access recertification process, but where do I start? The pressure to succeed with this project is already starting to get out of control.”

The number of wish-list items received from various stakeholders, coupled with the promises made by the vendor sales team, can be overwhelming. The ink has barely begun to dry on the purchase order for the tool and the stakeholders are already asking for results. The IAM lead tries to explain the journey to the stakeholders, but they are not interested. They only feel the increasing pressure to rectify the audit deficiency. At minimum, the stakeholders want to see something right away to make sure the purchase was not wasted.

The IAM lead starts making phone calls for advice. The major technology integrators are happy to provide proposals, but the price for the implementation is shocking, especially since there is still uncertainty about what this tool can do. The key question finally comes up: “Where can I start to quickly demonstrate the value of this purchase without having to ask for another seven-figure budget from stakeholders who just approved the purchase of the tool?”

Start With B-2-C-12

When I consult with these companies, I provide a simple formula: B-2-C-12. The B stands for baseload of the tool, the 2 stands for two applications integrated, the C represents one cycle of the access recertification campaign and 12 signifies the number of weeks it will take to complete this work.

I recommend keeping the scope simple to get the tool running in the environment and demonstrate quick value to stakeholders. Let’s take a closer look at how these processes contribute to a stronger IGA program.

Baseload of the IGA Tool

Install and load the basic configuration to ensure that the IGA tool is running properly in the environment. There is no special configuration or customization involved — just keep the factory settings. If the vendor provides the tool as a virtual appliance, the baseload can be done even more quickly and simply. Additional time savings can be gained if the IGA tool is delivered as a cloud-based service.

Integrate Two Applications

Start with only two applications. It’s tempting to increase the number of applications integrated into the IGA platform, but to stay on track it’s important to begin with two low-complexity applications. An example of a low-complexity application is one that can easily export its access entitlement data (who holds which entitlement, and who their manager is) into a CSV file.

Most IGA tools on the market also provide standard connectors for lightweight directory access protocol (LDAP) servers, so an LDAP-backed application is a similarly low-complexity choice. In contrast, a medium-complexity application could be one that uses a relational database management system (RDBMS) with a defined access control model. High-complexity applications include Resource Access Control Facility (RACF) and SAP modules, which may have a hierarchy and a nested access control relationship model; leave these for a later phase.

Launch One Cycle of the Access Recertification Campaign

Once the two applications are loaded, prepare to launch an access recertification campaign. Prior to launching the campaign, define a set of processes. The following is a focused set of actions for this quick start method.

  1. Identify the reviewers in scope. You can choose either the application owner or the users’ manager as the main reviewer. Configure the campaign based on the reviewer scope you select.
  2. Provide training to the reviewers. The reviewers will need to learn how to perform the access recertification using the tool. They must be trained on the user interfaces and the end-to-end process of completing the campaign. They also need to be trained on the roles and responsibilities of various parties in the campaign, as well as the consequences of not completing the campaign or making poor decisions.
  3. Refresh the data. Prior to taking the snapshot of the data to be used for the campaign, the access data from the two applications needs to be refreshed. This ensures that the latest data is used.
  4. Communicate. The access recertification manager will need to send out clear communication on the start and end of the campaign. This should include related rules and policies for awareness.
  5. Launch and follow through. Once the campaign is launched, the access recertification manager is required to follow up with reviewers to ensure timely completion. If any questions come up, the access recertification manager needs to respond quickly. Plan to run a daily report of the campaign progress and make necessary escalations to avoid delays.
  6. Provide campaign closure and a final report. Upon completing the campaign, gather the results and provide final reports to the management. Also follow up on the remediation actions and access revocations. Send an email to alert stakeholders of the campaign’s completion and archive the results for future audits.
  7. Transition the operations to the internal team. Finish the project with the proper transition to the permanent operations team.
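The following is an added example, not code from the article or from any IGA product. It models the quick-start flow above in plain Python: ingest a CSV entitlement export of the kind a low-complexity application can produce, take a snapshot, route each item to a reviewer according to the chosen scope (application owner or the user’s manager), record decisions, produce the daily progress report used for follow-up and escalation, and produce the closure output (completion status plus the revocations that feed remediation). The CSV content, the application-owner table and all names are constructed; the function names are assumptions for illustration.

```python
"""Minimal access recertification campaign driver (constructed example)."""
import csv
import io
from collections import defaultdict

# Constructed sample export: the shape a low-complexity application can emit.
ENTITLEMENT_CSV = """user,manager,application,entitlement
alice,bob,payroll,payroll_admin
carol,bob,payroll,payroll_viewer
dave,erin,hr_portal,hr_readonly
frank,erin,hr_portal,hr_editor
"""

# Constructed application-owner table (assumed to be maintained in the IGA tool).
APP_OWNERS = {"payroll": "grace", "hr_portal": "heidi"}


def load_snapshot(csv_text):
    """Step 3 (refresh the data): parse a fresh export into the campaign snapshot.
    Rejects exports that lack the columns the campaign depends on."""
    reader = csv.DictReader(io.StringIO(csv_text))
    required = {"user", "manager", "application", "entitlement"}
    if not required.issubset(reader.fieldnames or []):
        raise ValueError("export is missing required columns")
    return [dict(row) for row in reader]


def assign_reviewers(snapshot, scope):
    """Step 1 (reviewer scope): route every item to one reviewer.
    scope is 'owner' (application owner) or 'manager' (the user's manager)."""
    if scope not in ("owner", "manager"):
        raise ValueError("scope must be 'owner' or 'manager'")
    queues = defaultdict(list)
    for item in snapshot:
        reviewer = APP_OWNERS[item["application"]] if scope == "owner" else item["manager"]
        queues[reviewer].append({**item, "decision": None})
    return dict(queues)


def record_decision(queues, reviewer, user, application, entitlement, decision):
    """Record an approve/revoke decision. Only the assigned reviewer may decide,
    so a decision submitted by anyone else is ignored and reported as False."""
    if decision not in ("approve", "revoke"):
        raise ValueError("decision must be 'approve' or 'revoke'")
    for item in queues.get(reviewer, []):
        if (item["user"], item["application"], item["entitlement"]) == (user, application, entitlement):
            item["decision"] = decision
            return True
    return False


def progress_report(queues):
    """Step 5 (follow through): per-reviewer (completed, total) counts for the
    daily progress report and for deciding whom to escalate."""
    return {r: (sum(1 for i in items if i["decision"] is not None), len(items))
            for r, items in queues.items()}


def close_campaign(queues):
    """Step 6 (closure): the campaign is complete only when every item has a
    decision. Returns (complete, revocations); revocations drive remediation."""
    items = [i for q in queues.values() for i in q]
    complete = all(i["decision"] is not None for i in items)
    revocations = [(i["user"], i["application"], i["entitlement"])
                   for i in items if i["decision"] == "revoke"]
    return complete, revocations


if __name__ == "__main__":
    queues = assign_reviewers(load_snapshot(ENTITLEMENT_CSV), "manager")
    record_decision(queues, "bob", "alice", "payroll", "payroll_admin", "revoke")
    print("progress:", progress_report(queues))
    print("closure:", close_campaign(queues))
```

The point of keeping the scope parameter explicit is that it is the one campaign-design decision that changes who sees what: with `"owner"` the two application owners each review their whole application, with `"manager"` each manager reviews only their own reports. The closure function refuses to report completion while any item is undecided, which is the check that keeps a campaign from being archived for audit with silent gaps.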

Achieving Identity Governance Success Faster

If security professionals follow this process, the IGA tool can start demonstrating functionality within a few short weeks. This helps build trust in the identity governance program with a fast return on investment and a successful implementation. It also makes the case for more resources to expand future functionality.

Once this is complete, follow an IGA strategy to extend the capabilities for advanced integration across the business areas and key business applications and systems.
