This is Part 3 of a three-part series on identity governance and administration. Be sure to read Part 1 and Part 2 for the whole story.

I frequently receive calls from identity and access management (IAM) leads at companies that just purchased an identity governance and administration (IGA) tool. They say, “I just bought this tool so I can automate the access recertification process, but where do I start? The pressure to succeed with this project is already starting to get out of control.”

The number of wish list items received from various stakeholders, coupled with the promises left by the vendor sales team, can be overwhelming. The ink has barely begun to dry on the purchase order for the tool and the stakeholders are already asking for results. The IAM lead tries to explain the journey to the stakeholders, but they are not interested. They only feel the increasing pressure to rectify the audit deficiency. At minimum, the stakeholders want to see something right away to make sure the purchase was not wasted.

The IAM lead starts making phone calls for advice. The major technology integrators are happy to provide proposals, but the price for the implementation is shocking, especially since there is still uncertainty about what this tool can do. The key question finally comes up: “Where can I start to quickly demonstrate the value of this purchase without having to ask for another seven-figure budget from stakeholders who just approved the purchase of the tool?”

Start With B-2-C-12

When I consult with these companies, I provide a simple formula: B-2-C-12. The B stands for baseload of the tool, the 2 stands for two applications integrated, the C represents one cycle of the access recertification campaign and 12 signifies the number of weeks it will take to complete this work.

I recommend keeping the scope simple to get the tool running in the environment and demonstrate quick value to stakeholders. Let’s take a closer look at how these processes contribute to a stronger IGA program.

Baseload of the IGA Tool

Install and load the basic configuration to ensure that the IGA tool is running properly in the environment. There is no special configuration or customization involved — just keep the factory setting. If the vendor provides the tool in a virtual appliance, the baseload can be done even more quickly and simply. Additional time savings can be gained if the IGA tool is delivered as a cloud-based service.

Integrate Two Applications

Start with only two applications. It’s tempting to try to increase the number of applications for integration into the IGA platform. However, to stay on track, it’s important to start with two low-complexity applications for integration. An example of a low-complexity application is one that can easily export access entitlement data into a CSV file.

Most IGA tools on the market also provide standard connectors for lightweight directory access protocol (LDAP) servers, so an LDAP-backed application is another low-complexity candidate. In contrast, a medium-complexity application might use a relational database management system (RDBMS) with its own defined access control model. High-complexity applications include Resource Access Control Facility (RACF) and SAP modules, which may have a hierarchical, nested access control relationship model.

Launch One Cycle of the Access Recertification Campaign

Once the two applications are loaded, prepare to launch an access recertification campaign. Prior to launching the campaign, define a set of processes. The following is a focused set of actions for this quick start method.

  1. Identify the reviewers in scope. You have the option to make either the application owner or the users’ manager the main reviewer. Configure the campaign based on the reviewer scope.
  2. Provide training to the reviewers. The reviewers will need to learn how to perform the access recertification using the tool. They must be trained on the user interfaces and the end-to-end process of completing the campaign. They also need to be trained on the roles and responsibilities of various parties in the campaign, as well as the consequences of not completing the campaign or making poor decisions.
  3. Refresh the data. Prior to taking the snapshot of the data to be used for the campaign, the access data from the two applications needs to be refreshed. This ensures that the latest data is used.
  4. Communicate. The access recertification manager will need to send out clear communication on the start and end of the campaign. This should include related rules and policies for awareness.
  5. Launch and follow through. Once the campaign is launched, the access recertification manager is required to follow up with reviewers to ensure timely completion. If any questions come up, the access recertification manager needs to respond quickly. Plan to run a daily report of the campaign progress and make necessary escalations to avoid delays.
  6. Provide campaign closure and a final report. Upon completing the campaign, gather the results and provide final reports to the management. Also follow up on the remediation actions and access revocations. Send an email to alert stakeholders of the campaign’s completion and archive the results for future audits.
  7. Transition the operations to the internal team. Finish the project with the proper transition to the permanent operations team.
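As an added illustration of steps 1, 3, 5 and 6 above (example code, not from the article or any IGA vendor), the following Python sketch takes the CSV entitlement export of a low-complexity application, routes each entitlement to a reviewer under either reviewer scope, tracks decisions, produces the daily progress report with an escalation list and extracts the revocation list for remediation follow-up. The CSV columns, users, applications and application owners are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export from a low-complexity application (the CSV case
# described above); users, managers, applications and owners are made up.
ENTITLEMENT_CSV = """user,manager,application,entitlement
alice,carol,Payroll,payroll.admin
bob,carol,Payroll,payroll.view
dave,erin,Timesheet,ts.approver
"""
APP_OWNERS = {"Payroll": "frank", "Timesheet": "grace"}  # constructed

def load_entitlements(csv_text):
    """Parse the refreshed export (step 3) into one row per entitlement."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def build_campaign(rows, reviewer_scope, app_owners=APP_OWNERS):
    """Step 1: route each entitlement to its reviewer, the user's manager
    ("manager") or the application owner ("owner"); decisions start empty."""
    if reviewer_scope not in ("manager", "owner"):
        raise ValueError("reviewer_scope must be 'manager' or 'owner'")
    campaign = defaultdict(list)
    for r in rows:
        reviewer = r["manager"] if reviewer_scope == "manager" \
            else app_owners[r["application"]]
        campaign[reviewer].append({**r, "decision": None})
    return dict(campaign)

def record_decision(campaign, reviewer, user, entitlement, decision):
    """A reviewer certifies ("keep") or revokes ("revoke") one entitlement."""
    for item in campaign[reviewer]:
        if item["user"] == user and item["entitlement"] == entitlement:
            item["decision"] = decision
            return
    raise KeyError(f"{reviewer} has no item for {user}/{entitlement}")

def progress_report(campaign):
    """Step 5: per-reviewer completion for the daily report, plus the
    reviewers still holding open items, who need follow-up or escalation."""
    report = {rv: {"total": len(items),
                   "done": sum(i["decision"] is not None for i in items)}
              for rv, items in campaign.items()}
    escalate = sorted(rv for rv, s in report.items() if s["done"] < s["total"])
    return report, escalate

def revocations(campaign):
    """Step 6: the remediation list, every entitlement decided 'revoke'."""
    return [(i["application"], i["user"], i["entitlement"]) for items in
            campaign.values() for i in items if i["decision"] == "revoke"]
```

In a real deployment the export would come from the application or the IGA tool's connector rather than an inline string, and the revocation list would feed the provisioning workflow instead of being returned to the caller.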

Achieving Identity Governance Success Faster

If security professionals follow this process, the IGA tool can start demonstrating functionality within a few short weeks. This helps build trust in the identity governance program with a fast return on investment and a successful implementation. It also makes the case for more resources to expand future functionality.

Once this is complete, follow an IGA strategy to extend the capabilities for advanced integration across the business areas and key business applications and systems.
