This is Part 3 of a three-part series on identity governance and administration. Be sure to read Part 1 and Part 2 for the whole story.

I frequently receive calls from identity and access management (IAM) leads at companies that just purchased an identity governance and administration (IGA) tool. They say, “I just bought this tool so I can automate the access recertification process, but where do I start? The pressure to succeed with this project is already starting to get out of control.”

The amount of wish list items received from various stakeholders, coupled with the promises left by the vendor sales team, can be overwhelming. The ink has barely begun to dry on the purchase order for the tool and the stakeholders are already asking for results. The IAM lead tries to explain the journey to the stakeholders, but they are not interested. They only feel the increasing pressure to rectify the audit deficiency. At minimum, the stakeholders want to see something right away to make sure the purchase was not wasted.

The IAM lead starts making phone calls for advice. The major technology integrators are happy to provide proposals, but the price for the implementation is shocking, especially since there is still uncertainty about what this tool can do. The key question finally comes up: “Where can I start to quickly demonstrate the value of this purchase without having to ask for another seven-figure budget from stakeholders who just approved the purchase of the tool?”

Start With B-2-C-12

When I consult with these companies, I provide a simple formula: B-2-C-12. The B stands for baseload of the tool, the 2 stands for two applications integrated, the C represents one cycle of the access recertification campaign and 12 signifies the number of weeks it will take to complete this work.

I recommend keeping the scope simple to get the tool running in the environment and demonstrate quick value to stakeholders. Let’s take a closer look at how these processes contribute to a stronger IGA program.

Baseload of the IGA Tool

Install and load the basic configuration to ensure that the IGA tool is running properly in the environment. There is no special configuration or customization involved — just keep the factory setting. If the vendor provides the tool in a virtual appliance, the baseload can be done even more quickly and simply. Additional time savings can be gained if the IGA tool is delivered as a cloud-based service.

Integrate Two Applications

Start with only two applications. It’s tempting to pull more applications into the first round of IGA integration, but to stay on track, limit the initial scope to two low-complexity applications. An example of a low-complexity application is one that can easily export its access entitlement data into a CSV file.

Most IGA tools on the market also provide standard connectors for Lightweight Directory Access Protocol (LDAP) servers, so LDAP-backed applications fall into the same low-complexity category. A medium-complexity application, by contrast, might use a relational database management system (RDBMS) with a defined access control model. High-complexity applications include Resource Access Control Facility (RACF) and SAP modules, which may have hierarchical and nested access control relationship models.

Launch One Cycle of the Access Recertification Campaign

Once the two applications are loaded, prepare to launch an access recertification campaign. Prior to launching the campaign, define a set of processes. The following is a focused set of actions for this quick start method.

  1. Identify the reviewers in scope. You can select either the application owner or the users’ manager as the main reviewer. Configure the campaign based on the chosen reviewer scope.
  2. Provide training to the reviewers. The reviewers will need to learn how to perform the access recertification using the tool. They must be trained on the user interfaces and the end-to-end process of completing the campaign. They also need to be trained on the roles and responsibilities of various parties in the campaign, as well as the consequences of not completing the campaign or making poor decisions.
  3. Refresh the data. Prior to taking the snapshot of the data to be used for the campaign, the access data from the two applications needs to be refreshed. This ensures that the latest data is used.
  4. Communicate. The access recertification manager will need to send out clear communication on the start and end of the campaign. This should include related rules and policies for awareness.
  5. Launch and follow through. Once the campaign is launched, the access recertification manager is required to follow up with reviewers to ensure timely completion. If any questions come up, the access recertification manager needs to respond quickly. Plan to run a daily report of the campaign progress and make necessary escalations to avoid delays.
  6. Provide campaign closure and a final report. Upon completing the campaign, gather the results and provide final reports to the management. Also follow up on the remediation actions and access revocations. Send an email to alert stakeholders of the campaign’s completion and archive the results for future audits.
  7. Transition the operations to the internal team. Finish the project with the proper transition to the permanent operations team.
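As an added example (not code from this article or from any IGA product), the following Python sketch models the campaign steps above over a constructed CSV entitlement export: snapshot the refreshed data, group items by the chosen reviewer scope, record decisions, produce the daily progress report and collect the revocations for closure. The column names, reviewer scopes and sample users are assumptions.

```python
# Added example, not from the article: minimal access recertification
# campaign model over a constructed CSV export (column names assumed).
import csv
import io
from collections import defaultdict

# Constructed sample export from a "low-complexity" application.
ENTITLEMENT_CSV = """user,entitlement,app,app_owner,manager
alice,finance_read,ledger,owen,maria
bob,finance_admin,ledger,owen,maria
carol,finance_read,ledger,owen,nick
dave,hr_export,people,priya,nick
"""

def load_entitlements(text):
    """Snapshot the refreshed export into a list of row dicts (step 3)."""
    return list(csv.DictReader(io.StringIO(text)))

def build_campaign(rows, reviewer_scope):
    """Group review items by reviewer: 'app_owner' or 'manager' (step 1)."""
    if reviewer_scope not in ("app_owner", "manager"):
        raise ValueError("reviewer_scope must be 'app_owner' or 'manager'")
    campaign = defaultdict(list)
    for row in rows:
        item = {"user": row["user"], "entitlement": row["entitlement"],
                "app": row["app"], "decision": None}
        campaign[row[reviewer_scope]].append(item)
    return dict(campaign)

def record_decision(campaign, reviewer, user, entitlement, decision):
    """A reviewer certifies ('keep') or revokes ('revoke') one item."""
    if decision not in ("keep", "revoke"):
        raise ValueError("decision must be 'keep' or 'revoke'")
    for item in campaign[reviewer]:
        if item["user"] == user and item["entitlement"] == entitlement:
            item["decision"] = decision
            return
    raise KeyError(f"{user}/{entitlement} is not assigned to {reviewer}")

def progress_report(campaign):
    """Daily status per reviewer (step 5): (completed, total) item counts."""
    return {r: (sum(i["decision"] is not None for i in items), len(items))
            for r, items in campaign.items()}

def revocations(campaign):
    """Closure (step 6): items to remediate, sorted for the final report."""
    return sorted((i["user"], i["app"], i["entitlement"])
                  for items in campaign.values() for i in items
                  if i["decision"] == "revoke")
```

Reviewers whose count in the progress report is below the total are the escalation list for the day; the revocation list is what feeds the remediation follow-up at closure.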

Achieving Identity Governance Success Faster

If security professionals follow this process, the IGA tool can start demonstrating functionality within a few short weeks. This helps build trust in the identity governance program with a fast return on investment and a successful implementation. It also makes the case for more resources to expand future functionality.

Once this is complete, follow an IGA strategy to extend the capabilities for advanced integration across the business areas and key business applications and systems.
