This is Part 3 of a three-part series on identity governance and administration. Be sure to read Part 1 and Part 2 for the whole story.
I frequently receive calls from identity and access management (IAM) leads at companies that just purchased an identity governance and administration (IGA) tool. They say, “I just bought this tool so I can automate the access recertification process, but where do I start? The pressure to succeed with this project is already starting to get out of control.”
The amount of wish list items received from various stakeholders, coupled with the promises left by the vendor sales team, can be overwhelming. The ink has barely begun to dry on the purchase order for the tool and the stakeholders are already asking for results. The IAM lead tries to explain the journey to the stakeholders, but they are not interested. They only feel the increasing pressure to rectify the audit deficiency. At minimum, the stakeholders want to see something right away to make sure the purchase was not wasted.
The IAM lead starts making phone calls for advice. The major technology integrators are happy to provide proposals, but the price for the implementation is shocking, especially since there is still uncertainty about what this tool can do. The key question finally comes up: “Where can I start to quickly demonstrate the value of this purchase without having to ask for another seven-figure budget from stakeholders who just approved the purchase of the tool?”
Start With B-2-C-12
When I consult with these companies, I provide a simple formula: B-2-C-12. The B stands for baseload of the tool, the 2 stands for two applications integrated, the C represents one cycle of the access recertification campaign and 12 signifies the number of weeks it will take to complete this work.
I recommend keeping the scope simple to get the tool running in the environment and demonstrate quick value to stakeholders. Let’s take a closer look at how these processes contribute to a stronger IGA program.
Baseload of the IGA Tool
Install and load the basic configuration to ensure that the IGA tool is running properly in the environment. There is no special configuration or customization involved — just keep the factory setting. If the vendor provides the tool in a virtual appliance, the baseload can be done even more quickly and simply. Additional time savings can be gained if the IGA tool is delivered as a cloud-based service.
Integrate Two Applications
Start with only two applications. It’s tempting to try to increase the number of applications for integration into the IGA platform. However, to stay on track, it’s important to start with two low-complexity applications for integration. An example of a low-complexity application is one that can easily export access entitlement data into a CSV file.
Most IGA tools in the market provide standard connectors for lightweight directory access protocol (LDAP) servers. In contrast, a medium-complexity application could be using relational database management systems (RDBMS) with a defined access control model. High-complexity applications include Resource Access Control Facility (RACF) and SAP modules, which may have a hierarchy and a nested access control relationship model.
Launch One Cycle of the Access Recertification Campaign
Once the two applications are loaded, prepare to launch an access recertification campaign. Prior to launching the campaign, define a set of processes. The following is a focused set of actions for this quick start method.
- Identify the reviewers in scope. You have the option to select the application owner as either the main reviewer or the users’ manager. Configure the campaign based on the reviewer scope.
- Provide training to the reviewers. The reviewers will need to learn how to perform the access recertification using the tool. They must be trained on the user interfaces and the end-to-end process of completing the campaign. They also need to be trained on the roles and responsibilities of various parties in the campaign, as well as the consequences of not completing the campaign or making poor decisions.
- Refresh the data. Prior to taking the snapshot of the data to be used for the campaign, the access data from the two applications needs to be refreshed. This ensures that the latest data is used.
- Communicate. The access recertification manager will need to send out clear communication on the start and end of the campaign. This should include related rules and policies for awareness.
- Launch and follow through. Once the campaign is launched, the access recertification manager is required to follow up with reviewers to ensure timely completion. If any questions come up, the access recertification manager needs to respond quickly. Plan to run a daily report of the campaign progress and make necessary escalations to avoid delays.
- Provide campaign closure and a final report. Upon completing the campaign, gather the results and provide final reports to the management. Also follow up on the remediation actions and access revocations. Send an email to alert stakeholders of the campaign’s completion and archive the results for future audits.
- Transition the operations to the internal team. Finish the project with the proper transition to the permanent operations team.
Achieving Identity Governance Success Faster
If security professionals follow this process, the IGA tool can start demonstrating functionality within a few short weeks. This helps build trust in the identity governance program with a fast return on investment and a successful implementation. It also makes the case for more resources to expand future functionality.
Once this is complete, follow an IGA strategy to extend the capabilities for advanced integration across the business areas and key business applications and systems.
Join the webinar: Climb the Mountain to a Successful Identity Governance and Administration Program
Executive Consultant, IBM
Johnny Shin is a seasoned information security consultant with two decades of experience in Identity and Access Management (IAM) and Insider Threat Protectio...