Identity governance comes along after organizations have already begun implementing identity and access management (IAM) tools and processes. Because it comes later in the IAM project, you are forced to organize and establish a new order to a working environment. It also means you will have to pull some people out of their comfort zone to create a better process for the company.

This may be a challenge, and the disconnect can lead to project failures. A good communication plan, with a clear timeline and project goals, can help. But how can you avoid a project failure altogether?

From Nothing to State-of-the-Art

You may want to spearhead a legendary identity and access project. You demand that everything be perfect and aligned to best practices — and then you fail.

But you would probably be successful if you evolved at each step. Start with the core systems where fraud can drastically affect your company. Once you have established a framework to better understand the target system, collect and mine system roles. This allows you to establish access roles and apply all the changes to an environment to increase your odds of success.

Some Rules Aren’t Set in Stone

Most of the time, operating under the “need-to-know” rule of information security is the right call: Give people the minimum level of access they need to do their jobs. But with identity governance strategies, you probably need to be more flexible.

It is common to have a role that will fit multiple employees, which will likely grant some rights that an employee truly doesn’t need to have. You must find this normal. If you can’t do that, it is better to have individualized roles for each employee and assign access to only that one person.

A word of warning: If you are not flexible, you will work hard. I’ve seen companies with 3,000 users and 5,000 roles.

Collaborate More

As you may have already discovered, you cannot do this project alone. Since the system in question is already working and integrated into existing IAM solutions, you have to operate as an organized society.

You will need to ask — and in some cases beg — to managed systems like your SAP to have access to their roles. This is like asking Gollum to hold his ring. So be careful in this interaction; explain you are not trying to take their precious but instead are helping them better manage access to the asset.

Think Practically for Identity Governance

I have noticed some failed strategies were doing well up to moment where you turn the key for daily operation. The roles were well-established, but the world is unstoppable. Organizational changes, as well as systems arriving and leaving, made excellent work disappear.

Even more than access review, when you check who has permissions, you should establish some cycle of role review to make sure that role makes sense for the organization and is still working from an information security standpoint. Don’t forget to nominate role owners to raise any relevant changes or questions to the information security team.

Build Toward Separation of Duties

Closer to the end of your implementation will be the holy grail: separation of duties (SoD). Most project goals include achieving this status, but sometimes we are so excited for it that preliminary tasks are forgotten. Don’t let the final goal break everything. Be patient and keep calm. SoD success depends on a very good access model implementation.

Look to the Future

The future of access modeling looks good. New initiatives such as user-managed access (UMA) were described by Gartner’s Hype Cycle for Identity and Access Management Technologies, 2015. According to UMA specifications, in the future, users will manage access by themselves by simply fulfilling requirements from target systems. In other words, the system has minimum requirements that users must meet to gain access.

Imagine a world without roles — or imagine a world where the expansion of cognitive computing provides a way for a computer to evaluate access and roles. Future technologies may help you, but you’ll need some kind of workaround for today.

Keep It Simple

Identity governance tools should be used to help you to achieve your goal — not to explore all possible product features. Most of the time, the features available don’t fit all your needs. However, some people believe they need to have everything working. If your roles are stable, you won’t need all these capabilities.

This should be your project vision: Keep it as simple as possible. Fewer roles lead to better management and operations. If some systems at your company are secondary, leave it for a second phase or keep it out of your scope.

Read the white paper: Protect your critical Assets with Identity Governance

More from Identity & Access

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

X-Force certified containment: Responding to AD CS attacks

6 min read - This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled…

CISA, NSA issue new IAM best practice guidelines

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a new 31-page document outlining best practices for identity and access management (IAM) administrators. As the industry increasingly moves towards cloud and hybrid computing environments, managing the complexities of digital identities can be challenging. Nonetheless, the importance of IAM cannot be overstated in today's world, where data security is more critical than ever. Meanwhile, IAM itself can be a source of vulnerability if not implemented…