June 8, 2016 By Fabio Sobiecki 3 min read

Identity governance usually arrives after an organization has already begun implementing identity and access management (IAM) tools and processes. Because it comes later in the IAM program, you have to impose new structure on an environment that is already running. That also means pulling some people out of their comfort zone to create a better process for the company.

This is a challenge, and the resulting friction can sink a project. A good communication plan, with a clear timeline and project goals, helps. But how can you avoid project failure altogether?

From Nothing to State-of-the-Art

You may want to spearhead a legendary identity and access project. You demand that everything be perfect and aligned to best practices from day one, and then you fail.

You are far more likely to succeed if you evolve step by step. Start with the core systems where fraud could seriously hurt the company. Once you have a framework for understanding a target system, collect its native roles and mine them: group the permissions users actually hold into candidate roles, then refine those into business access roles. Apply the resulting changes to one environment at a time, which keeps each step small enough to recover from if it goes wrong.

Some Rules Aren’t Set in Stone

Most of the time, the principle of least privilege, often expressed as need to know, is the right call: Give people the minimum level of access they need to do their jobs. With identity governance, though, you will probably need to be more flexible about how finely that minimum is carved up into roles.

It is common for one role to fit multiple employees, which means it will likely grant some rights that a given employee does not strictly need. Treat that as normal. The alternative is an individual role for each employee, assigned to that one person only, which removes the benefit of roles altogether.

A word of warning: If you are not flexible, you will create a great deal of work for yourself. I’ve seen companies with 3,000 users and 5,000 roles.
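The trade-off in the two sections above (mining candidate roles from the permissions users actually hold, then accepting some over-provisioning to avoid one role per person) can be made concrete. The following is an added example, not code from the original article or from any IAM product: it mines candidate roles from a small, constructed user-to-entitlement matrix, merges roles whose entitlement sets are similar, and counts how many entitlements that merging hands out beyond what people held before. All user, entitlement and function names are invented for illustration.

```python
"""Candidate role mining from a user-to-entitlement matrix, with the
over-provisioning cost of merging similar roles made explicit.

Added example; the users, entitlement names and numbers are constructed
for illustration and do not come from any real system.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample: entitlements each user currently holds directly in one
# target system (the raw material collected before mining).
USER_ENTITLEMENTS = {
    "alice": {"AP_VIEW", "AP_CREATE_INVOICE"},
    "bob":   {"AP_VIEW", "AP_CREATE_INVOICE"},
    "carol": {"AP_VIEW", "AP_CREATE_INVOICE", "AP_EXPORT"},
    "dave":  {"AP_VIEW", "AP_APPROVE_PAYMENT"},
    "erin":  {"AP_VIEW", "AP_APPROVE_PAYMENT"},
    "frank": {"HR_VIEW", "HR_EDIT"},
    "grace": {"HR_VIEW", "HR_EDIT", "HR_EXPORT"},
    "heidi": {"HR_VIEW"},
}


def mine_exact_roles(user_ents):
    """Strict least privilege: one candidate role per distinct entitlement set.

    Returns {frozenset(entitlements): set(members)}. Nobody receives an
    entitlement they did not already hold, but every small variation in
    access becomes its own role (the road to 5,000 roles for 3,000 users).
    """
    roles = defaultdict(set)
    for user, ents in user_ents.items():
        roles[frozenset(ents)].add(user)
    return dict(roles)


def jaccard(a, b):
    """Similarity of two entitlement sets in [0, 1]; two empty sets count as identical."""
    union = a | b
    return 1.0 if not union else len(a & b) / len(union)


def merge_similar_roles(roles, threshold):
    """Greedily merge candidate roles whose entitlement sets are at least
    `threshold` similar. The merged role grants the union of both sets to the
    union of both member lists, so it fits more people at the price of
    granting some of them rights they did not previously have.
    """
    roles = dict(roles)
    merged_any = True
    while merged_any:
        merged_any = False
        for a, b in combinations(list(roles), 2):
            if jaccard(a, b) >= threshold:
                members = roles.pop(a) | roles.pop(b)
                union = a | b
                roles[union] = roles.get(union, set()) | members
                merged_any = True
                break  # restart the scan: the dict changed under us
    return roles


def over_provisioning(roles, user_ents):
    """Total number of entitlements users would gain from their mined role
    beyond what they held originally. Zero means strict least privilege."""
    return sum(len(ents - user_ents[u]) for ents, members in roles.items() for u in members)


def covers_everyone(roles, user_ents):
    """Sanity check: every user lands in exactly one role that grants at least
    their original entitlements (merging must never take access away)."""
    seen = defaultdict(int)
    for ents, members in roles.items():
        for u in members:
            seen[u] += 1
            if not user_ents[u] <= ents:
                return False
    return all(seen[u] == 1 for u in user_ents)


def role_model_summary(user_ents, threshold):
    """(number of roles, over-provisioned entitlements) for a given merge threshold."""
    roles = merge_similar_roles(mine_exact_roles(user_ents), threshold)
    return len(roles), over_provisioning(roles, user_ents)


if __name__ == "__main__":
    for t in (1.0, 0.6, 0.3):
        n, extra = role_model_summary(USER_ENTITLEMENTS, t)
        print(f"threshold {t:.1f}: {n} roles, {extra} over-provisioned entitlements")
```

Lowering the threshold moves along the same curve the article describes: fewer roles, each fitting more people, at the cost of a few entitlements that some members never needed. Whatever threshold you pick, keep a check like `covers_everyone` in the pipeline, because a merge that silently drops access will surface as a stream of help-desk tickets on go-live day.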

Collaborate More

As you may have already discovered, you cannot do this project alone. Because the systems in question are already running and integrated into existing IAM solutions, you have to work with their owners in an organized way.

You will need to ask, and in some cases beg, the owners of managed systems such as SAP for access to their role definitions. This is like asking Gollum to hand over his ring. So be careful in this interaction: Explain that you are not trying to take their precious but are helping them better manage access to the asset.

Think Practically for Identity Governance

I have noticed that some failed strategies were doing well up to the moment when the key was turned for daily operation. The roles were well established, but the world does not stand still. Organizational changes, as well as systems arriving and leaving, made excellent work disappear.

Beyond access review, where you check who holds which permissions, establish a cycle of role review to confirm that each role still makes sense for the organization and is still sound from an information security standpoint. Nominate role owners who raise relevant changes or questions with the information security team.

Build Toward Separation of Duties

Closer to the end of your implementation comes the holy grail: separation of duties (SoD). Most project goals include achieving it, but sometimes we are so eager that the preliminary tasks are forgotten. Don’t let the final goal break everything. Be patient and keep calm. SoD success depends on a very good access model implementation: The conflicts you need to detect live at the entitlement level, so they are only visible if your roles resolve cleanly to the entitlements they actually grant.
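To show why SoD stands or falls with the access model, here is an added example (not code from the original article or from any IAM product) that evaluates toxic combinations over a small, constructed role hierarchy. It resolves each user's roles, including roles nested inside other roles, down to effective entitlements before checking the rules, and contrasts that with a naive check that only looks at directly granted entitlements. Rule, role, entitlement and user names are invented for illustration.

```python
"""Separation-of-duties (SoD) evaluation at the entitlement level across a
role hierarchy.

Added example; the rules, roles, entitlement names and users are constructed
for illustration and do not come from any real system.
"""

# Constructed toxic combinations: pairs of entitlements that must never be
# held by the same person.
SOD_RULES = [
    ("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"),
    ("AP_CREATE_INVOICE", "AP_APPROVE_PAYMENT"),
]

# Constructed access model. A role grants entitlements directly and may also
# contain other roles, whose entitlements it inherits.
ROLES = {
    "AP_Clerk":     {"ents": {"AP_VIEW", "AP_CREATE_INVOICE"}, "roles": set()},
    "AP_Approver":  {"ents": {"AP_VIEW", "AP_APPROVE_PAYMENT"}, "roles": set()},
    "Vendor_Admin": {"ents": {"AP_CREATE_VENDOR"}, "roles": set()},
    # inherits approval rights without naming them
    "AP_Manager":   {"ents": {"AP_REPORTS"}, "roles": {"AP_Approver"}},
    # a role that violates SoD all by itself
    "Finance_Lead": {"ents": set(), "roles": {"AP_Manager", "Vendor_Admin"}},
}

USER_ROLES = {
    "alice": {"AP_Clerk"},
    "bob":   {"AP_Approver"},
    "carol": {"AP_Clerk", "AP_Approver"},     # two clean roles, toxic together
    "dave":  {"Vendor_Admin", "AP_Manager"},  # conflict hidden behind inheritance
    "erin":  {"Finance_Lead"},                # conflict baked into one role
}


def direct_entitlements(role_names, roles):
    """Naive resolver: only what the assigned roles grant directly."""
    ents = set()
    for name in role_names:
        ents |= roles[name]["ents"]
    return ents


def effective_entitlements(role_names, roles, _seen=None):
    """Full resolver: flatten assigned roles and every nested role they contain.
    `_seen` guards against cycles in a badly modelled hierarchy."""
    seen = set() if _seen is None else _seen
    ents = set()
    for name in role_names:
        if name in seen:
            continue
        seen.add(name)
        role = roles[name]
        ents |= role["ents"]
        ents |= effective_entitlements(role["roles"], roles, seen)
    return ents


def sod_violations(ents, rules):
    """Toxic pairs fully present in one entitlement set."""
    return sorted((a, b) for a, b in rules if a in ents and b in ents)


def check_roles(roles, rules, resolver=effective_entitlements):
    """Roles that violate SoD on their own; fix these in the model first,
    otherwise every holder of the role shows up as a user violation."""
    bad = {}
    for name in roles:
        found = sod_violations(resolver({name}, roles), rules)
        if found:
            bad[name] = found
    return bad


def check_users(user_roles, roles, rules, resolver=effective_entitlements):
    """Users whose combined role assignments violate SoD."""
    bad = {}
    for user, assigned in user_roles.items():
        found = sod_violations(resolver(assigned, roles), rules)
        if found:
            bad[user] = found
    return bad


if __name__ == "__main__":
    print("roles violating on their own:", check_roles(ROLES, SOD_RULES))
    print("users, direct resolver:      ", check_users(USER_ROLES, ROLES, SOD_RULES, direct_entitlements))
    print("users, full resolver:        ", check_users(USER_ROLES, ROLES, SOD_RULES))
```

The naive resolver catches only the obvious case (two directly conflicting roles on one user) and misses both the inherited conflict and the role that is toxic by construction. That is the practical meaning of "SoD depends on the access model": if role mining left you with nested or overlapping roles that do not resolve cleanly, no rule set on top of them will give trustworthy results.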

Look to the Future

The future of access modeling looks good. New initiatives such as user-managed access (UMA) appeared in Gartner’s Hype Cycle for Identity and Access Management Technologies, 2015. Under the UMA specification, a resource owner sets the policy for a resource, and a requesting party gains access by satisfying the requirements that policy imposes. In other words, the system states minimum requirements that users must meet to gain access, instead of an administrator assigning them a role.

Imagine a world without roles, or a world where advances in cognitive computing let a computer evaluate access and roles for you. Future technologies may help, but you’ll need some kind of workaround for today.

Keep It Simple

Identity governance tools should be used to help you achieve your goal, not to explore every feature the product offers. Most of the time, the available features do not all fit your needs, yet some people believe they need everything working. If your roles are stable, you won’t need all these capabilities.

This should be your project vision: Keep it as simple as possible. Fewer roles lead to better management and operations. If some systems at your company are secondary, leave them for a second phase or keep them out of scope.

