Vote For IAM!
by Paul Jones, Technical Manager
PathMaker Group
I’m your IAM program and I approve this message.
We have been bombarded by political ads of late, but there are lessons to be learned from these political campaigns. There are many reasons why Identity and Access Management (IAM) initiatives tend to fail. Treating your IAM program as if it were running for office can give you a much better chance of success.
Vision & Beliefs
Create your program vision with guardrails for how to focus your program. What are the drivers for this program? Where do your priorities lie between security efficiency, security effectiveness, and business enablement? Develop a high-level roadmap with the initial problems you want to solve.
Garner Support From Your Constituents
Meet with business leaders, architects, and organizations across your company to go over your IAM program roadmap and get feedback from them. Doing this will expose your program to new perspectives and will highlight opportunities that are mutually beneficial. It also gives the project visibility and gets the business involved. Ask them how they want to receive project status updates, so they stay informed and involved.
Campaign Promises
With the new insights you have gained into the various business units' needs, create some program KPIs and metrics. Exploit the pain points of the stakeholders to show value beyond your security directives. Here are some examples of metrics:
- Account and access provisioning time and resource cost:
  - Number of requests that were auto-provisioned vs. manual provisioning tasks or service request tickets
  - Average completion time of manual tasks vs. automated tasks
  - Number of resource hours spent on manual provisioning vs. automated
- Delays on zero-day access:
  - Days after hire until birthright access is automatically granted vs. manually requested and granted
- Costly and difficult application integrations:
  - Number of systems integrated
  - Average number of days to onboard an application
- Audit certification process being tedious and expensive:
  - Number of resource hours spent on administration of certifications
  - Average length of time to complete reviews
  - If access is revoked, how long it takes on average for the access to be removed
- Attestation risk:
  - Time to have access removed and accounts disabled for departures and scheduled terminations
  - Time to have access removed and accounts disabled for an immediate / unplanned termination
- Inherited access:
  - Access and accounts removed as part of a mover lifecycle event
- Orphan accounts:
  - Number of human accounts with no owner
  - Number of service accounts with no owner
- Dormant accounts:
  - Number of accounts which haven't been used in a reasonable period
  - Number of accounts disabled / deleted by the non-use policy process
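As an added illustration (not part of the original article), the sketch below computes three of the metrics above, orphan accounts, dormant accounts, and time to disable accounts after planned vs. unplanned terminations, from an account inventory joined to an HR termination feed. All records, field layouts, and the 90-day dormancy threshold are constructed assumptions; the article only says "a reasonable period".

```python
from datetime import date
from statistics import mean

TODAY = date(2024, 11, 1)   # constructed "as of" date
DORMANT_DAYS = 90           # assumption: the article says only "a reasonable period"

# Constructed account inventory: (id, type, owner, last_login, disabled_on)
ACCOUNTS = [
    ("jdoe", "human", "E100", date(2024, 10, 30), None),
    ("asmith", "human", "E101", date(2024, 6, 2), date(2024, 6, 10)),
    ("blee", "human", "E102", date(2024, 8, 30), date(2024, 9, 2)),
    ("cwu", "human", "E103", date(2024, 9, 30), None),
    ("tmp-kiosk", "human", None, date(2024, 3, 15), None),
    ("svc-backup", "service", None, date(2024, 10, 31), None),
]
# Constructed HR feed: employee id -> (termination date, planned?)
TERMINATIONS = {
    "E101": (date(2024, 6, 7), True),
    "E102": (date(2024, 9, 1), False),
    "E103": (date(2024, 10, 1), True),
}

def orphan_counts(accounts):
    """Enabled accounts with no owner, split into human and service."""
    counts = {"human": 0, "service": 0}
    for _id, kind, owner, _last, disabled in accounts:
        if owner is None and disabled is None:
            counts[kind] += 1
    return counts

def dormant_accounts(accounts, today=TODAY, max_idle=DORMANT_DAYS):
    """Enabled accounts not used within max_idle days."""
    return sorted(a[0] for a in accounts
                  if a[4] is None and (today - a[3]).days > max_idle)

def deprovision_lag(accounts, terminations):
    """Mean days from termination to disable, planned vs unplanned,
    plus accounts of terminated owners that are still enabled."""
    lags, open_ids = {"planned": [], "unplanned": []}, []
    for acct_id, _kind, owner, _last, disabled in accounts:
        if owner not in terminations:
            continue
        term_date, planned = terminations[owner]
        if disabled is None:
            open_ids.append(acct_id)  # terminated owner, account still live
        else:
            key = "planned" if planned else "unplanned"
            lags[key].append((disabled - term_date).days)
    return {k: mean(v) if v else None for k, v in lags.items()}, open_ids
```

Accounts of terminated owners that are still enabled are returned separately instead of being averaged in, since an open-ended lag would otherwise hide behind a good-looking mean.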
Congrats! Armed with your vision, roadmap, and metrics, you won your election bid. Now go on your re-election campaign tour. Like listening to the polls, continually measure the impact of the program. Communicate your successes. Become your own marketing department. Go to town halls, tech talks, team meetings, or wherever you can talk about the status of the projects and what is up next.
You have my vote!