Many are familiar with the popular television show Drive to Survive. For those who are not acquainted with the show, it is a behind the scenes look at the world of Formula One (F1) racing.
You may wonder what does F1 have to do with the Identity Access Management (“IAM”) space? There are many commonalities between the two, some more nuanced than others. The obvious parallels are:
1. They are in it for the long run. IAM is a program not a project. Formula One is a series with multiple races over the course of the year generating points toward a championship.
2. They require teamwork – an F1 requires drivers, engineers, pit crews and so on. A strong, mature identity team requires developers, analysts, and operations people. Each job has its own set of skills and lessons learned and must have the ability to work well with other groups within the larger team. Attempting to have anyone fill too many roles will lead to lower performance and static thinking.
3. They require Strategic and Tactical thinking. Any given F1 race weekend contains multiple mini events – practice rounds, qualifying rounds, and race day. Each phase lays a foundation for the next and consumes time and materials from a finite pool of resources. All of this is with the aim of contributing to the larger goal. A tactical decision that is solid in the moment can be catastrophic in the long run. Conversely a strategic decision that sounds good without the resources or support to make it a reality is a sure way to hit the wall. Sound familiar?
This brings us to less obvious similarities between F1 and IAM – the Drive to Survive. Every good team in any endeavor understands their success drivers.
F1 teams design their cars with success drivers in mind. Some teams are faster on the straight aways, others on the curves. Some focus on reliability and asset management to gain some points every race. Others win a big once or twice and seldom score the rest of the year. There is no wrong answer; it’s about the team’s personality and resources that establish their “success drivers.”
In the IAM world this means program business drivers. These drivers lay the foundation for what your program is all about and lead to the way you design your systems and processes, and prioritize your work. Without adherence to a driver focused program development, teams end up with an assortment of nice but disjointed features, a collection of unsupportable processes and conflicting priorities, which makes everyone unhappy.
What does a driver focused program management mean? In the Identity world, the primary drivers are Security, Compliance and Business Enablement. Each of these have variations and subsets but they boil down to one of the three. Each has arguments to support why they are number one.
• The business will say, “We should be the primary driver because we make the money”.
• Security will respond, “That may be true but we make sure we get to keep it”.
• Compliance will say, “We prevent regulatory fines and hits to stock prices”.
All three are correct and must be addressed in your program.
The way to a successful race is to identity your drivers, determine the value of each, spot the point of diminishing returns and establish a ranking system for each driver. When you have competing requests for your limited resources, a well understood prioritization tool allows you to focus your efforts and gives the customer a realistic view of the “finish line.” Attempting to make everyone happy at once leads to hitting a wall and losing a chance for a win.
So in conclusion, establish your drivers, start your engine, and enjoy the race to success!
https://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.png00Howard Mahoneyhttps://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.pngHoward Mahoney2022-12-01 09:33:102022-12-05 12:24:16Drive to Survive
Changing Identity Governance Vendors Can Be a Difficult Decision
Your organization has already spent a lot of time and money trying to make the current solution work. You’ve invested a lot to integrate the solution into your application environment. You’ve trained your IT staff and end users on how to use the solution and don’t want to face retraining them.
But some situations make it almost mandatory to change identity governance vendors. At the end of the day, this is a business decision based on the facts. You invested in your identity solution to
solve specific business problems, strengthen security and improve operational efficiency. If your current solution is not addressing these core needs, you need to move to a solution that will. How do you know when it’s time to make a change?
Your Return on Investment (ROI) is Unacceptable
When it comes to assessing the business value you’re getting from your current identity solution, don’t pull any punches. Take the time to compile a realistic measure of how you’re doing vs. your initial goals for the project. Many companies never get close to their original goals as identity programs get bogged down with cost, complexity and customization. Begin with simple metrics: How many applications are being managed by your current solution? Does this include all your missioncritical applications? Are you able to systematically provision birthright accounts, entitlements, and roles for every on-boarding user? Are you automating password management for the majority of your end user applications?
To get to the real ROI, you’ll need to dig a little deeper: What is the total cost of ownership of your identity solution system?
To calculate this, you should consider:
• Licensing costs
• Maintenance and upgrades
• Consulting fees
• Professional services
• Internal identity staff
What quantifiable benefits have you achieved? Consider areas such as:
• Lower cost of compliance
• Reduced IT and helpdesk costs
• Improved end user productivity
If you don’t know the answers to these questions, then it’s time to find out. Look at staffing trends, on-boarding and off-boarding metrics and compliance metrics. You’ll learn a lot about how your identity program is performing. Lastly, don’t forget opportunity cost. If you stay with your current identity solution and you’re unable to address pressing business needs, what is it costing you? Is the cost to renew, maintain and potentially even upgrade your existing solution higher than what it would cost to switch to a better alternative? Are there real benefits that you could gain by changing vendors; what are they worth? If your current identity solution is under-performing, that opportunity cost could be a very big number.
Your Current Identity Provider Has Been Acquired or is Merging with Another Company
While the announcement of a company acquisition or merger can be exciting for some, it often can bring a feeling of anxiety for a customer of either company. The future becomes unclear as to what will happen: whether either company’s product will be available or maintained, or if you’ll be forced to migrate to another product altogether. Your organization’s security shouldn’t be up in the air. If your current provider can’t tell you what’s happening in the next few months, how you’ll be supported as a customer, and what the merger means for both you and the product, it’s time to start looking for a more stable option
Your Current Vendor Doesn’t Provide the Integration and Innovation Needed to Future Proof your Identity Solution
While many vendors include a base list of third-party integrations and connectivity for their solutions, they can sometimes charge exorbitant fees for the development and deployment of additional integrations that you need for your identity governance program. Other vendors may leave you to your own devices, forcing you to have your own development team create a connection point and hope that it works successfully with your system. Does your current identity solution integrate with all of your key systems, applications, file shares and cloud infrastructures across your hybrid environment so that your business can take confidence in a complete identity governance solution?
You should also ask your existing vendor how important identity governance is to their product line and go-to-market strategy. Is it something that they are heavily invested in, or is identity governance just a small product line that is offered in addition to other products and services that take a higher priority in terms of development and innovation? Does your current provider have a laser focus and broad innovative view of what identity governance encapsulates including data files, RPAs/bot identities and a rapidly growing AI identity governance capability? Is this the solution that is going to take your organization into the future and feel safe getting there?
Your Existing Vendor is Forcing You to Migrate to a New Architecture
When your identity governance vendor has “re-architected” its solution and all future investment will be allocated to this new offering, it’s a tough dilemma to face. Unfortunately, implementing the new architecture will require an expensive and timeconsuming migration project. You will, in essence, have to start over: rebuilding and re-implementing functionality such as custom user interfaces, policies, workflows and resource connectors.
The reality is that migrating to your existing vendor’s new architecture will require a “rip-and-replace” of your current identity solution. Instead, reevaluate your options and make the best choice for your business going forward by not assuming the best decision is sticking with your current vendor. In many cases, you will be better off switching to an identity governance vendor with a proven product and satisfied customers, rather than risking your business on new architecture.
Your Vendor’s Customer Satisfaction and Retention Ratings Are Very Low
It’s important to remember that when you choose an identity solution, you don’t just buy a product, you buy a company. If you’re not getting the level of service you expect from your current vendor, the causes could be many. Perhaps your vendor is reducing its investment in identity governance in favor of other products in its portfolio. Maybe the vendor is overwhelmed with product quality problems or the company is suffering from internal issues such as high employee turnover or layoffs. Whatever the reason, the bottom line is that your vendor is not investing in your – or other customers’ – success.
You should broaden your perspective by doing some research on your current identity vendor. Talk to other customers that you’ve met at user conferences or trade shows and ask about their satisfaction levels. Make use of analyst firms like Gartner or Forrester. In the Gartner Magic Quadrant for Identity Governance and Administration (IGA), Gartner shares customer satisfaction ratings for the major vendors. To go deeper, schedule an analyst consultation and get more details about each vendor’s customer satisfaction and retention scores.
Bottom line: don’t accept poor customer support as the norm. Your company deserves better and other options are out there.
You Don’t Have Visibility into All Your Systems
Legacy identity solutions are limited in their availability to integrate with all the systems you use in the organization. In order for you to be the most secure and know exactly “who has access to what,” you need to implement a governance-based solution. This type of system can holistically see all data about your identities to make decisions easier, more efficient and most importantly, mitigate risk to the business.
Your Solution Has Been Moved to “End-of-Life” (EOL) Status
This may seem like a no-brainer, but it’s not uncommon for organizations to stick with an identity solution for months, sometimes years, after it has been moved to “EOL.” Many organizations are reluctant to sign up for the migration effort and are worried about business disruption. At the end of the day, though, you need to ask yourself: what is the strategic price you are paying to stay with software that has no future?
At a minimum, you’re giving up software updates and upgrades. Your software, which may already be a few years old, won’t keep pace with today’s changes. Identity requirements are constantly evolving, so how will you cope when your solution can’t manage cloud apps or unstructured data, handle mobile and social requirements, or meet new security and privacy mandates? At a more tactical level, to whom will you turn when your vendor no longer supports new releases of managed applications?
While you paid maintenance for all those years (and may still be paying for extended support), no one is going to respond to your requests for enhancement. While you may still get defect fixes, they will be few and far between.
The time to change is now.
Don’t let inertia keep you trapped in a sub-optimal identity program. It’s time to step forward with predictive identity governance solutions that can get your organization back on track. You can achieve big results that will improve end user productivity, strengthen compliance and security, all while reducing IT and helpdesk operational costs.
https://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.png00Howard Mahoneyhttps://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.pngHoward Mahoney2021-09-28 08:46:262021-09-28 08:48:31How To Know It’s Time To Change Your Identity Vendor
https://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.png00Howard Mahoneyhttps://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.pngHoward Mahoney2020-02-18 09:57:082020-02-18 10:28:477 Tenets of Successful IAM (webinar)
Strategic Identity and Access Management projects can be difficult and the new challenges with mobile, social, and cloud compound the problem. Protecting the perimeter is not enough anymore. Safeguarding identities are the key to a truly secure enterprise.
The industry has seen way too many train wrecks with IAM. To get beyond basic capabilities and really use IAM systems as a foundation for strategic IT, a company MUST take the time up front to consider the long-term plan. Near-term, immediate priorities can be solved with client-based single sign-on, basic provisioning, simple roles and audit reports. But with a short-term (and maybe short sighted) plan, a company can just as easily limit their ability to solve more complex problems.
IAM in the Cloud is all the rage in the press these days. Surely this approach will fix the problems! Although some aspects of managing an IAM solution can be improved by outsourcing the infrastructure, many other areas within the organization need to line up to make it work. IAM in the Cloud is no silver bullet. A company still has to fix broken business processes. Trying to define, streamline or automate these processes simply brings many current flaws into focus.
Foundational capabilities, architectures, and processes take time to get right. And even when you get it right, organizational adoption is not guaranteed. A company needs CIO-level support, a champion who really understands and advocates for improvement, and a support staff that can really execute to make it happen. And even when everything lines up, unfortunately we’ve seen management changes frequently upset a plan well before it takes hold.
Many companies may decide to choose a perceived safe route and hire the software vendor to also implement the solution. This can work, but we’ve also seen plenty of attempts end with less than stellar results. Does the vendor have a strong, proven implementation methodology, experienced architectural skills, long-term resource teams who have a history working well together? More often than not, a client expecting an experienced cohesive team ends up with a quickly assembled group of contractors from any number of staffing agencies. And even if a strong group of technical resources is assembled, they must also have the analytical skills to identify and solve broken business process issues.
PathMaker Group has been working hard as a systems integrator since 2003. Those early years we spent some time learning and shaping the way we approached these projects. The next few years we worked hard to hire, train and build a long-term staffing model. The last few years we have hit a stride where we have done some of the best work in our history. I would venture to say some of the best work in the industry. Our recent projects have been some of the most involved, complex, and yet still successful, in our ten years of helping our clients.
We have had our hands in almost every IAM vendor solution. These solutions continually evolve with the market and the needs of the customer. New vendor products continually emerge. These market leading products from SailPoint, IBM, Oracle, Centrify and others are extremely capable and complex. Staying current requires the committment to continually train our people. It takes significant investment to learn new vendor products, but this is what our customers require of us as a great partner with the right professional skills.
But implementation problems can occur even with good software solutions. Long-term planning, strong architectural guidance, proven implementation skills, a company champion with management backing these are all essential in the success of a strategic IAM program. If your company can get there, the benefits of a foundational, strategic IAM solution will be clear and your organization will line up to get on board.
The regulatory push toward formal recertification of entitlements and privileges finds many enterprises in new compliance territory. PathMaker Group Chief Architect Jerry Castille shares six critical best practices to ensure strong governance.
1) Identify Target Applications: Collecting an inventory of applications that fall within the scope of a certification campaign’s requirements is the first step in a successful certification process. This inventory will detail application information relevant to the execution of your campaign.
2) Gather Accounts & Grants: For each application identified, I work with your team to determine the optimal approach for the extraction of accounts and group/role memberships from each target. If necessary, we will work with your team to develop a process for the normalization of this data into machine consumable output.
3) Entitlement Definition Workshop: Using our guided workshop format, we will work with your team of application and business process owners to define the set of entitlements within each application that will need to be certified. At the end of these workshops, your team will be enabled to define and maintain an inventory of items within each application that require access certification.
4) Gather Authoritative User Data: At this step of the process, PathMaker works with your organization to identify the individuals that will be included in the certification process. This includes individuals whose access is being certified, individuals approving access, as well as system owners that will be approving accounts that can not be directly associated with a human user (orphan and service accounts.)
5) Import Campaign Data: All of the work up to this point has been to develop a reusable set of processes that can be re-used to facilitate the adoption of a robust enterprise governance product. During this step, import the data gathered during previous exercises into the PMG Certification Toolkit for analysis. Upon completion, execute your certification campaign.
6) Execute Campaign: Using the parameters defined during our workshop, a good toolkit will produce actionalble analytics for approvers and system owners within your organization. Participants will then “Certify”, “Revoke”, or “Modify” each entitlement that requires their approval. Once an approver completes their certification tasks, the data is imported back into the toolkit.
7) Measure Results: After importing analytics into the toolkit, a report is generated with any entitlements that will need to be revoked or modified. This report can be used by your organization to drive administrative activities required to remove any unnecessary entailments from your user population.
https://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.png00Howard Mahoneyhttps://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.pngHoward Mahoney2017-08-08 09:52:442017-08-08 11:21:07Recertification Health Check – 6 Steps
5. Robust Access Policies and Multi-factor Authentication (MFA)
Today you live with the risks of users accessing many more services outside the corporate network perimeter as well as users carrying many more devices to access these services. Users have too many passwords and the passwords are inherently weak. In fact passwords have become more of an impediment to users than they are protection from hackers and other malevolent individuals and organizations. In short, in many cases, passwords alone cannot be trusted to properly and securely identify users.
Consequently, you need a better solution that incorporates strong authentication and one that delivers a common multi-factor experience across all your apps — SaaS, cloud, mobile, and onpremises. The solution also needs to have access policies that take into account the complete context of the access request and helps to overcome these new security risks. In addition, you need the capability to establish flexible access policies for each app for more granular and adaptive control. For example, if a user is accessing a common app from a trusted device on the corporate network from his home country during business hours ,then simply allow him silent SSO access to the apps. But if that same user is accessing an app outside the corporate network from a device that is not trusted, outside of business hours, and from a foreign country then deny them access — or at least require additional factors of authentication.
Specifically, you need an IDaaS solution that ensures security authentication by combining multi-factor authentication (MFA) and rich, flexible per-app authentication policies.
Multifactor authentication methods should include at least:
• Soft token with one-button authentication to simplify the experience
• One Time Passcode (OTP) over SMS text or email
• Interactive Phone Call to the user’s mobile device and requirement for a confirmation before authentication can proceed
• User configurable security question to act as a second password
Per-app authentication policies should allow, deny or step up authentication based on a rich understanding of the context of the request based on any combination of:
• Time of day, work hours
• Inside/Outside corporate network
• User role or attributes
• Device attributes (type, management status)
• Location of request or location of user’s other devices
• App client attributes
• Custom logic based on specific organizational needs
https://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.png00Howard Mahoneyhttps://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.pngHoward Mahoney2017-05-02 07:48:372017-05-09 08:12:37Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 5 of 6
Mobile has become the de facto way to access cloud apps requiring you to ensure security and enable functionality of users devices. This includes deploying appropriate client apps to the right device and ensuring an appropriately streamlined mobile experience. Unfortunately, most existing Identity and Access Management as a Service (IDaaS) solutions fall short when
it comes to mobile support because they were built and architected before it became clear that mobile devices (smart phones and tablets) were going to become the preeminent means to access apps. Instead, they are very web browser centric—i.e. their mobile IDaaS experience just supports web-based apps vs. also supporting rich mobile apps and device security. They also
provide no means to ensure that the user’s mobile device is trusted and secure, and while they may provision a user in the cloud service, they ignore giving the end user the corresponding app on their device.
Consequently, you should look for an IDaaS solution that allows your users to enroll their mobile devices and deliver strong authentication mechanisms (using PKI certificates). The solution should let you apply mobile device-specific group policies to ensure the underlying device is secure (e.g., ensure that a PIN is required to unlock the phone, etc.), detect jailbroken or rooted devices, and allow you to remotely lock, unenroll or wipe a lost or stolen device. Once you associate the device with a user and can trust the device you can leverage the device as an identifying factor for the user in cases where additional factors are required for multifactor and step-up athentication.
The solution should also provide unified app management for both web-based and mobile client apps. This ensures that users are not left with partial access or access defined and managed in separate silos of access management such as separate mobile device management solutions (MDM). Both app and mobile management should share the same roles, identities, management tools, reports and event logs. This unification of mobile and app access management reduces redundant tools, processes and skillsets.
Mobile has quickly become the de facto way to access apps. Centrify uniquely unifies app and mobile access management.
https://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.png00Howard Mahoneyhttps://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.pngHoward Mahoney2017-04-27 12:39:582017-04-27 12:39:58Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 4 of 6
An IDaaS solution also needs to be flexible, providing robust access to corporate identities managed on-premises (e.g., Active Directory or LDAP), a directory service in the cloud for non-AD users such as partners or customers, and when appropriate, a hybrid of the on-premisesand cloud directories. This is in stark contrast to other startup IDaaS vendors who only allowyou to store identity data in their cloud directory. In order to leverage user data stored andmanaged in Active Directory, they first require that a portion of this data be replicated to their cloud and out of your control.
This cloud-only approach may not appeal to some organizations that — rightly or wrongly —
have concerns about losing control of the proverbial keys to the kingdom. Organizations may
also have reservations of creating another silo of identity to manage, unique security or privacy
concerns, or legitimate concerns about the long-term viability of the vendor.
To enable this “identity where you want it,” a well-engineered IDaaS solution should deliver
robust integration with on-premises Active Directory or LDAP, should support cloud-only
deployments consisting of non-Active Directory or LDAP -based user identities, as well as a
hybrid of Active Directory, LDAP, and / or cloud deployment.
Active Directory support should offer built-in integrated windows authentication (IWA) without
separate infrastructure and should automatically load balance and failover without any
additional infrastructure or configuration. Most importantly, it should not replicate Active
Directory data to the cloud where it is out of the organization’s control — even if you choose to
manage some of your users via a cloud model.
The diagram below shows the deployment options an IDaaS solution should support. As you
can see, this hybrid approach gives you the best of both worlds in terms of flexibility.
https://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.png00Howard Mahoneyhttps://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.pngHoward Mahoney2017-04-20 08:58:182017-04-20 09:13:55Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 2 of 6
Single Sign-On (SSO) is the ability to log into an app (cloud-based, on premises, or mobile app)
every time using a single/federated identity. For consumers this identity can be their social
media identity, such as Facebook or Google, while an enterprise identity is typically the user’s
Active Directory ID. Without SSO, users need to remember complex passwords for each app.
Or worse, they use common or easily remembered (i.e. weak) passwords. For users, the result
is a frustratingly fragmented workflow, which can include signing into dozens of different apps
during the workday. For IT, the problems of too many passwords, or insecure passwords, are
obvious—with a costly data breach ranking at the top among concerns. A properly architected
SSO increases both user productivity and corporate app security.
So what should you look for when deploying SSO? At the simplest, a solution should enable
you to improve end-user satisfaction and streamline workflows by providing a single identity
to access all business apps — whether the apps reside in the cloud, or on-premises behind
your firewall. It also needs to unify and deliver access to apps from all end-user platforms—
desktops, laptops and mobile devices.
In a properly architected system, once users authenticate by logging in with their enterprise ID
(e.g., Active Directory) they should enjoy one-click access to cloud, on-premises or mobile apps.
Remote access to on-premises apps should be just as simple as accessing cloud apps: without
requiring VPN hardware or client software. This type of SSO — using standards like SAML — will
not only reduce user frustration and improve productivity but also enhance security. Federated
SSO is better because it does not transmit the user name and password to the app over the
network, but instead sends a time-limited and secured token verifying that the user who
is attempting access is known and trusted. In addition, by eliminating the use of passwords
and their transmission across networks, you can reduce the likelihood of users locking their
accounts and calling the helpdesk, eliminate password risks such as non-compliant and usermanaged passwords, and make it possible to instantly revoke or change a user’s access to apps
without an admin having to reach out to each and every app.
https://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.png00Howard Mahoneyhttps://www.pathmaker-group.com/wp-content/uploads/2023/02/SimeioPMG_square.pngHoward Mahoney2017-04-18 08:21:582017-04-20 09:12:56Top Six Things to Consider with an IDaas Solution – Blog 1 of 6