Client Solutions Advisor
Dusty Anderson is a client solutions advisor for Optiv’s identity and access management (IAM) practice. In this role she leverages her in-depth IAM experience to assist clients in developing comprehensive strategies and solutions to their real-world problems.
Customization of IAM Solutions: Risks of Having it Your Way
Forty years ago Burger King launched a revolution in customization, declaring that they could provide you the power of creating your perfect burger combo. Made to order, fresh, fast and no extra cost. The slogan “Have it Your Way” (replaced now by “Be Your Way”) has more than impacted our drive thru satisfaction, it has become a way of applying customization to anything and everything. However, I know the limitations of my BK order. I understand what BK offers out of the box/bag and what they are designed to provide. I know I cannot order a grilled salmon salad with champagne vinaigrette dressing on the side.
Similarly, we’ve come to expect ultimate flexibility from identity and access management (IAM) solutions because leadership, end users, or business processes push the “Have it Your Way” mentality. IAM solutions are designed with out of the box functionality that provides efficient processes and security best practices. Bringing the mindset of customizing everything into the IAM world holds several risks, for example:
- Customization of any IAM tool creates more work to maintain it, both short and long term;
- Costs money via resources and time
- Slows down application or system upgrades, as customizations have to be closely watched for code changes that could break
- Isn’t typically supported by the product vendor, so if you customize it and it breaks, it’ll be a costly fix
- Expanding any tool beyond what it was designed for puts your processes on thin ice. If Burger King did suddenly offer salmon, I wouldn’t take my chances
- The current processes may not fit well with the out of the box functionality, so “your way” should be evaluated before considering customizing the solution
The final risk is crucial for businesses to consider prior to implementing IAM solutions. When evaluating customizations, dare to ask “why?” There may be diagrams of current business processes, but why is it that way? Answers typically sound like something from the drive thru window - “The owner of this system left the company and didn’t document the process. Then the owner of the next system wrote a script and the reviewer wanted a report formatted like this. Then this manager wanted to verify or approve using X method, while another liked Y method better.” And so began the request for a Burger King solution, because everyone wanted it “their way.”
If this sounds like your culture or system complexity, look for the logic in the processes. To lead a successful IAM program, you’ll have to weed out the comfort of “that’s how it’s always been” vs. real system or process complexities. The goal should be a holistic, centralized solution with opt-in capabilities that focuses on solving the real pain points of all business lines in the best way possible and minimizes custom configuration. However, some scenarios may require more effort to fix, than can be resolved through a customized IAM solution. Remember that out of the box functionality is your friend, not your foe. As much as feasible to your business, try to mold your processes to fit the tool, not the other way around. Don’t be afraid to challenge the status quo, reducing the risk of creating a custom IAM burger recipe that will quickly lead you to timeline and budget heartburn.