MythBusters: Debunking Five Common Identity and Data Management Myths
April 17, 2019
Because there are many moving parts to an Identity and Data Management (IDM) programme, a handful of common misconceptions exist around staff, cost and scope. Believing these misconceptions can lead you down the wrong path. This blog digs into and debunks the five most common myths surrounding IDM.
Myth 1: An IDM programme should be highly customised.
Truth: If you adopt the Pareto Principle, 80% of the functionality in the deployment should be out-of-the-box features.
IDM can sometimes be a complex facet of an organisation’s security structure. Access requirements change with every business decision, creating identity and credential mapping changes as well. So, while IDM is essential, it can be challenging to implement. Policy design, role-mapping, identity and data controls, planning and operations need to be well thought out before an IDM can be deployed.
Adding customisation to the already complex nature of an IDM programme isn’t always the best route to take. While there is a place for it, more customisation does not necessarily equal better functionality in an IDM programme. Investigate “out of the box” solutions to save time and budget. If someone already has an answer that is proven, take advantage of that data. Define the areas of your programme that need to be customised and justify why. And remember not to assume that more is better – often this is not the case. Every organisation has its own set of goals and business objectives, yes, but when it comes to identity and data management, the concerns are often the same. Out-of-the-box functionality can reduce complexity, time and money.
Myth 2: IT teams cannot support IDM evolution.
Truth: IDM could play a pivotal role in a wider digital transformation strategy for your organisation.
A business-first approach, involving representatives across all parts of the organisation, reduces risk and protects sensitive data. Involving all departments in the programme planning, seeking ongoing input, and keeping stakeholders informed of strategy and tool changes before implementation ensures cooperation and buy-in. Listen to and obtain input from the business owners within your organisation.
Do not be in a hurry – you cannot solve every problem at the same time. Starting with an assessment, workshop and roadmap strategy, prioritise and define short- and long-term milestones. A gradual implementation will help you identify gaps as well as support the evolution of your IDM strategy. By delivering incremental business outcomes, stakeholders will understand the value more quickly. Security and IT staff will have time to become proficient and knowledgeable enough to properly build out the IDM programme. And remember, IDM deployments are never finished. IT and digital transformation initiatives are constantly evolving, creating ever-changing identity requirements.
Myth 3: When company data/IP is on-premise, a project-based IDM is sufficient.
Truth: Project-based IDM equates to getting manually provisioned access for projects. Successful IDM deployment is not a project; it’s an ongoing journey.
Data is exploding, especially unstructured data. Data is created faster than we’ve ever experienced, and it resides in more places and is accessed by more people, in more ways, and on more devices than ever before. On top of this, data, user access requests and the current network state all change at a faster rate than we’ve ever witnessed. Once any new system (cloud-based or on-prem) is introduced, human error occurs and, inevitably, some individuals will have unauthorised access. The more unauthorised user access, the greater the risk. This could be catastrophic, especially for more regulated organisations (financial institutions, healthcare, etc.) where access to all systems must be tightly controlled.
Project-based manual provisioning contributes to potential user error and greater risk. To help mitigate this risk, organisations can implement auto-provisioning tools, time-limited access to data and file permissions. Strike a balance between allowing necessary access for employees to do their jobs, whilst staying within the confines of compliance and regulation requirements, as well as being aware of personal privacy issues. From there, tackle more advanced strategies and controls.
Myth 4: Identity is solely an IT function.
Truth: Identity impacts an entire organisation. Therefore, the responsibility for protecting it is cross-departmental.
While IT is heavily involved in managing access to information, organisations must recognise that people are data custodians and must understand the data’s purpose and use. Many times, personal data falls under the human resources umbrella. While IDM programme management and protecting data integrity are indeed IT functions, the responsibility for ensuring that appropriate access is allowed and that accurate data is provided falls to business units and the data owners. The information about who has access to what comes from the managed systems and controls users’ access within a system.
For the IDM system to provide a single view of an individual’s allocated access, the business alignment of this data and the regular sharing of accurate, up-to-date and consumable data feeds are required. Alignment allows business owners to regularly recertify all access and ensure they understand and approve all user access levels to the data for which they are responsible.
Myth 5: Employees should be the only consideration when creating an IDM strategy.
Truth: Third parties (contractors, vendors and customers) and applications need access to company assets. You need to think far and wide when it comes to identity and data access.
In today’s global digital economy, more and more companies rely on outside collaboration. Often these less security-minded third parties require access to specific data to complete the work they are assigned, and – as non-employees – they aren’t part of internal HR protocols. So how do you prevent a breach?
First, take stock of your assets. Your organisation should have an in-depth understanding of the data (structured and unstructured) and services (on- and off-prem) that you need to protect. Second, identify how and by whom those assets will be accessed. Policing this access with similar tools to the ones used for employees, such as time-limited access and file/folder permissions, will allow access only to the information needed for a specific time frame.
While IDM can be challenging, taking a hard look at common misconceptions can remove roadblocks that could cost you time and money. Having the facts also allows your organisation to be strategic, simplify and save time and money on your IDM programme.