Senior Director, Strategic Consulting and Access Management
Janel Schalk is the senior director of strategic consulting and access management for Optiv’s identity and access management (IAM) practice. In this role she focuses on building client and vendor relationships, providing strategic oversight to engagements, and building excellent teams through people leadership for North America and India based consultants and managers.
What to Consider Before Starting an IAM Initiative
Anytime an organization implements a new solution or program, there are a number of things to understand and prepare in order to maximize success. Identity and Access Management (IAM) initiatives are complex and can have some of the largest organizational impacts of any program or service at a company. IAM programs involve people, processes and technologies from across the business. This includes Human Resources, IT, users to audit and more. IAM integrates with other systems and applications through connectors to databases, aggregated flat file feeds, APIs and opened tickets.
Many things are necessary to be successful in an IAM system implementation. Below are some key areas to consider prior to the start of your IAM project:
- Define your application landscape. What applications does your organization currently have on premise? What about in the cloud? Do you provide software as a service (SaaS) to any business partners or clients?
- Define your data classifications. What types of data are stored on your systems and in your applications? Do you house information you do not want your competitors to see? Are you an open book with no trade secrets or other confidential information to be concerned about? Do you have different zones established on your network for different data classifications? Do you now or will you in the future require multi-factor authentication for certain data classifications, zones or systems, and what drives these rules?
- Understand your risk tolerance. When thinking about enterprise or application roles, what is the organization’s risk tolerance for assigning access on a “fit the needs of the many, not the few” scale? If 70% of the users in Job Code 123 need access, should you give it to the other 30% and call it good? Not all access or information needs to be locked down to the nth degree, and security should be balanced with accessibility in accordance with your risk tolerance.
- Know your vendor relationships. Does your organization have strong allegiance to particular vendors or strong aversion to others? Do you prefer boutique products or industry giants? Do you have established sales and support contracts with certain vendors?
- Know your existing IAM landscape and licensing obligations. Do you have an existing IAM solution that supports some or all of your user population and application landscape? What functionality does that solution support? Does it have any of these capabilities: user lifecycle management, single sign-on, federated sign-on (service provider or identity provider), password synchronization, self-service password management, elevated account password vaulting, AD bridging, elevated account session management, certifications, role based access control on applications or across the enterprise, reporting or other functions? Do you have existing contractual obligations relating to licenses on your IAM solutions that may preclude you from implementing a new solution right away?
- Understand your prioritization. Does your organization have key pain points that it needs to address that may be prioritized over other pain points? Has Privileged Access Management (PAM) been identified in an audit, but you’re getting by on your existing provisioning processes? Are you changing your business model, becoming a service provider to other organizations, therefore making federation the most important?
Ultimately, assessing your organization and its needs upfront is vital to ensuring that the appropriate projects and products are selected and implemented and that value is being provided to the business as a whole.