Identity and access management (IAM) is fast securing its position as a cornerstone of information security, with many businesses recognising the potential benefits of an effective IAM programme in terms of cost savings, better service levels, tighter IT governance and improved regulatory compliance. However, appreciation of the concept itself has not yet translated into practical adoption of IAM across the board. A recent survey by Gartner showed that three quarters of companies still have no major technical IAM implementations underway. We speak to Tony Ball, senior VP of sales for Identity and Access Management at HID Global, about how a sensible approach to IAM can deliver maximum value.
BCW: What are the main barriers to IAM adoption?
TB: Wide-scale implementation of IAM is still being hindered by misconceptions. Some false but common assumptions are that it’s a technical rather than a business process challenge and that it is expensive and difficult to implement.
BCW: How should organisations approach IAM?
TB: IAM should be approached in the same way you would approach any other business challenge. First of all you need to be very clear on the challenges you are trying to address and your end goals. It’s important to match the needs of your organisation with those of your end users – whether internal or external.
An IAM solution should be appropriate to the level of risk for your specific company. Many organisations make the mistake of over-investing in areas where people actually need very simplistic access rights to log on to a network or to enter a door. At the other end of the scale, a trader conducting a multi-million-dollar transaction will certainly require multi-factor authentication to do so.
When considering any large-scale deployment, it also makes sense to look at a converged solution for both your physical and logical access. This means employees have a single device that gives them access to the office building, as well as convenient and secure access to the corporate IT network.
Typically, organisations will have already invested in physical access control and have some form of access rights management in place. The challenge is to bring logical and physical security together through combined technology rather than starting from scratch when faced with the task of tightening logical security.
BCW: Who within the organisation should be involved in an IAM implementation?
TB: At the early planning stages, it’s vital to involve the people who deeply understand the business challenges, making sure that you’ve got the support you need from the top down. Typically, this group will include executive stakeholders from IT, compliance and legal.
A key part of securing buy-in from the business users themselves is to make sure that all stakeholders understand the IAM business benefits and the associated business risks of not implementing IAM. A common misconception is that IAM is viewed as a ‘technical exercise’ only. This kind of misconception makes it harder for non-technical stakeholders to engage with the programme.
BCW: What is the biggest barrier to IAM success?
TB: Commonly, the biggest barrier to achieving a successful IAM implementation is a cultural one. Getting people to change their behaviour and getting your organisation aligned behind the business goals is not a straightforward process. For business areas outside of IT, IAM can often seem like a complicated and nebulous area with intangible benefits.
BCW: How can organisations ensure their employees embrace IAM?
TB: One of the key challenges with any IAM implementation is to educate key stakeholders in your business about what IAM is and why it is important. The best way to get people engaged is to start small. Think about using a pilot-type approach with a particular business area. It’s far easier to gain people’s trust and support through getting a functional system in place than trying to deploy a large-scale system straightaway. Once the system is up and running and adding value to the way you do business, the chosen department can then act as evangelists to the rest of the company.
BCW: Are there any other technical challenges organisations need to consider when deciding to roll out IAM?
TB: One significant challenge is having multiple identities for the same user. If employees are using several identities to access information stored in multiple locations, it can be complicated to bring this information together into a single format once systems are combined. Compliance can also present some thorny problems. New regulations – particularly in healthcare and government sectors – require that data must be accessed from information systems according to strict guidelines.
In these times of telecommuting, another challenge is that employees are now as likely to be mobile as they are to be office desk-based, and are therefore accessing information in multiple locations using methods including credentials, PDAs or mobile phones. Furthermore, the global nature of many organisations means that any IAM system must be implemented in multiple locations, time zones and languages.
BCW: How long should an IAM implementation take?
TB: This really depends on the size of the organisation and the complexity of the solution being introduced. It is important to be realistic about your timeframes: a proper IAM implementation takes longer than most people think. This makes it very important to establish achievable milestones.
BCW: So if an organisation takes all the advice you have given, what kind of benefits can they expect to see?
TB: A converged solution enhances efficiency by streamlining user access to physical and IT resources, which reduces help desk calls. Better access management translates into improved security and enhanced compliance with various regulatory requirements since users only access the resources they are authorised to, and no more. Properly implemented, IAM can simultaneously strengthen the security of your physical assets and your data, while making it far easier for users to access the information they need.
BCW: What kind of ROI can organisations expect from their IAM investment and how can this be measured?
TB: This really depends on your original business objectives; you need to monitor the improvements that you make by measuring your problems today and use these same indicators to measure the benefits. For example, if your goal was to reduce the number of helpdesk calls your company receives, reduce the costs of security breaches or to lower your number of compliance breaches, you should start by comparing post-IAM-implementation numbers to historical measurements of these things.
BCW: Do you have any final piece of advice?
TB: I think the best advice I can give is not to bite off more than you can chew. If you can be disciplined enough to walk before you run, you will see tangible improvements where risk evolves into reward and convenience ultimately replaces frustration.