Getting started with IAM pt. 1: How to approach an IAM initiative

Identity and Access Management (IAM) has recently undergone rapid adoption as organizations seek to enhance their security, compliance, and data privacy. 

The rise of cloud technologies over the past decade has made traditional perimeter-based cybersecurity strategies nearly obsolete, calling for a new approach to protect sensitive IT assets. For example, a recent study discovered that approximately 80% of all data breaches involve poor or reused passwords — a problem IAM is ready to solve.

Coinciding with new technologies is the explosion of non-human entities found throughout the modern enterprise, such as service accounts, bots, APIs, and IoT devices. Each of these entities requires access to internal systems while creating a new potential attack vector. The SolarWinds Hack exemplifies the risk involved with non-human entities and how enterprises often fail to mitigate these risks.

Additionally, organizations need an effective Governance, Risk, and Compliance (GRC) program to maintain compliance with new regulations and meet industry expectations. GRC and IAM are two distinct disciplines, yet they intertwine to create and enforce processes for the overall protection of the business.

IT security spending on IAM-related technologies and services reflects the growing interest and adoption of the framework. As a result, global IAM spending grew from US$12.04 billion in 2020 to US$19.02 billion in 2022, a 57.9% increase. 

Now, enterprises worldwide are considering adopting IAM. But how can your organization get started? How do you know the right time to begin? What’s the base starting point? Keep reading to learn the answers to these crucial questions to help you strategically approach IAM.

What Exactly is Identity and Access Management (IAM)?

Before we dive into how to approach IAM, let’s first define the term. IAM is not a technology but a framework of policies, processes, and technologies working together to ensure that only authorized people and non-human entities can access your systems and data — and that they’re restricted to only what’s necessary.

Generally, IAM is composed of five overall domains:

  1. Identification
  2. Authorization
  3. Authentication
  4. Accountability
  5. Access governance

It’s essential to view IAM as an overarching mindset rather than considering it as any specific technology. 

For example, multi-factor authentication (MFA) is often a core technology involved with IAM. However, as cyber attacks continue to evolve, so does the state of cybersecurity — which might mean new technologies beyond MFA in the future. Emerging technologies will still fall under the IAM umbrella if they are within one of the above domains.

Additionally, it’s worth highlighting that the IAM framework can also be applied to external identities, known as Customer Identity and Access Management (CIAM). We’ll be focusing on IAM today, but keep in mind that CIAM may be a necessary next step after IAM if it makes sense for your organization.

Start by Embracing the Right Mindset for IAM 

Before you start planning for IAM, you’ll need the right perspective about undertaking the initiative. The framework is not a one-off project with a clear start and end date but an ongoing lifestyle change that ripples throughout organization-wide processes, policies, and technologies.

You’ll still approach IAM similarly to other IT projects. Yet, the crucial difference is that after deployment, you’ll require ongoing support, evaluation, and evolution as your tech ecosystem and requirements change.

Due to the ongoing nature of IAM, it’s vital to have executive buy-in, practical tools and technologies, and skilled IT staff. Take the long-term vantage point and approach IAM tactfully to fully benefit from all it has to offer.

GRC is Not the Starting Point

A common goal of adopting IAM is to improve the GRC program, but don’t make the mistake of starting with GRC. You need to walk before you can run, and IAM is your first few steps.

GRC comes later after you’ve mapped out the right processes, data architecture, identity consolidation, and defined ownership over each. Make GRC your long-term goal to help focus on the business benefits of IAM.

Understand Your Business Drivers

You need the correct business drivers in place to develop, deploy, and maintain a successful IAM program. Building a foundation with the right processes, people, and systems will help you take those first few steps. Let’s review the critical business drivers to consider while you plan.

Data Architecture

Building and maintaining effective data architecture is a vital business driver for the overall success of IAM. IAM focuses on which identities can access your systems and data. Therefore, understanding and optimizing your IT ecosystem is essential to effective IAM.

Map out your complete data architecture, including all cloud platforms and other third parties with access to sensitive data. You must fully understand every IT asset in your organization and where your data lives.

Is data centralized or scattered throughout disparate systems? Evaluate opportunities to bring your data back into one place. Centralized data allows for more effective access management and reduces potential attack vectors.

Ownership

IAM is not just about technologies; it relies on effective and enforced processes and policies. Proper sponsorship is necessary for meeting these goals; otherwise, IAM will likely fail.

You need leadership and stakeholders aligned with specific aspects of IAM. So who will drive the initiative? A C-suite executive leading the charge will help keep IAM aligned with business objectives; Chief Technology Officer, Chief Information Officer, or Chief Digital Officer are common choices.

Workforce

Do you have the right teams in place to deploy and manage IAM technologies? Evaluate your current IT staff and determine if you’ll need to bring on specialists or identify opportunities for upskilling. 

You’ll also need to consider a GRC team accustomed to how to shape policies around IAM. This team will also need to understand how to use IAM to report required information to regulatory agencies. Existing team members will likely need additional training, or new employees will need to be added to the workforce.

High-Level Overview of Getting Started with IAM

Going from deciding to adopt IAM to deployment is a detailed, intricate process. First, it’s worth taking a high-level look at what you’ll be signing up for without diving too deep. We can split up the entire process into four overarching steps:

  1. Planning: All successful IT projects begin with thorough planning. Determine the technologies for user repositories (identity) and granting access to applications (access). Which authoritative sources can you use to build out your user directory? Which technologies can then enforce permissions and give access to systems? Planning also includes determining stakeholders and project managers and revising or creating security and privacy policies. You’ll need to find the answers to other important questions during the planning phase.
  2. Configuration: You’ll next need to configure your chosen IAM technologies to meet security policies and guidelines. Every app and system in your tech stack needs permissions mapped to new identities, while your access management system needs authority to grant, deny, and enforce these permissions.
  3. Deployment: You’re ready to launch once the technologies, workforce, stakeholders, and policies are all in place. Roll out in phases to catch any issues that were missed during configuration testing.
  4. Support: Be ready to train employees on using new tools, such as Single Sign On (SSO) and Multi-Factor Authentication (MFA). Train your help desk in managing user identities. Support also includes continually evaluating and evolving the IAM program as your ecosystem and needs change.

You can see how IAM is no small undertaking. However, you’ll improve security, data protection, and user management once deployed. In addition, integrating new applications, managing user permissions, and reporting compliance information will become significantly easier. 

Indigo Consulting is Your Partner in Tactfully Approaching IAM

Adopting IAM can provide immense, ongoing benefits to your organization. However, IAM must be approached strategically to become a successful component of your enterprise. Running full speed will create more issues than carefully taking your first few steps. Choosing the right partner to help your organization successfully build and support your IAM program is important.

Indigo Consulting is an industry leader in helping organizations effectively embrace IAM. Our GRC experts and developers are ready to help you begin your IAM journey. Ready to begin? Contact our IAM experts today to get started.

Read the other blogs in this series

Interested in learning more about Agile Development for IAM Solutions? Download our eBook today!