Gaining buy in for implementing IAM is not a simple journey. It requires good knowledge of the generic benefits of IAM, but also a strong understanding of your business and the specific benefits they will see. You need to not just build a case at the outset but keep momentum up by delivering and communicating those benefits as you go.
When asked to do this article, I thought about what I wished I had been told in advance of implementing my first Identity and Access Management (IAM) Solution. What words of wisdom could I share for others setting out on this journey?
Firstly, make sure you understand the standard benefits of IAM:
· Introduction of Role Based Access Control: which business roles require what levels of access to which applications (think segregation of duties). This is the keystone to IAM, and must be delivered to get full benefit. But start small, and don’t try to map every role out to the Nth degree first.
· Simplification of Joiners, Movers and Leavers processes
· Control and governance of access provisioning with an audit trail
· Password policy enforcement
· User login / access experience improvement
Bearing these benefits in mind, each implementation of IAM is individual to each company, and it is not the answer for every company. Given the amount of effort required to just understand and standardise your business roles, you need to be sure you are going to achieve a substantial Return on Investment (ROI).
There are 5 considerations that I use to help ensure project success. If you can answer these questions with clarity and conviction, you have a great chance of implementing IAM successfully. If you cannot answer these questions, then spend some time analysing why you are trying to implement IAM. If you cannot deliver substantial ROI, then you need to spend some time on the groundwork before implementing IAM.
1. What are the benefits to your customers?
a. To answer this, you need to know your customer. To succeed in gaining buy in for your solution, you must demonstrate the positive impacts to their day to day. Provide real world worked examples of how things will be simpler, faster, and consistent going forward. Remember who you are delivering for and how you will remove their pain points.
2. How will you build momentum for the cause?
a. Don’t try to do everything at once, and don’t service all customers at once. Pick a friendly customer group with some smaller, simpler apps to work on first. To keep up momentum for what will be a tremendous effort, you need to have these benefits as your mantra, be able to articulate them to anyone without notice, and celebrate the success.
3. What is the scope of your project?
a. A common issue is the never-ending project. There are always more apps being introduced to an organisation, or changes in security models per app. So you must deliver a BAU process for managing these changes outside of the project: once you have delivered your proof of concept and your remaining scope (core applications per business unit), any other application changes, additions or deletions must be managed by a robust BAU process. Once people see the benefits, everyone wants on board. From the outset, you need to build a BAU onboarding process so that applications not included in your original scope can take advantage of the benefits the IAM solution brings.
4. How will you phase your delivery?
a. The phrase “there is only one way to eat an elephant: a bite at a time” applies. Think about how you can do a proof of concept with 1 simple application which has a small number of users first. Don’t go for the biggest bang for your buck first. You need to create a streamlined, simple process that is repeatable. You need to pick something easy to get you started to help build your migration process. Create your base role that can be built on (core applications that everyone has). You need to look at your application access and think about how you identify whether all users of the app need to be added to your IAM solution at once, or if it can handle migration of part of the user community. This determines your approach: by app, by role, or by business team.
5. Minimise Customisation
a. Keep your process as close to the out of the box functionality as possible. Challenge your sponsor to tell you why the standard model won’t work. Remind them that the more customisation, the more effort to support, and the higher the cost to manage longer term.
In summary, there is a lot to consider before you start your introduction of IAM. It is vital that you have commitment from application owners and senior management to introduce IAM. Without this, you will find your project starts to get derailed. Obstacles are raised by these very people as they feel control of their application slips away from them. The reality is that IAM will strengthen control, and improve user experience with single sign on. Show stakeholders and then lead them on this journey.