Do you want to successfully plan and deploy an identity and access management (IAM) program? If this is your goal, then ignore your multiple stakeholders at your peril. Yes, the challenge of stakeholder engagement can be daunting. After all, the various stakeholders across an enterprise bring a range of diverse and divergent interests, capabilities, and values to an IAM implementation. These stakeholders all have significant, even if differing, interests in IAM. This is because IAM variously supports (a) rapid, dynamic growth within enterprises, (b) the expansion of boundaries to the cloud and mobile, and (c) the complex incorporation of multiple entities. As with most large-scale projects, it is worthwhile engaging with these stakeholder interests sooner rather than later.
Engagement will ensure that there is a clear perspective of stakeholder interests as your company develops its IAM strategy. It will also ensure that there is appropriate institutional buy-in across all business units. This buy-in is an essential element of a successful implementation process. Buy-in will be based on the engagement of coalitions of diverse stakeholders. These include not only those stakeholders with high influence and high levels of engagement (the “Champions”), but also those stakeholders who must be drawn into the process because they have low levels of initial engagement but significant potential influence (hence they are referred to as “Wild Cards”). Good stakeholder engagement with Wild Cards shifts them out of this category.
Good process, leading to a good understanding of stakeholder needs, will also help mitigate the risk that an IAM project will have more detractors than supporters as it is developed and deployed. A good stakeholder engagement effort will ensure a sufficient level of input: (a) from those with knowledge of the existing identity management related processes (from both a technical and business perspective), and (b) from those with decision-making authority to make changes to existing processes. Involving those with knowledge of the process without the ability to make changes may result in a plan that cannot be executed, while only including those with authority without the knowledge of what exists can result in aspirations without a plan of execution.
Early C-level engagement
Another point to keep in mind is that data security is now a “boardroom problem,” as executives are increasingly held accountable for breaches that damage their corporate brand. To put some hard numbers to this, the Ponemon Institute’s “2015 Cost of Data Breach Study: Global Analysis” puts the average cost per stolen record at $154, while the cost tops $300 per record in healthcare and education. If a third party is the cause of a data breach, the cost is pushed up an average of $16 per record. For example, US retailer Home Depot incurred a reported $232m in related costs, with a net expense of $132m after a $100m cyber insurance payout. This level of risk calls for a higher degree of C-level involvement. This involvement is best sought at the inception of IAM planning and deployment and not when things go awry.
It is clear that HR stakeholders represent a critical domain for engagement, with successful IAM systems supporting the frictionless onboarding and offboarding of employees (ensuring authorizations for employees are removed as appropriate). In this context, engagement with HR is frequently tied to discourse around role engineering that can help to simplify IAM program implementation. Such role engineering includes mapping access privileges to common business roles and identifying dead accounts, excessive privileges and redundant user groups. All of these can be significantly streamlined with automated processes that improve employee productivity and reduce helpdesk costs.
Good IAM processes and tools serve to enhance employee and customer satisfaction by letting users log in faster. These processes and tools also help users to be more effective by offering self-service for resetting passwords and updating user profiles – phone numbers, email addresses and other preferences. Automated self-service also reduces the cost of fielding IAM-related calls at the helpdesk.
Furthermore, IAM platforms can also provide invaluable information about how employees and customers have accessed applications – who logged in when and what data they accessed. Firms can use this information not only for security and forensics purposes, but also to understand usage patterns.
Compliance can be a driver for IAM success
IAM solutions are also essential for satisfying stakeholders responsible for auditing requirements. These stakeholder concerns include ensuring compliance with standards, privacy policy and legislation. Failure to ensure compliance can have devastating effects on business. For example, KuppingerCole senior analyst Matthias Reinwarth points out that the EU’s General Data Protection Regulation (GDPR), due to come into force in early 2018, “will be a massive game-changer for many organizations because they are currently not fulfilling many of the new requirements – particularly organizations doing customer identity and access management.” But used wisely, coping with compliance needs can be turned into an additional driver for the success of an IAM project.
It should be clear from the above that IAM should be embedded in business processes and the underlying policies stretching throughout all domains of an enterprise. Good practice offers clear suggestions on how to cope with the challenge of doing this, starting with gaining a clear understanding of stakeholder needs. In addition to this, good practice also argues strongly for the careful selection of an appropriate IAM strategy that includes all of the IAM building blocks: identity, authentication and authorization, where PlainID fits in perfectly.
PlainID works to simplify AuthZ to one point of decision, one point of control and one point of view, providing an elegant, agile, standards-based platform that lets business owners control and fine-tune access by providing a clear view and understanding of every authorization level. This facilitates and significantly eases engagement with the various stakeholders across an enterprise while also serving to mesh emerging authorization standards with existing technologies.
Furthermore, PlainID separates the business logic (the authorization policy) from the technical implementation, and it has a dynamic rule engine to “calculate” authorizations based on time, place, event and other attributes, thus making authorization smarter. Smarter authorization makes satisfying stakeholder needs simpler, faster, and less expensive, so enterprises can focus on their business.