
Gartner: How to succeed at identity and access management

By Ron Condon, U.K. Bureau Chief
30 Mar 2009 | SearchSecurity.co.uk


Few other sectors of the IT security market can match identity and access management (IAM) in its track record of failure.

Certainly, the case studies that showcased IAM systems at the Gartner IAM Summit in London on March 23 and 24 were all still "works in progress," with the full benefits of their IAM frameworks still to be reaped at some point in the future. No one claimed to have a full working system up and running that delivered a high value to the organisation.

And yet, as one Gartner Research analyst, Tom Scholtz, reminded the audience, identity -- specifically knowing who is on a given network -- is the "cornerstone" of any security architecture.

The problem was tackled head-on in one talk entitled "Why your IAM project is doomed to failure," given by Perry Carpenter, a research director for Gartner. Carpenter formerly worked for Wal-Mart Stores Inc., as well as a telecommunications company, and brought with him practical experience of the difficulties IAM projects can encounter.

Carpenter said one of the big mistakes is to think that IAM is just a technology project. Companies, he said, tend to rush to choose a technology product without first considering the business context. They suffer from what he called "the tyranny of the urgent." Those projects were almost doomed to fail because they did not take into account business requirements and other teams involved within the organisation.

He compared IAM to the plumbing in a house. If you take time to plan it before starting the installation, then you will end up with a better system. But too many companies rush to build a system and end up having to make constant changes as problems arise.

Companies that change the scope or direction of their project mid-way through the programme are also doomed to fail, he said.

So what do you need to make a success of IAM?

Most of the success factors are the kind of things that "make IT professionals cringe," Carpenter said. For instance, it is essential to have effective governance throughout the project, with a proper steering committee that includes not just the IT department, but also representatives from HR, marketing, legal and all other affected sections of the organisation.

Strong channels of communication need to be established with each of the stakeholders, and regular scheduled meetings should be held to report on successes, and even failures.

He also urged IT people to tailor their language according to the person they are talking to. For instance, finance will want to know how IAM will save money on provisioning, while marketing will be interested that IAM will get new staff working more quickly, and help control the use of customer data.

"You need to learn how to put yourself into a political environment," Carpenter said. "It may be boring, but you'll have to get good at it."

According to the analyst, those relationships need to be made before any technology product is chosen, and they will determine what kind of approach, if any, is adopted.

Once the decision is made to go ahead, then make sure you develop before-and-after metrics to show success. "Also, develop milestones that will demonstrate benefits early and often," Carpenter advised.

That means prioritising and going for some easy wins early on, rather than trying to go for a giant all-encompassing implementation. For instance, if you can introduce password self-service early, and thereby show a reduction in help desk calls, he said, that will show a swift and tangible benefit.

Carpenter also advised that IAM should be integrated into the general software development lifecycle so that it becomes part of any upgrade or rewrite of systems.

And while IAM may eventually deliver real and tangible benefits to the organisation, Carpenter warned against making any firm prediction about the return on investment before the project. That would just raise false hopes, he said, and might be too difficult to prove.

Organisations fearing their IAM project will run over budget and over time may care to take up the challenge of one brave Massachusetts-based software supplier, Courion Corp., which is now offering to install its IAM system for a fixed price, and in a guaranteed timescale. Courion's U.K. country manager Stuart Hodkinson accused many systems integrators of overcomplicating IAM projects and stretching projects out in order to maximise their revenues.
