AmeriGas: Five Lessons Learned for an Effective Identity Deployment
Whenever I’m at a conference (and I sure hope they return soon), I always seek the sessions led by end-users. Minute for minute, these talks tend to be the most information-dense. During Navigate 2019, I had the pleasure to attend Christopher Martin, identity and access security manager at AmeriGas, presenting on the propane company’s IdentityNow deployment. His talk certainly did not disappoint. We covered their success story in great detail in our post from last fall, With SailPoint, AmeriGas Moves Identity to the Cloud.
That case study is worth your read. However, as I was reading my notes from the presentation, I realized Martin delivered a wealth of advice in the form of lessons learned during their identity implementation. I found these lessons too valuable not to share.
As part of his presentation, Martin offered lessons he and his team gleaned from their SailPoint deployment. These lessons would be of help to any organization currently looking to embark on their identity deployment.
Here are the lessons learned for an effective identity deployment:
Plan for adequate levels of training
According to Martin, relying upon on-the-job training wasn’t adequate for his team. He explained that to get the team rapidly up to speed, it’s crucial to take advantage of IdentityNow training made available. “There are multiple tiers of [IdentityNow] training available, and I plan to send my team to them as they become available. We want to know how it works in even more depth,” Martin said.
The more thoroughly the identity team is trained, the more rapid and smooth the deployment and management will go.
Find the right implementation partner
With a tight five-person team, Martin knew to try to complete the deployment on their own would not have been ideal. “A lesson for us was that we absolutely needed an implementation partner. There are five of us. We’re lucky to have five people on our team, yet it just would not have been possible for us to do our regular day jobs concurrently with our deployment. There is no way we could have gotten to where we are without such support,” he said.
Plan beyond the initial deployment
While most organizations that embark on their identity implementations plan for their initial deployment, many neglect to consider the ongoing operations. Martin detailed how the initiative required more operational maintenance than they initially expected. That’s not just because the program must be maintained over time, but also how much more they wanted to get out of SailPoint. “We want to keep pushing things forward. There’s a desire to keep refining old roles, creating new roles, and adding new things, and the need arises,” he said.
It’s not that the maintenance tasks are time-consuming or difficult. The efforts tend to add value to the organization. “It turned out to be more than we planned for because we didn’t realize that we would be doing as much as we are with IdentityNow this quickly,” he said.
Line up your application security expertise
Martin advises organizations to team with their internal application security experts early in the process. “You have to get your application security expertise lined up,” he said. “I’m grateful that the application security team reports to me. If that wasn’t the case, I think we would have spent much more time going back and forth between teams. Because, as we progressed, we found that we needed expertise in many different applications, including SAP, Microsoft Exchange security, Active Directory, and others,” he said.
Scripting for success
Martin explained, as part of their testing applications for provisioning, his team began to test every application that fell under Sarbanes-Oxley, as well as within a number of their Active Directory groups. It was proving time-consuming. “It took a while because we had to develop scripts that would complete the connection. Fortunately, we have several people on our team who are very good at scripting,” he said.
For any organization getting ready to deploy, they must get the right workflows in place and be prepared to create the scripts they’ll need to succeed. As Martin explained, none of these tasks are especially difficult or expensive to perform individually: they’re not. But to have a fruitful beginning, it’s important to know what to be ready for and how to prepare best the resources that will be needed to succeed.