In this chapter
- Learn why it is important to have a strategic roadmap
- Review suggestions about how to assemble a steering group and develop the roadmap
- Explore ideas for training, communication, implementation, and measurement
Table of Contents
- Identity Moves to the Center of Security
- The Power of Identity Governance
- Identity Governance in Action
- Identity Governance and the Cloud
- Building your Strategic Roadmap
- Selecting the Right Partners
A strategic roadmap can help you present to the organization your vision and goals for identity governance. It gives you a vehicle to identify needs and prioritize projects. It can guide you through the initial implementation, and provide a basis for adjusting plans when new opportunities and challenges arise.
In this chapter we give you advice on developing a strategic roadmap. We also explain why activities like training, communication, and measurement should be continued over time.
Assemble the Team(s)
The steering group
Identity governance cuts across every function and every business unit in an enterprise. It is also constantly evolving to support new business initiatives and to respond to new cyber.security threats. For these reasons, most organizations need a core group that works as a long-term steering committee to assess business needs for identity governance, set priorities, develop a roadmap, build support throughout the organization, measure progress, and periodically update the roadmap.
The steering group should include representatives from:
- Top management (an executive sponsor)
- IT management (ideally a CIO or CISO)
- Security and IT operations teams
- Legal and audit or compliance staffs
- Major business units (senior executives)
The steering group needs business knowledge to set priorities and justify programs, as well as technical expertise to under.stand how identity governance can support various business initiatives and security needs.
The steering group must include an executive sponsor and senior executives who have credibility and clout. These business leaders will play an indispensable role in explaining to managers, supervisors, and employees why their active participation in identity management processes is so important for security and productivity.
The European Union’s General Data Protection Regulation (GDPR), which takes effect in 2018, requires enterprises to designate a data protection officer (DPO). The DPO is responsible for ensuring compliance with rules related to privacy and controlled access to personal information. If your organization already has a DPO, you should have that person participate in, or possibly lead, your identity governance steering group.
Individual identity governance projects should have their own project teams. In addition to selected members of the steering group, these teams should include:
- Business managers from the groups directly affected by the project
- IT administrators and application owners
- HR managers
- Helpdesk staffers
People in these roles understand how employees work, what computing resources they need to do their jobs, where they are struggling with identity processes, and the potential impact of the program on security and productivity.
If you have only one identity governance project going at a time, instead of creating separate project teams, you can expand the steering group with appropriate temporary members during the life of each project.
Another reason for having business managers play a major role in the steering group and on project teams is to promote business accountability.
Most managers assume that the IT staff “owns” identity management. Working on identity governance teams exposes them to the reality that only business users and application owners can fully understand what access employees need to do their jobs, and what policies and controls are needed to minimize risk. Help them understand that identity governance will only succeed when business people assume responsibility for managing user privileges and ensuring effective access control in their areas.
Assess Capabilities and Perform a Gap Analysis
To begin developing a strategic roadmap, you should assess your current identity governance solutions and processes, and measure them against desired capabilities.
Weaknesses in identity governance processes
Identify weaknesses in your current identity governance processes. Clues include:
- Processes that are manual, error-prone, and costly to administer
- Long wait times to provision and de-provision employees and contractors
- High volumes of service requests to technical support to provide access to resources and reset passwords
- High costs to prepare for audits, and failed audits
- Large numbers of orphan accounts, evidence of overentitled users, and accounts created outside of authorized processes
- Managers “rubber stamping” access and certification requests without considering real access requirements
- Inconsistencies across business units and geographies, indicating inadequate tools or poor training in some of them
Determine if upcoming business initiatives will place demands on identity governance solutions. Is the enterprise integrating its supply chain? Making greater use of contractors and virtual teams? Expanding into new product markets or geographies? Making acquisitions and integrating the acquired companies into existing processes? Will existing identity governance tools and processes slow down any of these initiatives, and can they ensure adequate security?
What requirements will be placed on identity governance solutions by planned IT projects, such as deploying mobile applications and making increased use of SaaS applications? Do new security analytics or incident response tools require identity information, and if so, are current systems able to provide complete, accurate data?
Build Business Cases
After you assess the weaknesses in your current identity gov.ernance solutions and determine requirements for upcoming business initiatives and IT projects, you are in a position to build business cases for individual projects. This boils down to estimating the value of each project, minus the cost of implementing and managing the solution.
In identity governance, most of the justification will come from four areas.
Reduced operational costs
Estimate the value of improvements such as:
- Automating processes for requesting, approving, and provisioning access rights
- Reducing technical support calls related to access issues and password resets
- Speeding up and simplifying certification processes
- Speeding up and simplifying audits
Improved employee productivity
Calculate the time savings for employees related to:
- Streamlining onboarding and provisioning
- Accelerating approval of new access requests
- Enabling employees to use self-service portals to request changes and resolve issues themselves
Reduced security risk
Project the probable decrease in the annualized loss expectancy (ALE)1 from data breaches resulting from:
- Fewer orphan accounts, overentitled users, and accounts created outside of authorized processes
- Faster deprovisioning of terminated employees and contractors
- Stronger and better-protected passwords
- Accurate and granular enforcement of security policies by MDM, DLP, and other security tools
- Faster detection and more accurate analysis of attacks by SIEMs and security analytics products
- Consistent operation of identity governance processes across business units and geographies
Faster delivery of value from business initiatives
Solid identity governance solutions can accelerate the roll out of business initiatives and IT projects. For example, they can make management more confident that it is safe to integrate business partners and virtual team members into corporate processes, and to allow employees to use more cloud-based services. You can approximate this benefit using cost of delay methodologies.
A SailPoint white paper offers detailed advice on justifying identity governance projects. You can obtain a copy at: Building a Business Case for Identity & Access Management. This note from industry analyst firm Gartner is a bit dated, but it includes useful suggestions on how to relate identity management to top business and technology priorities.
Create the Roadmap
Communicate your vision
Your roadmap should show when major identity governance projects will be started and completed, looking out 18 to 24 months. It should communicate your vision and business direction for identity management, and inform the organiza.tion when new capabilities will be available.
Plan to deliver value early and often
The project business cases you have built are important input for your roadmap, because they show which projects have the greatest potential benefits. However, when it comes to sequencing projects, you should consider applying Agile principles. In particular:
- Break projects down into increments that allow you to deliver value early, demonstrate initial successes, and build momentum (see the How to avoid big bang projects text box, below).
- Inspect and adapt: at regular intervals, solicit feedback, evaluate progress, and adjust the roadmap based on lessons learned and changed business needs.
How to avoid “big bang” projects
Many IT projects fail when organizations take a “big bang” approach, trying to roll out comprehensive, feature-rich solutions across the entire enterprise in one long process. It can take months or years to add features, configure workflows, set up accounts, and train hundreds of users. During that time the organization receives little or no value from the project, raising the risk that it will be cancelled due to lack of results.
There are several ways to break up mega-projects so they can begin producing value early, and so that organizations can learn from and build on the initial iterations:
- Launch a project in one business unit or geographical area, and gradually roll it out to additional locations
- Begin with a base set of features, and gradually add functionality that users need (but not bells and whistles that may have been available in the past but don’t produce real value)
- At first integrate with a limited number of data sources and applications, and then gradually add new connectors
Train and Communicate
Identity governance solutions affect managers on a regular basis, and touch almost every employee. Yet in most organizations, very few people outside of IT have any appreciation for the importance of identity governance. Not surprisingly, they also have little patience for using identity governance tools the way they were designed. For these reasons, training and communications need to be a central part of your organization’s identity governance strategy.
Consider providing training at three levels:
- Everyone in your organization needs to understand its policies related to identity governance, their own responsibilities for following approved procedures, and the possible consequences of ignoring or circumventing the rules.
- Managers and supervisors need to be trained on how to use the organization’s tools for requesting and approving access, and for reviewing and certifying entitlements.
- Security and IT operations staff need training on identity governance tools, and how to work with managers and employees to ensure that policies and procedures are followed.
Do not focus identity governance training only on “how to.” It must give equal emphasis to “why.” Employees, managers, and even IT staff should understand why it is important to use strong passwords, resist the temptation to approve access rights “just in case they might be needed someday,” pay close attention to certifications, and refrain from circumventing standard processes and creating unneeded superuser accounts.
Training is available from identity governance solutions vendors and consultants. There is even an organization that offers courses for a security professional to become a Certified Identity and Access Manager (CIAM)®. However, for employee training, you should consider developing your own instructors, or creating custom online courses.
Build a communication plan into your roadmap. Communication serves to:
- Let people know what to expect
- Reinforce training
- Increase acceptance and enthusiasm by promoting identity governance successes inside the organization and at peer enterprises
Don’t think of communication as a one-time task to announce your identity governance strategy. It should be an ongoing program to build awareness and active participation over the long haul.
Consider communication in broad terms. It’s fine to start with an official announcement and an article in the company news.letter. But how about creating a message forum on your internal portal to keep people informed? Could you send e-postcards or start a blog to give advice and communicate progress? Is there a file share or wiki where you could post materials so employees and managers can educate themselves and find success stories? Why not be creative and produce videos that dramatize the need for data security and identity governance?
Implement and Measure
We mentioned earlier that you should break projects down into segments so you can deliver value early, demonstrate initial successes, build momentum, and adjust the roadmap based on lessons learned from the initial efforts. To do this successfully, you need to measure progress and solicit feedback.
Measurement should be tied to the business cases you developed as part of the strategic roadmap. For example:
- If you justified projects based on reduced operational costs, then measure savings from automat.ing processes, reducing technical support calls, speeding up certifications, and simplifying audits.
- If you justified projects based on employee productivity, then measure times required to onboard new employees and approve access requests, and track the percentage of requests handled through self-service.
- If you justified projects based on security, then measure the reduction in orphan accounts, the speed and completeness of deprovisioning, and the reduction in security events detected.
You can also track employee and manager satisfaction with identity-related processes. This exercise will give you early warning signals if user confusion or apathy are threatening the success of your programs. It will also give you valuable information on how to refine and improve your identity governance solutions and processes.
To optimize the value of user input, combine online surveys, which are fast, inexpensive ways to reach large audiences, with selective one-on-one interviews that go into depth. Another technique is to create “user councils” so you can obtain employee feedback throughout a project.
Maintain the Momentum
An identity governance strategic roadmap should plan explicitly for the long term by allocating resources for:
- Ongoing planning, training, communication, and measurement
- Upgrades to the software tools and integration with new applications
- Support for new business initiatives and IT projects currently on the horizon, or as yet unknown
- The ALE is the probability of a breach during one year multiplied by the likely cost of the breach.
You might also be interested in:
Find out how SailPoint can help your organization.