Top 10 IAM Tips

1. Don't start by looking at technology solutions. The first step is to understand your business needs and establish how far down the road you need to go - one size does not fit all here. Ensure that the various phases of your IAM project are tied to quantifiable business results.
2. Review risk and policy. Conduct a thorough review of business risk factors and existing security policies before beginning to spec an IAM system. A solid base will enable a measured and realistic outcome. Check that internal policies and department responsibilities are correct and up to date, as minor organisational changes can render them obsolete.
3. Check your manual identity processes. Ensure that your existing manual processes are right and that they work. Establish from the first what problem you are trying to solve, and ensure that the processes you are automating and streamlining actually fit the bill. Simply automating failing processes will result in an expensive volte-face in the future.
4. Don't rush in. Successful IAM implementations can take up to three years - don't try to cut corners, as clearing up the mess afterwards may be difficult and protracted.
5. Don't bite off more than you can chew. If there is an existing business case for a small, localised implementation, gain an easy win with that first, rather than taking on a major task straight off. An early win is essential to ensure buy-in stays strong.
6. Work together. Co-operation is the key to a successful deployment, and getting the right people across the business on board is essential. Involve application owners, executives and marketing personnel as well as end users. Also be very sure that you have executive-level buy-in, and that you keep it that way. A siloed approach will not succeed.
7. Educate, educate, educate. Provide targeted education to both users and IT staff, as with any major IT project, and ensure that regular refreshers are scheduled.
8. Pay attention to maintenance. An IAM system needs regular maintenance to keep pace with standards and product updates, internal technical changes and process optimisations. In addition, business realignments will require the responsibilities and other requirements that the system encodes to be reassessed.
9. Complexity can be deadly. Match protection to your environment, and be sure that the problems you are seeking to solve are clearly quantified. Excessive complexity will result in a system that will alienate users and IT alike - so don't use a hammer to crack a nut...
10. Future-proof your plans. Don't fall into the trap of vendor lock-in, and look for the most flexible solutions. The best will allow future integration without too much pain. Also be wary of too much detail in a tender response - is it likely that all that time and effort is just for your benefit?
CASE STUDY
Irish Life & Permanent is Ireland's largest life assurance company, and also provides personal financial services. The company has grown rapidly, both organically and through acquisition, and as a result the organisation's 5,000 staff faced a wide range of systems, user IDs and passwords.
Alongside a variety of other IT-related changes, it was decided that there was a requirement for enhanced security and simplified passwords for a specific user group of around 1,800.
Aaron Slater, IT manager, Irish Life, explained: "The staff in the branch network were dealing with several different systems on a daily basis and needed to keep track of a combination of IDs, which was becoming a bit of a burden."
The solution needed to be transparent to the end user and easy to use, as well as automating logon and managing password changes and error conditions for a variety of application types.
Slater continued: "We looked at a variety of solutions, some of which were more practical than others, including password synchronisation." Of the 12 market candidates approached, eight presented proposals, and from those, two companies were asked to arrange site visits to existing customers. Passlogix was judged the winner of the beauty contest, with its single sign-on VGO 5.03 SP12 product.
Stephane Fymat, VP strategy and product management, Passlogix, said: "Our product has been resold by IBM and Sun and white labelled by Oracle. In the past, BMC and Citrix have also resold it, while RSA's Sign on Manager combined other technology with it. Lesser-known benefits include account reconciliation and true visibility across the enterprise about who is using what, and when, useful when planning other IAM projects."
Slater said: "A key point in Passlogix's favour was that no changes to the backend were required, and the system is pretty transparent to the end users, so minimal training was required - only one person per branch was trained."
On the actual day of migration, all of the branch staff came in 15 minutes earlier than usual to register, and most were positive about the new system, according to Slater. "Staff are certainly more efficient, and the overall environment is more secure, as passwords are now randomised. We've found the whole implementation to be pretty bullet-proof."
Slater summarised the experience: "There's a certain amount of due diligence when adding new applications to a system of this type, and some can be easier than others. For example, web apps aren't all built with single sign-on in mind, so might have the same logon and logoff URLs, and these don't work well. We built a separate test area to ensure that there were no major problems, and this has stood us in good stead. Any changes to any of the products in the system could change the reaction of the single sign-on component, so you need to maintain close relationships with the various developers."