Starting Your IAM Journey: A Practical Guide to Implementation Success

Part 2: Beginning the journey toward good Identity and Access Management (IAM) can seem overwhelming. However, with a structured approach and clear priorities, organizations can build a solid foundation for their IAM program. Here’s how to get started:

Begin with an IAM Assessment and Discovery
Start by understanding your current state. Conduct a comprehensive inventory of:
– Identity stores and systems
– Authentication methods
– Access management processes
– Privileged accounts
– Critical applications and data
– Manual processes and pain points
– Compliance requirements
– Security incidents related to identity

This discovery phase should also include interviews with stakeholders across IT, Security, HR, and business units to understand their challenges and requirements.

Define Your Initial Focus Areas
Rather than trying to solve everything at once, identify your highest-risk areas and quick wins:
1. Privileged Access Management (PAM) – usually the highest risk
2. Contractor/Vendor/3rd Party Access Management – often poorly controlled
3. Access Request and Approval Processes – frequent pain points
4. Password Management and Reset Procedures – immediate user impact
5. Joiners/Movers/Leavers Process – fundamental control requirement

Create a Realistic Roadmap
Develop a phased approach that considers:
– Resource availability
– Budget constraints
– Technical dependencies
– Business priorities
– Change management requirements

Your roadmap should typically span 18-24 months (36 months maximum) and be broken into quarterly deliverables, which prevents executive fatigue and realises benefits regularly.

Start with Foundation Building
Begin implementing basic controls and processes:
1. Establish a single authoritative source for identity data
2. Implement basic automation for user provisioning
3. Deploy multi-factor authentication for privileged access
4. Create standardized access request workflows (custom flows can be considered enhancements once a common approach has been established)
5. Develop basic access governance processes

Focus on Quick Wins
Look for opportunities to demonstrate value early:
– Automate password resets
– Implement self-service access requests
– Clean up inactive accounts
– Establish basic access reviews
– Deploy MFA for remote access

Build the Right Team
Ensure you have the necessary skills and resources:
– Dedicated program manager
– Identity architecture expertise
– System administration capabilities
– Process development skills
– Change management support

Establish Governance Early
Create the framework for ongoing program success:
– Form an IAM steering committee
– Define roles and responsibilities
– Establish key metrics and reporting
– Create policy frameworks
– Define operational processes

Manage Change Effectively
Remember that IAM is as much about people as technology:
– Communicate clearly and frequently
– Provide adequate training
– Address resistance proactively
– Show benefits to users and administrators
– Celebrate successes

Monitor and Adjust
Implement monitoring from the start:
– Track key metrics
– Gather user feedback
– Monitor security incidents
– Assess process effectiveness
– Adjust plans based on learnings

Starting your IAM journey doesn’t require solving everything at once. Focus on building a solid foundation, addressing high-risk areas first, and demonstrating value through quick wins. Remember that good IAM is an iterative process, and each step should build upon previous successes while moving toward your long-term goals.

Success in the early stages of your IAM journey comes from balancing pragmatic implementation with strategic vision, ensuring that tactical improvements align with your overall security and business objectives.

In the third part of the series, we discuss “Beyond Good IAM: Advancing to World-Class Identity Security”.