Using an IAM maturity model to hone identity and access management strategy

Forrester Research’s Andras Cser discusses how to use an IAM maturity model to assess your identity and access management strategy.

Two of the most common questions we receive at Forrester are, “How are we doing as an organization compared to our peers?” and “What is the next step for us as we build out our IAM infrastructure and strategy?”

Answers to both of these questions are critical when recruiting or maintaining support for enterprise IAM projects from the CISO or CIO, but these questions can be hard to answer. That’s why many organizations look to maturity models: guidelines that enterprises can use to evaluate the organization’s current maturity and to build a comprehensive identity and access management strategy.

At Forrester, we’ve created an IAM maturity model that is effective and easy to use. The model divides aspects of IAM into three major domains: governance and value, access management, and identity management. Within each domain are evaluation categories that encompass people, process and technology, and the model easily scores each category by evaluating “yes” and “no” responses to specific criteria. (Scoring with other models where criteria are not clear has traditionally been a problem for Forrester’s customers.)

Governance and value focus on the organizational aspects and strategy of IAM

There can’t be a working IAM process without demonstration of the appropriate executive support, governance and business value. When evaluating the governance and strategy category, the model seeks to examine whether there is already executive sponsorship, and whether a well-defined IAM strategy already exists. Without this, organizations run the risk that IAM projects will be never-ending and will result in rework, confusion and battles between departments as to who should own IAM. Forrester recommends completing the maturity assessment at the beginning of the IAM projects and at least every year to update the company’s IAM strategy.

Every IAM project needs a business justification, so demonstrating its value will help convince naysayers of the importance of IAM. IAM is beneficial to the business because it allows the organization to reduce IT administration costs, improve security and achieve continuous and cost-effective compliance. Understanding current costs and blending those costs into the maturity model is critical to building a better IAM strategy and prioritizing areas. This category also evaluates how organizations are tracking call center metrics, IAM project costing and IAM-related employee and business partner satisfaction. The risks of failing to demonstrate IAM’s value include losing the attention of executive stakeholders and a future inability to secure funding for IAM.

Access management keeps your assets secure

Security concerns are one of the biggest motivating factors for IAM projects. Security and risk professionals need to make sure current and former employees, as well as business partners, don’t have access to sensitive information. Several areas therefore need to be included in the IAM maturity model to ensure access is secure across the organization. For example, the model evaluates desktop single sign-on (desktop SSO), which provides an easy entry point into IAM implementation. Desktop SSO requires no application customization and often provides support for password reset self-service, so many organizations start with this category. Without desktop SSO, organizations run the risk of users spending extensive time finding passwords, of providing diminished levels of customer service, and of paying excessive costs to integrate multifactor authentication with applications.

This domain also includes categories such as privileged identity management, which controls how administrators gain access to systems. Without implementing proper controls for privileged users, there is a risk of service-level degradation, audit remediation costs, developers accessing sensitive data, and disgruntled employees taking down the infrastructure and holding it hostage. This can happen when a system administrator leaves the company and no one else knows administrative passwords to domain controllers, UNIX servers and network equipment. The recent case of the rogue administrator for the city of San Francisco is a prime example.

Identity management helps with regulatory compliance and improves service delivery

Managing access recertifications and processes for employees who are joining, moving or leaving the company is important, not only from a security standpoint, but also from a compliance perspective. In fact, Forrester regularly hears from companies that can’t support their growth or M&A activity without the right blend of identity management services, such as provisioning, access recertification and job-role management. This means it is necessary to evaluate categories such as the directory infrastructure, password management, and job-role management. For example, appropriate password management can help eliminate the need for users to remember too many passwords, and reduce time wasted calling the help desk to reset a password. The risks of not having a robust password management infrastructure include too many unenforceable password policies, too many password change cycles and compromised passwords being hard to detect.

The goal of the IAM self-assessment is not only to benchmark current maturity, but also to gain objective input into which categories need the most improvement when updating an IAM strategy. Creating an effective IAM strategy can be relatively easy, as long as organizations follow key steps, like working on no more than three immediate, short-term IAM projects at one time, and evaluating and tracking IAM maturity every year.

About the author:
Andras Cser is Principal Analyst at Forrester Research, serving security and risk professionals. He will speak at Forrester’s IT Forum EMEA 2011, June 8-10 in Barcelona.

This was last published in June 2011
