There's no need to go back over the need for protection against cybercrime - everyone knows it's crucial. The number of cyberattacks continues to rise, year after year, and no sector is spared.
However, one area remains poorly addressed: employees and their accounts, that is, identities and access. Why is this? Because for many years it was not considered a potential vulnerability. Today, companies are realizing that this point needs to be addressed, but since it's not a blocking factor either, they're putting it off...
When I talk to IT decision-makers, I often hear:
- We have to anticipate new arrivals many weeks in advance, with mediocre results: a lot of back-and-forth with managers and human resources, and not all the software is ready on D-day.
- Offboarding is either not processed, or is processed on a bi-annual basis by cross-checking the HR and IT files... A long job.
- Setting up an IT IAM project is often on the drawing board, but it's terrifying because it's seen as too complex, time-consuming to implement, costly and requires setting up a team to manage the project.
Despite these misgivings, an identity & access management project is seen as a necessary step towards strengthening corporate security.
Before getting started, if you're not very familiar with IAM, I suggest you take a look at this article.
What are the requirements for a successful IAM project?
Before looking at the imperatives for a successful project, I suggest you take a look at the 7 pitfalls to avoid when setting up an IAM solution.
You may hear or read as #1 involving HR, but the most crucial aspect is not the involvement of third-party departments, but the involvement of the IT department in the first place. If you don't have a core group of people who believe in and are committed to the IAM project, the rest won't work, no matter how committed and well communicated the others are.
The decision-makers, the people who will validate the project, are not always the platform users. It's the latter who must be motivated AND interested in the project, and it's through them that everything will be built.
It's also crucial that the people in charge of the project are familiar with the company's issues. This will make it easier to determine which workflows need to be set up and which pain points need to be resolved.
Even if the skills aren't there at the outset (everything can be learned anyway), the team in charge will quickly get to grips with the platform and start using it (hence the importance of not choosing something technically off-putting). If you want to recruit the right skills, you're going to face a real difficulty (shortage) and, above all, the person who arrives won't have a detailed knowledge of the company, which can also be a disadvantage.
The service provider should therefore provide support on the access management platform at the start of the process, as well as assistance and customer service.
Of course, it's crucial that another person understands the operation, principle and basic use of the platform, so as to be able to replace the main person in the event of illness, leave or departure.
At the time of departure, it will take several days for the two people to carry out a proper handover.
Involve HR and explain the benefits internally, especially to managers
In 2nd place, I'd put the involvement of the company's various departments. Indeed, an identity management project is a decision that will have a major impact not only on IT, but also on other departments, HR and managers in particular.
Does their degree of involvement in the project have to be the same as that of IT? Clearly not. For HR, the benefits of an IAM are clear: saving time, better communication with IT and easier onboarding, which will increase the satisfaction of new arrivals. The aim is to reassure them from the outset that their HRIS will be involved in data sharing. IAM should be seen as a way of simplifying users' lives.
At Youzer, as with other providers, the strength of the platform lies in the primary integration of two elements: HRIS and AD or similar. This is how you'll find your users and their accounts in the same place. It's easy to see why HR might be afraid to share their information. Make sure your service provider is GDPR compliant. Youzer, for example, is read-only on the HRIS, and you define which fields you want to appear in the IAM solution.
So don't hesitate to communicate clearly with other departments, so that they too can understand the difficulties IT may encounter in managing users, accounts and corporate security.
Managers will also benefit from this, as they will be able to enter the newcomer's information via a form, and thus have all accounts ready for his or her arrival. They will also be able to define with IT which software package applies to their team. Time will be saved, and satisfaction and security will improve.
Defining your objectives: requirements and pluses.
As we saw in the previous section, one of the sticking points can be the personalization of the IAM project. So set precise, realistic objectives. Above all, don't set objectives that are of no interest to anyone. Your users, HR departments and IT departments have specific needs. Ask these people, see what they need and base your project and objectives on these precise requests. This will prevent you from spreading yourself too thin. This is especially important in your processes and workflow creation.
- I need to find all my users and accounts in one place, and in a legible way
- I would like to know the status of my IS, what are my current licenses, my active and inactive accounts...
- I'd like to secure my IS and therefore combat ghost accounts (active accounts of users who have left) and user rights misalignments.
- I would like to save time and resources when creating and suspending accounts.
- I need to connect SaaS and on-premise software
...
Prioritize your objectives. For example, knowing who has what is at the top of the list, whereas checking the alignment of rights, which is more detailed, may be a medium-term objective.
You can even send feedback to the service providers you have in mind, asking for their opinion on the feasibility of your project.
When making this list, try as far as possible to keep to the 'identity and access management' mindset. Don't add bricks that fall outside the strict IAM zone, as this will prevent you from looking for the 5-legged sheep. A small example: SSO is an IAM brick, but it's not indispensable; it's a plus that many would like, but it's not part of IAM in the strict sense. A specific SSO solution is going to be superbly good, ergonomic and powerful in terms of SSO connections and security. In the same way, an IAM solution is going to be highly specialized in the management of users and their accounts. An IAM and SSO solution will find it hard to push both technologies at the same time and offer an ergonomic solution. It's a bit like a washing machine-dryer 😂 a good idea on paper, but more disappointing in real life! They're expensive, consume a lot of water and energy, take much longer to dry and wash than on dedicated machines, and don't always give the best results (damp laundry) - but they do the job!
Then list the pluses. Things you'd like to do but can't do right now.
Don't hesitate to break down your objectives into stages if they seem too complex. This will have a double impact: small tasks are easier to achieve, and the resulting quick wins will motivate your teams and give you immediate feedback.
A long-term vision
When you buy an IAM solution, it's rarely to solve a temporary problem and then discontinue the solution. If this is the case, it's because you haven't fully understood the benefits of an identity and access management solution.
This means thinking through the project, the objectives, the solution and the relationship with the service provider over the long term. You also need to be aware of the termination conditions in the event of an unsuccessful outcome. Even so, you should know that even if you can leave quickly, you'll be well into your processes with the solution. You'll have invested time, energy and understanding.
See if you feel comfortable with it, if it evolves regularly, if requests are taken into account, etc.
A good relationship with your service provider
This may seem secondary, but you won't be able to integrate the solution on your own unless the solution allows it and you're particularly comfortable with the technologies used.
Generally speaking, support is essential. You need to know what support you will receive, how responsive it is, and what answers you get to your questions. This is something to be assessed in the initial contacts and, if there is one, during the POC.
You need to feel comfortable with your provider. If you're interested, here are a few points to help you choose your IAM provider.
Do I need to set up an IAM project team?
My colleagues and I have often heard prospects come in and tell us about the IAM project, the project team... and so on.
We're a little surprised to find that identity and access management is often seen as a major project, when in fact it really depends on the way the company operates and the timescales required for implementation. It can be managed in project mode, but it's also perfectly realistic to simply implement IAM without too much complexity in product mode.
What will make the difference is the way the company operates (and not its size, although that does play a role). If a company has heavy processes, it's normal to work in project mode. On the other hand, a company with a flexible DNA can implement the solution in a matter of hours.
So what can be done about it? Normand's answer: it depends 😄
- If you choose a SaaS solution and use it as a SaaS solution, in just a few minutes you can connect your Active Directory (or any other account database) to your HRIS. This gives you a clear list of your users and their AD accounts. Then connect all your software as you go along (between a few minutes and a few days if connectors have yet to be developed). In the space of a few hours to a few days, you'll already have your main software and significant information feedback. You will then familiarize yourself with the platform to create your account creation and suspension parameters, your registration forms, authorizations, alignments, etc. But if you are working in Agile mode, the first sprint has been completed and you can already manage your accounts and users.
- If you opt for an on-premise solution... it becomes longer and more cumbersome. You have to implement it on your servers, configure it, organize updates and so on. This usually takes several months.
- Finally, if you opt for a SaaS solution and your processes are a little long and complex, it's possible to start with a POC. Larger companies generally implement IAM for some of their users. This allows them to test the solution, processes and user feedback before rolling it out across the whole company.
What next?
Why do we need to continue promoting the identity and access management project once it's up and running? To win over users and reassure sponsors, it's important to talk about the project once it's been implemented.
- You had realistic expectations and so you made realistic proposals 😉 the first figures of which you are communicating internally.
- You've set objectives, and you're answering them objectively: what's in place, what's underway, and what hasn't yet been done or is causing difficulties.
- You will show the initial impact that the user account management solution has had on the company (onboarding figures, time-saving figures, reduction in errors, reduction in shadow IT risks, etc.).
It's important that the enthusiasm of the first few weeks doesn't fade. It's important to set targets for the year, so that a routine is in place. If the decision-makers are not the regular users, it's important that frequent updates are made so that the work of the users is highlighted and that they are motivated to succeed.
An IAM solution also means information feedback, so don't leave it in the solution: process it. IAM consolidates your HR and IT data.
→ Got ghost accounts? Clean them up.
→ Do you have orphan accounts? Reattach them.
→ Got unused licenses? Stop them.
In a word: clean!
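The clean-up above, sketched as an added example (not Youzer's code or API): a small Python reconciliation of an HRIS export against an account export that lists ghost accounts, orphan accounts and unused licenses. The CSV columns, the sample rows, the 90-day idle threshold and the reading of "orphan" as an active account with no matching HR record are assumptions made for the illustration.

```python
import csv
import io
from datetime import date

# Constructed sample exports (assumed columns), not data from the article.
HR_CSV = """employee_id,name,end_date
E001,Alice Martin,
E002,Bruno Leroy,2024-03-31
E003,Chloe Petit,
"""
ACCOUNTS_CSV = """login,employee_id,enabled,last_login,license
amartin,E001,true,2024-06-10,office
bleroy,E002,true,2024-03-29,office
cpetit,E003,true,2023-11-02,crm
svc-backup,,true,2024-06-11,
jdoe,E999,true,2024-06-01,office
cpetit-old,E003,false,2022-01-15,
"""
SAMPLE_TODAY = date(2024, 6, 15)  # fixed date so the result is reproducible


def reconcile(hr_csv, accounts_csv, today, idle_days=90):
    """Cross-check active accounts against HR records."""
    hr = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    ghost, orphan, unused = [], [], []
    for acc in csv.DictReader(io.StringIO(accounts_csv)):
        if acc["enabled"] != "true":
            continue  # already suspended: nothing to clean up
        person = hr.get(acc["employee_id"])
        if person is None:
            orphan.append(acc["login"])  # no HR owner: reattach or justify
            continue
        if person["end_date"] and date.fromisoformat(person["end_date"]) < today:
            ghost.append(acc["login"])  # user has left, account still active
            continue
        # Current employee: flag a paid license that nobody is using.
        last = acc["last_login"]
        idle = (today - date.fromisoformat(last)).days if last else None
        if acc["license"] and (idle is None or idle > idle_days):
            unused.append((acc["login"], acc["license"]))
    return {"ghost": ghost, "orphan": orphan, "unused_licenses": unused}


if __name__ == "__main__":
    for kind, items in reconcile(HR_CSV, ACCOUNTS_CSV, SAMPLE_TODAY).items():
        print(kind, items)
```

Service accounts such as `svc-backup` show up as orphans by design: reattaching them to a named owner is exactly the review the list is meant to trigger.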