Succeeding with your IAM project: everything you need to know!

Published: 01/2021

Tips for succeeding in your project to implement an identity management solution that automates account creation across different applications.

Summary

There is no need to revisit the necessity of having protection against cybercrime; everyone knows it is crucial. The number of cyberattacks continues to grow year after year, and no sector is spared.

However, one area remains poorly addressed: employees and their accounts, that is, identities and access. Why? For many years it was not considered a potential weakness. Today, companies realize that this point must be addressed, but since it is not blocking either, it keeps getting postponed...

When I talk to IT decision-makers, I often hear:

  • We manage IT onboarding very poorly; we have to anticipate arrivals many weeks in advance for a mediocre result: many back-and-forths with managers and human resources, and not all software is ready on day one.
  • Offboarding is either not processed or processed biannually by cross-referencing the HR file and the IT file... A loooong job.
  • Setting up an IT IAM project is often on the agenda, but it is terrifying because it is seen as too complex, time-consuming to implement, costly, and requires the establishment of a team to manage the project.

Despite these reservations, an identity & access management project is seen as necessary to strengthen the company's security.

Before we start, if you are not very familiar with IAM, I suggest you take a look at this article.

What are the imperatives for a successful IAM project?

Before seeing what the imperatives are for a successful project, I advise you to take a look at the 7 pitfalls to avoid when setting up your IAM solution.

Define a person in charge of the project.

You will often hear or read that the number one priority is to involve HR, but the most crucial aspect is not the involvement of other departments; it is the involvement of the IT department in the first place. If you do not have a core team that believes in and is involved in the IAM project, nothing else will work, regardless of the involvement and communication of others.
The decision-makers, those who will validate the project, are not always the users of the platform. It is the latter who must be motivated AND interested in this project and it is through them that everything will be built.

It is also crucial that the people in charge of the project are familiar with the company's issues. This will make it easier to determine the workflows to implement and the pain points that must be resolved.
Even if the skills are not present at the beginning (everything can be learned anyway), the team in charge will take ownership of the platform and quickly use it (hence the advantage of not choosing something technically off-putting). If you want to recruit the right skills, you will face a real difficulty (shortage), and above all, the person who arrives will not have a detailed knowledge of the company, which can also be a disadvantage.

Support from the provider on the access management platform is therefore to be planned at the beginning of the process, as well as assistance and customer service.

Of course, it is crucial that another person understands the operation, principle, and basic use of the platform in order to replace the primary person in case of illness, leave, or departure.
Upon departure, several days will be required for the two people to carry out a correct handover.

Involve HR and explain the internal interest, especially to managers.

Secondly, I would emphasize the involvement of the company's various departments. Indeed, an identity management project is a decision that will significantly impact IT, as well as HR and management.
Should their level of involvement in the project be the same as that of IT? No, very clearly. For HR, the benefit of an IAM is clear: saving time, better communication with IT, and facilitated onboarding, which will increase the satisfaction of new hires. The goal is therefore to reassure them from the outset regarding data sharing, as their HRIS will be involved. IAM should be seen as a way to simplify the lives of users.

At Youzer, as with other providers, the strength of the platform lies in the initial integration of two elements: the HRIS and the AD or similar. This is how you will find your users and their accounts in the same place. It is understandable that HR may be afraid to share their information. Therefore, check the GDPR aspects with your provider. Youzer, for example, is read-only on the HRIS, and you define which fields you want to see appear in the IAM solution.

Therefore, do not hesitate to have a clear and educational discussion with other departments so that they also perceive the difficulties that IT may encounter in managing users, accounts, and company security.
Managers will also benefit because they will be able to enter the new arrival's information via a form and thus have all the accounts ready for their arrival. They will also have the possibility to define with IT which software package applies to their team. A gain in time, satisfaction, and security will be felt.

Define objectives: the imperatives and the advantages.

As we saw in the previous section, one of the points of friction may be the customization of the IAM project. Therefore, set specific and realistic objectives. Above all, do not set objectives that are of no interest to anyone. Your users, HR departments and IT departments have specific needs. Ask these people what they need and base your project and your objectives on these specific requests. This will keep you from spreading yourself too thin. This is especially important for your processes and the creation of your workflows.

Define your objectives
  1. I need to find my users and accounts in one place, in a readable way
  2. I would like to know the state of my IS, what are my current licenses, my active, inactive accounts...
  3. I would like to secure my IS and therefore combat ghost accounts (active accounts of departed users) and misaligned user rights.
  4. I would like to save time and resources on my account creations and suspensions.
  5. I need to connect SaaS and on-premise software

...

Prioritize your objectives. For example, knowing who has what is at the top of the list, while verifying the alignment of rights, which is more detailed, can be a medium-term objective.

You can even get feedback from the providers you have in mind to ask for their opinion and the feasibility of your project.

When you make this list, try as much as possible to stay in the spirit of 'identity and access management'. Do not add bricks that fall outside the strict IAM zone; this will keep you from looking for the impossible. A small example: SSO is an IAM brick, but it is not essential. It is a plus that many want, but it is not part of IAM in the strict sense. A dedicated SSO solution will be very good, ergonomic, and powerful in SSO connections and security. An IAM solution will likewise be very sharp in the management of users and their accounts. A combined IAM and SSO solution will have difficulty pushing the two technologies at the same time while remaining ergonomic. It's a bit like washer-dryers 😂: a good idea on paper but more disappointing in reality! They are expensive and consume a lot of water and energy, drying and washing take much longer than on dedicated machines, and the result is not always there (damp laundry). It's not optimal, BUT it does the job!

Next, list the 'nice-to-haves'. What you would like but is not an immediate imperative.

Do not hesitate to break down your objectives into steps if they seem too complex. This will have a double impact: you will achieve them more easily if they are small tasks (quick wins), and these quick victories will motivate the teams and give you immediate feedback.

A long-term vision

An IAM solution is rarely adopted to solve a temporary problem and then dropped. If this is the case, it is because the value of an identity and access management solution has not been well understood.

It is therefore necessary to think about the project, the objectives, the solution, and the relationship with the service provider in the long term. It is also necessary to know the termination conditions in case the results are inconclusive. Even so, be aware that even if you can leave quickly, your processes will be closely tied to the solution. You will have devoted time, energy and understanding to it.

See if you feel comfortable with it, if the evolutions are regular, if the requests are well taken into account, etc.

A good relationship with your provider

This may seem secondary, and yet you won't be able to integrate the solution on your own unless the solution allows it and you are particularly comfortable with the technologies used.

Generally, support is essential. It is therefore necessary to know the support, its responsiveness, and the solutions provided to the questions asked. This is something to evaluate during initial contacts and, if applicable, during the POC.

You need to feel comfortable with your provider. If you are interested, you can find some helpful points for choosing your IAM provider.

Is it necessary to set up a project team for IAM?

Whether it's my colleagues or myself, we have often heard prospects arrive and tell us about the IAM project, the project team, etc.

We are somewhat surprised to see that identity and access management is often considered a major project, when it really depends on the company's operations and the desired implementation timelines. It can be managed as a project, but it is also entirely realistic to simply implement IAM in product mode without excessive complexity.

What will make the difference is the company's operating mode (and not its size, even if it plays a role). If a company has heavy processes, it is normal to work in project mode. On the other hand, a structure that is flexible by nature can implement the solution in a few hours.

So concretely, what is possible to do? A Norman's answer: it depends 😄

  • If you choose a SaaS solution and use it as SaaS, you can connect your Active Directory (or any other account database) and your HRIS in a few minutes. This will give you a clear list of your users and their AD accounts. Then connect all your software gradually (between a few minutes and a few days if connectors need to be developed). In a matter of hours or days, you already have your main software connected and a significant amount of information coming back. You will then familiarize yourself with the platform to create your account creation and suspension settings, your registration forms, authorizations, alignments, etc. But if you work in an Agile method, the first sprint is set and you can already manage your accounts and users.
  • If you opt for an on-premise solution... it becomes longer and heavier. It must be implemented on your servers, configured, organized for updates, etc. This generally takes several months.
  • Finally, if you opt for a SaaS solution (in SaaS mode) and you have somewhat lengthy and complex processes, it is possible to start with a POC. Large companies generally proceed by implementing IAM on a portion of their users. This allows them to test the solution, the processes, and user feedback before deploying it across the entire company.

What's next?

It is important to keep promoting the identity and access management project after its implementation. Why? Talking about the project once it is in place is how you secure user buy-in and reassure sponsors.

  • You had realistic expectations and therefore made realistic proposals 😉; communicate the first figures internally.
  • You had set objectives and you respond to them objectively: what is in place, what is in progress and what has not yet been done or what poses difficulties.
  • You demonstrate the initial impacts that the user account management solution has had on the company (onboarding figures, time savings, error reduction, risk reduction related to shadow IT, or other).

It is important that the enthusiasm of the first few weeks does not fade. It is therefore necessary to set objectives for the year so that the 'routine' is well in place. If the decision-makers are not the regular users, it is important that check-ins are held frequently so that the work of the users is highlighted and they stay motivated to succeed.

An IAM solution also surfaces information; don't leave it sitting in the solution, act on it. IAM serves to consolidate your HR and IT data.

→ Got ghost accounts? Clean them up.

→ Do you have orphan accounts? Reattach them.

→ Got unused licenses? Stop them.

In a word: clean up!
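
An added example, not Youzer's code or part of the original article: a minimal reconciliation of an HR export against a directory export that flags the three cases listed above. The CSV column names, the 90-day idle threshold, and the definitions used for an orphan account (no matching HR record) and an unused license (licensed but idle) are assumptions; the sample data is constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports (not real data); column names are assumptions.
HR_CSV = """employee_id,name,end_date
E001,Alice Martin,
E002,Bruno Petit,2020-11-30
E003,Chloe Durand,
"""

ACCOUNTS_CSV = """login,employee_id,enabled,licensed,last_login
amartin,E001,true,true,2021-01-10
bpetit,E002,true,true,2020-11-28
cdurand,E003,true,true,2020-06-02
svc-backup,,true,false,2021-01-12
bpetit-crm,E002,false,false,2020-11-20
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(hr_csv, accounts_csv, today, idle_days=90):
    """Classify directory accounts against the HR source of truth."""
    # employee_id -> departure date (None while the person is still employed)
    hr = {r["employee_id"]: date.fromisoformat(r["end_date"]) if r["end_date"] else None
          for r in _rows(hr_csv)}
    findings = {"ghost": [], "orphan": [], "unused_license": []}
    for acc in _rows(accounts_csv):
        enabled = acc["enabled"] == "true"
        emp = acc["employee_id"]
        if emp not in hr:
            # No HR identity behind the account: it needs an owner.
            findings["orphan"].append(acc["login"])
            continue
        left = hr[emp]
        if enabled and left is not None and left < today:
            # Account still active after its holder's departure.
            findings["ghost"].append(acc["login"])
            continue
        last = date.fromisoformat(acc["last_login"]) if acc["last_login"] else None
        if acc["licensed"] == "true" and (last is None or today - last > timedelta(days=idle_days)):
            findings["unused_license"].append(acc["login"])
    return findings

if __name__ == "__main__":
    for kind, logins in reconcile(HR_CSV, ACCOUNTS_CSV, date(2021, 1, 15)).items():
        print(f"{kind}: {', '.join(logins) or '-'}")
```

Already-disabled accounts of departed users (such as `bpetit-crm` in the sample) are deliberately not reported as ghosts, since the page defines a ghost account as an active account of a departed user.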

Want to discuss account and user management?
We invite you to request a demo where we can discuss your project, your needs, your connectors... 😉
