Getting started with IAM pt. 2: Key questions you need to ask

Identity and Access Management (IAM) is emerging as a cornerstone framework to establish a strong security posture, enhance data privacy, and meet ever-changing compliance requirements.

One crucial reason IAM is growing in popularity is its pivotal role in preventing data breaches. An IBM study found that the average cost of a data breach is US$4.24 million. The study also found that organizations with a mature zero trust architecture reduced this cost by US$1.76 million. 

While IAM itself is not a complete zero trust architecture, the two intersect to improve an enterprise’s security and lay the foundation for ongoing enhancements. So it’s well worth adopting IAM today to improve your resilience for tomorrow.

Getting started with IAM requires finding answers to crucial questions to help you understand how to prepare. IAM is not a one-off project but an ongoing series of processes, policies, and technologies that necessitates careful evaluation before diving in.

Keep reading to learn precisely which questions you need to answer as you prepare your organization for upgrading to IAM. 

Data and Identity Questions: Building IAM Business Processes

IAM is rooted in business processes and technologies. Evaluating your data and identity ecosystem involves both, yet focuses more on building robust processes that help you home in on the best technologies to meet your needs.

The answers to each of these questions inform how you build future business processes, choose effective technologies, and avoid detrimental mistakes. So let’s break them down to help you move forward:

  • What is the authoritative source for identity data? The user repository is at the core of IAM, as it manages identities and assigns them to individual users. A solution like SailPoint, one of our partners, builds the foundation for IAM by becoming your authoritative identity management source. Working with an IAM consulting agency can help you navigate other available options.
  • How many systems hold the data you need? Centralize data as much as possible to improve the effectiveness and security of identity management.
  • What are the target systems you need to bring under the IAM umbrella? Understand every system in your tech ecosystem that must integrate with new IAM technologies. Map out each system and its permissions.
  • What data elements will be leveraged to correlate between authoritative and target systems? For example, your payroll software has its own permissions for which users can submit timesheets and which can approve them. Understand the data elements used to determine permissions so they can be mapped to the authoritative system.
  • Have you defined critical applications? Not every application in your stack is critical, but many are. Be aware of these applications to securely map permissions to the authoritative source.
  • Who is in charge of generating and managing vital data? The data you gather while planning for IAM is only a moment in time. So designate a stakeholder or team to generate and manage all essential data regularly.
  • Who owns your data? Many enterprises don’t house their own data in the world of third-party cloud platforms. Understand who houses and owns your essential information. Ownership is vital to both security and compliance.
  • What are the compliance requirements and industry expectations? First, it’s vital to understand the legislative and regulatory requirements facing your organization. Additionally, consider industry expectations beyond what’s legally required, such as using a specific cybersecurity framework like NIST.

Access Management Questions: Choosing the Right Technologies

Identities shape the rights and privileges of each user. Access management technologies determine which systems and applications those identities can access and what they can do within them.

The following questions help evaluate how your identity management and access management systems will interact to ensure all the right people are able to access your data and systems:

  • What is your major access management pain point? Most pain points have a solution within IAM. For example, Single Sign-On (SSO) can help alleviate the issue of memorizing passwords for half a dozen applications. Likewise, Multi-Factor Authentication (MFA) can help address security weaknesses. Know your problems, then seek solutions. Do you struggle with resetting credentials? Then self-service may be the right choice to reduce friction and help desk calls.
  • What are your current strengths? Understand your current access management strengths. Areas where you’re currently excelling can help you build out the rest of your systems.
  • What are the capabilities of your access management systems, and what can they support? Different security standards will allow you to use various systems and technologies. Your current access management system’s capabilities will determine whether you can build upon it or need to replace it. SAML, OAuth 2.0, and OpenID Connect are the dominant standards — confirm support for them before moving further.
  • How do you currently use identity data to streamline access management? First, consider your current technologies that use data to determine access. Will those methods be sufficient as you move forward, or do you need to upgrade legacy systems?
  • Do you have any applications that need protection but don’t support industry standards? It’s typical for legacy or internally developed applications to become rooted in an enterprise’s tech stack. However, it’s an issue if they don’t support modern standards. It might be time to upgrade to a modern alternative as you adopt IAM.
  • What do authentication and authorization look like in your organization? Authentication verifies a user’s identity, while authorization determines access levels. Have a firm understanding of how your technology currently handles both.
  • How can you improve the user experience (UX) without compromising security? Building a great UX is essential for both internal (IAM) and external identities (CIAM). Embracing IAM is an opportunity to improve the experience while also improving security, such as using SSO to cut down on login screens. Strive for a frictionless experience that handles authentication and authorization.

Governance, Risk, and Compliance Questions: Keeping GRC in Focus

GRC is not your starting point, but it’s an important goal to keep in clear focus as you build your new processes and systems. It’s important to limit risk and improve compliance by always understanding which users can access which systems. Additionally, GRC-related IAM information is always a snapshot in time — it must be reviewed and updated frequently.

Consider each of these questions as you move forward with IAM:

  • How can you give the right people access to essential applications? Compliance requirements are often concerned with restricting access to critical systems and sensitive data. You need robust processes in place to prevent the wrong employees from having high-level access.
  • Who makes decisions regarding access levels? Ownership is a fundamental aspect of both GRC and IAM. Therefore, appoint a stakeholder with a strong compliance understanding to make decisions about which identities are given various access levels.
  • How will you verify employees are reporting to the right person? It’s common for employees to change managers as they’re promoted or new managers take over the department. You need a robust life cycle management process that caters to a person’s current role and access levels, not levels related to their previous role or manager.
  • How do you handle joiners, movers, and leavers? New hires, lateral promotions, and resignations are frequent — you need processes for each situation. In addition, many industries are subject to regulatory compliance requiring quarterly or annual reports on who employees report to and what applications they can access. Lay the foundation at the outset so that producing these reports is straightforward.
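The two process questions above, correlating target-system accounts back to the authoritative source (the data-elements question in the first section) and handling joiners, movers, and leavers, can be made concrete with a small reconciliation script. The following is an added example written for this page; it is not code from Indigo Consulting or SailPoint. All HR records, accounts, role names and entitlement strings are constructed sample data, and the role-to-entitlement baseline is an assumed convention. It correlates accounts by employee id with a normalised-email fallback, then flags leavers whose accounts are still enabled, movers who kept entitlements from a previous role, joiners who have no account yet, and accounts with no owner in HR, before producing the employee/manager/access rows that periodic attestation reports need.

```python
"""Identity correlation and joiner/mover/leaver reconciliation (added example).

All records below are constructed sample data, not from any real system.
The HR feed is treated as the authoritative source; target-system accounts
are correlated back to it by employee id, falling back to normalised email.
"""

# Constructed authoritative (HR) records: employee_id -> attributes.
HR = {
    "E100": {"name": "Ana Ruiz", "email": "ana.ruiz@example.com", "manager": "E001",
             "role": "payroll_approver", "status": "active"},
    "E101": {"name": "Ben Okoro", "email": "ben.okoro@example.com", "manager": "E001",
             "role": "payroll_submitter", "status": "active"},     # mover: was an approver
    "E102": {"name": "Cy Lam", "email": "cy.lam@example.com", "manager": "E002",
             "role": "payroll_submitter", "status": "terminated"}, # leaver
    "E103": {"name": "Di Park", "email": "di.park@example.com", "manager": "E002",
             "role": "payroll_submitter", "status": "active"},     # joiner, no account yet
}

# Assumed birthright entitlements per role in the constructed "payroll" system.
ROLE_BASELINE = {
    "payroll_approver": {"timesheet:submit", "timesheet:approve"},
    "payroll_submitter": {"timesheet:submit"},
}

# Constructed target-system accounts. Some carry an employee id, some only an email.
PAYROLL_ACCOUNTS = [
    {"login": "aruiz", "employee_id": "E100", "email": None,
     "entitlements": {"timesheet:submit", "timesheet:approve"}},
    {"login": "bokoro", "employee_id": None, "email": "Ben.Okoro@EXAMPLE.com",
     "entitlements": {"timesheet:submit", "timesheet:approve"}},  # stale approve right
    {"login": "clam", "employee_id": "E102", "email": None,
     "entitlements": {"timesheet:submit"}},                        # still enabled
    {"login": "svc_legacy", "employee_id": None, "email": "nobody@example.com",
     "entitlements": {"timesheet:approve"}},                       # no owner in HR
]


def correlate(hr: dict, accounts: list) -> tuple:
    """Map each account to an HR identity.

    Correlation key: employee_id when the target system stores it, otherwise
    a case-normalised email. Returns (login -> employee_id, unmatched logins).
    """
    by_email = {rec["email"].lower(): eid for eid, rec in hr.items()}
    matched, orphans = {}, []
    for acct in accounts:
        eid = acct.get("employee_id")
        if eid is None and acct.get("email"):
            eid = by_email.get(acct["email"].lower())
        if eid in hr:
            matched[acct["login"]] = eid
        else:
            orphans.append(acct["login"])
    return matched, orphans


def reconcile(hr: dict, accounts: list, baseline: dict) -> dict:
    """Classify joiner/mover/leaver findings against the authoritative source."""
    matched, orphans = correlate(hr, accounts)
    findings = {"leaver_active": [], "excess": [], "missing": [], "orphan": orphans}
    seen = set()
    for acct in accounts:
        eid = matched.get(acct["login"])
        if eid is None:
            continue
        seen.add(eid)
        rec = hr[eid]
        if rec["status"] != "active":
            findings["leaver_active"].append(acct["login"])   # leaver still has an account
            continue
        extra = acct["entitlements"] - baseline.get(rec["role"], set())
        if extra:                                              # mover kept old-role rights
            findings["excess"].append((acct["login"], sorted(extra)))
    for eid, rec in hr.items():                                # joiner without birthright
        if rec["status"] == "active" and eid not in seen:
            findings["missing"].append((eid, sorted(baseline.get(rec["role"], set()))))
    return findings


def access_report(hr: dict, accounts: list) -> list:
    """Audit rows (employee, manager, login, entitlements) for periodic attestation."""
    matched, _ = correlate(hr, accounts)
    rows = []
    for acct in accounts:
        eid = matched.get(acct["login"])
        if eid is None:
            continue
        rec = hr[eid]
        manager = hr.get(rec["manager"], {}).get("name", rec["manager"])
        rows.append((rec["name"], manager, acct["login"], sorted(acct["entitlements"])))
    return sorted(rows)


if __name__ == "__main__":
    for kind, items in reconcile(HR, PAYROLL_ACCOUNTS, ROLE_BASELINE).items():
        print(f"{kind}: {items}")
    for row in access_report(HR, PAYROLL_ACCOUNTS):
        print(row)
```

The orphan account is the case worth noticing in practice: an account that cannot be correlated to any authoritative identity has no owner to attest to it, so it should be treated as a finding in its own right rather than silently skipped, and the choice of correlation key (employee id first, email only as a fallback) is exactly the "data elements" decision the first section asks you to make deliberately.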

Work with Indigo to Evaluate Your Current State and Future Needs

Getting started with IAM can be daunting, but it’s not an unachievable task. You don’t need to reinvent the wheel; you have thoroughly tested systems and experienced experts ready to help simplify the process.

Indigo Consulting is a leader in guiding enterprises toward building and managing effective IAM systems. Is it time for your organization to get started with IAM? Contact our team of IAM experts and developers today to begin.

Interested in learning more about Agile Development for IAM Solutions? Download our eBook today!