The ultimate IAM adoption roadmap: Timelines, must-Haves, mistakes, & more

Adopting IAM can provide a wide variety of benefits for any organization, such as improved security, cost-effectiveness, and streamlined compliance reporting. However, upgrading to IAM from legacy processes and technologies is no small undertaking.

You can go it alone or work with an IAM consultant agency to help develop and deploy your new IAM solution. Most organizations choose to bring in the experts since adopting IAM affects almost every system and user throughout the organization.

Whichever way you’d like to go, we’ve put together the ultimate roadmap to help you understand all the moving pieces involved in adopting IAM. Keep reading to learn the steps to take and mistakes to avoid for a successful implementation.

Typical Timeline for IAM Adoption

Identity and Access Management (IAM) is a framework of processes and technologies focusing on securing and streamlining how organizations manage identities. Adopting IAM can help your business become more cost-effective, secure, compliant, and even productive — but it’s not a simple, short-term project.

Every organization’s timeline for IAM adoption will look a little different. However, even though some steps may vary, the overall adoption timeline has more in common than not. We can still discuss the typical timeline for IAM adoption to help understand the scope and depth of the project.

Each step in adopting IAM falls into a larger category, which we’ve added in parentheses. The three overall phases are Design, Delivery, and Operations. These phases have several individual steps to complete before moving to the next, and some of them may look different based on your organization.

So, let’s dive into what your timeline may look like as you move forward with adopting IAM.

1. Pre-Engagement (SOW Agreement, RFP Response)

The first step of adopting IAM is typically a Request for Proposal (RPF) with a specific service provider or an IAM consulting agency. This stage comes before entering into any formal agreements and helps the provider evaluate your needs and then create a proposal for how they can meet them.

A Statement of Work (SOW) agreement is another crucial phase that details the specific deliverables, timelines, and tasks that will be carried out. The SOW can be considered the terms and conditions of the agreement between you and the vendor.

This phase can take some time as you contact different consultants or vendors, work through the details, and agree to proceed. You’ll have a contract in place before proceeding to step two.

2. Discovery, Current State, & IAM Maturity Assessment (Design)

Designing your future IAM program begins after you’ve signed a contract with a consultant agency. Your chosen consultant will conduct a thorough analysis of all existing systems and the current state of your IAM practices or your current methods for managing identity, access, and authentication.

A crucial element of this step is identifying the best solutions for your specific use cases after we understand your current workflows and processes. The consultant maps out existing processes, assesses the overall maturity of existing IAM programs, and takes the initial step to create a roadmap for moving forward.

It’s common for companies to want to learn more about IAM, including best practices and solution recommendations, before moving to step three. It’s a necessity for your teams to have a firm grasp of both the how and why behind IAM.

3. Architecture & Release Planning (Design)

The last step in the design phase involves building out a theoretical map of what your future IAM program may look like. Your chosen consultant will explain how the chosen solutions will integrate with your existing processes and systems.

An ideal roadmap provides granular details about each solution and its implementation. You’ll understand any involved resources and timelines before moving forward.

The goal of this step and the design phase overall is to create and convey an actionable plan for your organization. Every stakeholder will be able to understand and sign off on the plan before any solutions are implemented.

4. Implementation & Development (Delivery)

Next, you move into the delivery phase. The consultant works behind the scenes to develop and implement the agreed-upon architecture. The right consultant will configure and customize specific to your needs. 

Plenty of testing takes place in this phase due to the complexity of IAM solutions and the uniqueness of your existing tech stack. That does not mean it’s deployed but is implemented in a test environment to make sure all the moving pieces are operating as expected.

Essentially, this phase transforms the theoretical plan into a working, tested solution ready. Generally speaking, your involvement will be minimal in this phase, but you should receive updates as the project progresses.

5. Deployment and Environment Propagation (Delivery)

With your IAM solution built out and tested, the next step is to deploy the new solution across the different environments throughout your organization.  Every organization’s tech ecosystem is unique, so the timeframe and complexity of deployment will vary.

For many medium-sized organizations and enterprises, deployment requires a series of incremental stages with thorough testing along the way. It’s crucial to ensure the developed solution works as expected to maintain security and ease of use at every checkpoint.

Once deployed, most consultant agencies will take a back seat role in the production environment. You’re now in command of your IAM program, and it’s vital that you have the right teams in place for ongoing management. Depending on the agency, you may still have minimal contact for additional training or support issues.

6. Support & Training (Operations)

A reputable IAM consultant agency won’t just deploy and leave — they’ll make sure your teams are ready to take over. This phase focuses on providing training and support to your teams, which may also happen before deployment.

Training can include workshops, guides, documentation, or any other materials to help your teams understand how to use and support the new IAM program.

Many consultants also offer ongoing support to address any questions or issues that may arise as you start using the new tech stack and processes in daily operations.

7. Managed Services (Operations)

Alternatively, you may opt for managed services to have the agency take complete ownership of the solution for your company. Indigo Consulting is also a Managed Service Provider (MSP), so we’ll stay involved and manage IAM operations.

An MSP will be responsible for the day-to-day management and maintenance of your new IAM solution. A vital component of this service is ensuring your IAM program continually meets your needs.

Some organizations choose to go the MSP route over handling these responsibilities internally. Others would instead train in-house personnel and manage everything themselves. It’s up to the specific needs and available resources of each organization.

8. Product Lifecycle & Upgrade Migration (Operations)

The last step is an ongoing process to ensure your IAM tech stack and processes are current. You may need to plan for additional upgrades and migrations beyond the initial deployment. If you choose an MSP, they’ll handle these processes, but otherwise, they’re your responsibility.

Additionally, updates for vendor solutions, changes in compliance requirements, and evolving best practices may necessitate modifying your IAM program. It’s crucial to have an internal team or third-party MSP to keep your program current.

Typical Deployment Models to Consider

Choosing your deployment model is a significant decision that impacts many aspects of development and implementation. So, let’s break down the standard deployment models to consider when making this decision:

  • On-premises deployment: Like other IT systems, on-premise deployment means you’ll host all IAM solutions on your infrastructure. You’ll also take on managing them. This option is resource-intensive, requiring both the right experts and available hardware.
  • Cloud-based deployment: A cloud-based deployment offloads the infrastructure costs to a service provider to improve cost-effectiveness and scalability. You’ll be able to manage usage as necessary, but you’ll need to choose the right vendor to ensure scalability and security in the cloud.
  • Hybrid deployment: This deployment option blends both of the above options. Typically, organizations will keep highly sensitive components internally while working with a reputable cloud provider to handle other aspects. Hybrid deployments can be the perfect solution for many organizations but are often challenging to fully integrate without the right skillset.
  • MSP deployment: We talked about Manage Service Providers (MSPs) earlier — so an MSP deployment largely depends on your chosen provider and ideal solution. Any of the above three options might be put to use, but the MSP is in charge of management rather than internal teams.
  • Identity-as-a-Service (IDaaS): Much like other -aaS platforms, an IDaaS typically involves a subscription plan to help streamline the deployment and management of your IAM platforms. It’s worth noting that customization may be limited, and you’ll need to keep data protection practices in mind.

You’ll decide which type of deployment model works best for your business early on in the process when building a roadmap with your IAM consultants.

Must-Haves to Get Things in Order

If you’re developing a roadmap for a cross-country trip, you’d also consider what you need to do before you start driving. Your IAM roadmap is the same — don’t just start driving and hope for the best; get everything in order before you take off. 

Let’s explore some of the critical things before you start following your roadmap.

Basic Understanding of Your Current Footprint

You need to have a strong understanding of all existing infrastructure and systems.  Knowing what you already have in place helps speed up defining and evolving your current IAM processes.

If you choose to work with a third-party consultant, the first thing they’ll do is strive to understand your current footprint. You should do this ahead of time, whether you’re working solo or with a consultant, to speed up the entire process.

Aligning Stakeholders

Stakeholders need to have an accurate understanding of the IAM adoption process, especially how extensive and time-intensive it may be before you begin.

Additionally, stakeholders should know what the expected outcomes will be — you’ll likely need to convey this information before getting approval. Will you improve security and compliance with more robust IAM practices? Make these benefits clear to those who need to sign off on adoption.

Define an IAM-Focused Project Owner

IAM is time-consuming and connects to nearly every system throughout the enterprise. As such, it’s precious to define a project owner for IAM adoption and ongoing management.

Your IAM champion (the project owner) should understand the entire field and be prepared to help the rest of the team design, implement, deploy, and maintain the future program.

Set Goals

Define clear goals and objectives before you start taking actionable steps in your roadmap. The following questions help give you an idea of how to set IAM-specific goals:

  • What requirements does your future solution need to meet? 
  • What use cases need to be supported? 
  • What functionalities are expected post-deployment?

With goals in place, you’ll start pursuing your roadmap on the right foot.

Create Development Environment

Once you’ve defined your future IAM environment, create a development environment to help implement, test, and refine solutions without affecting live systems. Having the correct environments ready to go allows your teams or partners to start on the right foot — otherwise, they’ll have to create them anyway.

Choose Between Self-Managed or MSP

We’ve talked about MSPs throughout this article, and it’s crucial to underscore that you must make this decision early in the process. Once you’ve completed your roadmap, you must continually maintain and upgrade the program. Do you want to handle this or offload that responsibility to an MSP?

Common Mistakes and Roadblocks You May Encounter

There are plenty of possible mistakes and roadblocks you might come across as you develop and implement your new IAM program. 

Working with an IAM partner can help you navigate around these mistakes  — and we can give you a heads-up if you’ll be building your own solution. Some possible issues to keep in mind include:

  • Being unable to describe or define your existing architecture.
  • Having a lackluster understanding of specific, actionable milestones throughout your timeline for key identity projects.
  • Creating a fixed deadline before you even start without understanding the complexities of IAM integration.
  • Viewing IAM as a single, one-off project rather than the reality of IAM is an ongoing process needing continual advancement.

Each of these mistakes can create delays, frustration, or result in a program that creates more problems than it solves. Make sure all stakeholders and involved teams have the right perspective before you begin to sidestep many of these roadblocks.

How to Choose a Vendor

IAM programs typically use a blend of third-party vendors to implement specific capabilities and features. These vendors provide the specific capabilities you need without requiring a lengthy internal development process.

Your goal is to match vendor capabilities and strengths to your pre-defined target IAM program. For example, if you want to include Customer Identity and Access Management (CIAM) capabilities, consider using ForgeRock instead of building your own solution.

So, let’s quickly name some leading solutions in specific verticals you may need throughout your organization:

  • Privilege Access Management (PAM): Cyberark. 
  • Enterprise Access Management: ForgeRock, Ping (Okta, Auth0)
  • Identity Lifecycle Management (aka IDM): Sailpoint, ForgeRock
  • Customer Identity and Access Management: ForgeRock
  • Authorization: PlainID, ForgeRock (Syria, Axiomatics)

You can see how your future IAM program will likely involve multiple solutions that need to work together. This level of complexity is why choosing a partner to develop and deploy your new IAM program can help save time and avoid common pitfalls.

Looking for an IAM Delivery Partner? Indigo Can Help

Migrating from existing systems and workflows to leading-edge IAM solutions is a far-reaching project. You need the right experts in place to make sure you reap the benefits you’re after rather than inadvertently creating a whole new set of problems.

If you have in-house IAM experts, you might be able to create and execute an IAM adoption roadmap. Otherwise, it’s worth bringing in the experts to ensure you effectively develop and execute your new IAM program.

Indigo Consulting is an industry leader in building, deploying, and managing IAM programs for organizations across many industries. Our expert team knows how to evaluate your current processes and systems, then strategically build your adoption roadmap — and make it a reality.

Are you ready to discover how we can help? Contact us today to talk to an IAM expert to learn more about how we can help your organization.