Access Risk Management Blog | Courion
We all know that deploying an enterprise IAM solution is a journey that entails making many different and often times critical strategic decisions. This journey is often described as long, stressful and tedious, but should it be?
Choosing the right vendor can alleviate many of the hurdles that organizations face in an IAM deployment project and can result in a faster, more successful implementation. This blog is intended to help customers in their evaluation process of IAM vendors, by addressing some important aspects that need to be considered and by raising some questions that need to be answered:
Purpose: Clearly defining the purpose of the project helps consolidate and clarify expectations for the IAM project. This is often not given as much attention as needed. As a result, expectations are not clearly stated and hence organizations struggle to make the right choice in selecting a vendor. Ask yourself this question—What is the primary goal of this project? Some examples are:
- Is it the help desk call volume that you are trying to reduce
- Is it the end user experience that you are trying to improve
- Is it the auditors you are trying to answer
- Is it the overall risk posture that you are trying to secure
Sometimes, it could be one or more of these. If that is the case, then prioritize the goals. Understanding what it is that you are trying to accomplish and clearly stating the goals and priorities will go a long way in your evaluation process.
Impact: Organizations can be shortsighted when it comes to understanding the impact a project such as this may have across the organization. This goes beyond those obviously impacted, such as the end users who will use the solution and the administrators who will manage the solution:
- Is the solution easy to use and will end-users be able to use the solution readily?
- Is the solution easy to administer?
- Does the solution need programming skills sets to deploy and maintain?
- How many people are typically involved in administering the solution?
- Does it only help reduce the workload of people performing provisioning/de-provisioning actions?
- Involvement from target system owners, help desk administrators, HR and marketing:
- How does the solution integrate with the target systems?
- How much of the target system users’ time is needed to support the deployment?
- Does the solution help reduce help desk call volume?
- How is HR information leveraged and how much of the HR department’s time is needed to support the integration?
- Is marketing needed to promote the adoption of the solution? If so what tactics are planned to expedite adoption?
Many organizations do a good job determining which target systems need to be part of the IAM project. For those that struggle with this decision, a good place to start would be to consider:
- High volume applications, for which most of the requests come through.
- Target systems, for which the provisioning teams spend the most time on.
- High-risk applications, for which you lose sleep because you fear that your organization may be at risk if the system was to be compromised.
- The applications that need to be part of the overall solution. Is the solution capable of integrating with these systems easily during any stage of the deployment process?
Processes: More often than not, organizations tend to think that their situation is entirely unique and that a custom solution is absolutely essential to address every detail in every process they currently have. While it is true that no two organizations have exactly the same set of requirements, the need to address every single detail quite often proves to be detrimental to the pace of the project. The result is that the project drags on for a long time. By the time the project gets “on its feet”, the requirements may have changed again.
The point here is to go back to the drawing board and map out the goals and requirements in priority order. By doing so, organizations may realize that with the right IAM solution in place, there may be simpler and more efficient approaches to addressing problems that they had previously been tackling through cumbersome processes or work-arounds due to a lack of tools or available information. Organizations should consider the IAM solution as not just a solution that automates processes but also as a solution that provides the ability to improve existing processes where possible.
Technology: Based on everything discussed so far, you may already be thinking about the technology that can support all of this. After all, everything that needs to be accomplished in an IAM project is driven by the underlying technology. Therefore, choosing a solution that can address both immediate and future needs is strategically important. Some of the questions that might help in determining the right technology are:
- Can the product satisfy all the requirements determined thus far, such as
- Ease of use
- Ease of administration
- Ease of target integration
- Addresses various processes – both immediate and future needs
- Robustness—is the solution enterprise grade?
- What are the components of the overall IAM offering?
- Are each of those components built on the same platform, or are they cobbled together through acquisitions?
- What is the future road map for the product?
Ability to implement: Organizations dedicate a considerable amount of attention to choosing the “right technology”, but frequently undervalue the ability of the vendor to implement the solution. This often leads to an unbearably long IAM project or sometimes even a failed project. Key reasons for failed IAM projects include an inability to understand the magnitude of an enterprise IAM project, underestimating the complexities involved, not aligning expectations correctly, a failure to properly scope a stage-by-stage approach to achieve the ultimate goal and an inability to map out a proper path to success. The importance of choosing a vendor with the experience to clearly address each of these factors and consequently drive an enterprise wide IAM project to success cannot be overstated!
Conclusion: The factors addressed here and questions raised are not meant to be an exhaustive list of all that needs to be evaluated when choosing an IAM vendor, but are intended to highlight some of the key aspects you need to consider to make an informed decision to pick the right vendor and better ensure your success.