New technologies like bring your own identity (BYOI) provide the agility that organisations need to compete in the digital economy, as Jan Zeilinga demonstrated in last month’s blog. But let’s not forget that getting the house in order is an important prerequisite to going “digital”. Employees and contractors need access to the right information to do their jobs, and organisations need to ensure that digital assets are used appropriately.
Without an identity and access governance (IAG) solution, policies and controls designed to mitigate access risk must be performed manually. At best this is a drag on agility but at worst it is a serious security issue. Thankfully, IAG solutions which improve and automate these processes are no longer something that only large organisations can afford.
Whether deployed in the cloud or on-premises, the tricky part about identity and access governance is no longer the technology, which is quite mature, or even the processes. As a new research-based white paper from First Point Global and our partner SailPoint shows, it’s the people part that is the real challenge. This publication is rich in findings and advice from practitioners at organisations who pioneered IAG in Australia – the top financial institutions. Some key findings are summarised below:
1. Address the people component as a first priority
IAG projects often struggle when the project team doesn’t truly understand the business needs, the complex rules and politics of the organisation, or the points of view from various stakeholders. IAG projects typically require the participation of many different groups that must work together to ensure success. There is often a large gap between the technical side of the house and business users who may not understand or care about IT and security issues. Addressing these people challenges with “eyes wide open” is a critical success factor.
2. Choose your IAG leader carefully
With this in mind, practitioners interviewed for the white paper recommended choosing leaders who have experience leading large, cross-functional programs and who are skilled at “getting things done”. This type of leader will not shy away from the people and change management side of the job.
3. Find and maintain strong executive sponsorship
Changing business processes and people’s behaviour is a difficult task. Executive leadership is needed to convince the organisation of the strategic importance of the project, ensure adequate IT staffing, mediate departmental conflicts and set priorities.
4. Avoid the “big bang” approach; start small and build momentum
Key recommendations from interviewees included:
Scope the project in small phases that can be completed in weeks – try for as small a scope as you can.
Go after the “low hanging fruit” first. For some organisations, this means starting with the friendliest business units; in others, it means starting with applications that are easiest to integrate with the IAG tool.
Promote your early successes to build support and expand your scope to more applications and business units.
5. Work to achieve business accountability
Managing user accounts and privileges – and ensuring effective access control – is not commonly embraced by business users. In many of the organisations interviewed, IT staff assumed responsibility for identity and access governance. Business application owners were not held accountable for ensuring adequate governance and compliance with internal controls. As a result, IT had responsibility for what were actually business risks. To be successful, accountability for risk had to be shifted to the rightful owners on the business side of the house. Best practices on how to achieve this included using approaches tailored to each business unit. Some groups will respond to the threat of negative audit findings; others will be motivated to reduce the burden of compliance activities like user access reviews.
The white paper provides a unique opportunity to learn about identity and access governance challenges, and the best practices to overcome them, from leading Australian organisations. If you are planning, implementing or extending an IAG solution, I strongly recommend that you download it.
This article is brought to you by Enex TestLab, content directors for CSO Australia.