Access Governance Strategy

Identity and Access Management (IAM) projects are often initiated due to an audit finding or security review. These projects have limited management focus — really, if we’re honest about it, a compliance driven project is launched to fix a specific problem in the business. The project is expected to be delivered on time and on budget, and is wrapped after addressing a specific business need.

An Access Governance program doesn’t lend itself to this type of tactical approach. Access Governance needs a strategy, one that will help drive initiatives over the mid- to long-term. This is true even when (or perhaps especially when) an initial project is launched due to a compliance problem.

Access Governance has a longer life cycle than audit or security reviews, which are typically annual events. This is because access is something that crosses business boundaries, requires complex systems integration, and is dynamically changing as the business changes.

Business or IT strategies can help programs like Access Governance get established and funded. A strategy for access can critically assess business needs, develop roadmaps for addressing those needs, and help management to set performance measures.

When setting out to develop an Access Governance strategy, there are some key activities to be considered:

  • Know the audience — Is the CIO the primary reader of the strategy, or will it be used by multiple executives and managers?  A clear understanding of the business audience is crucial before embarking on the development of a strategy.
  • Identify relevant business goals — What is the organization trying to accomplish? What are the business goals for the next three to five years? Read the business plan and look for ways that access management can support those goals.
  • Link Access Governance to business strategy — This is the key to the process and it must be done well. Explaining how a program of Access Governance helps move the business forward is critical. But linking Access Governance to business goals needs to be realistic and defendable if the strategy is going to be adopted.
  • Identify champions — The strategy needs to be built with full support of those business leaders that will receive the benefits of Access Governance. Make them part of the strategy development process and listen to their input. You’ll be rewarded with loyal supporters of the program.
  • Develop a readable strategy — There is nothing worse than a dense, technical document passing itself off as a strategy. Strategies need to be filled with business language. They must use terms that the audience understands, and they need to be structured in a way that encourages reading. Costs need to be identified and provided in both summary and detailed forms. Illustrations and models are key, and a realistic project roadmap diagram is mandatory.

Once the strategy is approved, a program for Access Governance can be developed. Soon, priority projects will begin to deliver strategic results, and your supporters will realize the measurable benefits of having a strategy guide this crucial program.


Assessing IAM

My experience with formal technology planning spans over 20 years.  As an external consultant, I can offer fresh insights as inputs to planning and strategy development.

The planning approach I have used has always included an assessment phase — a set of tasks in the project that is primarily concerned with collecting information about the environment.  This works well when done prior to project planning, strategy work and program development.

Assessments are a vital part of Code Technology’s work in identity management. An IAM Assessment can be delivered on its own, or as part of an identity management strategy project.  The approach we have formulated for IAM Assessments is a little different than the generic IT information gathering. Identity management assessments need to be structured to address key components that impact IAM design and delivery.

If you’ve followed this blog for any length of time, you’ll know that I regularly reference the Pan-Canadian Identity Management and Authentication (IdM&A) Framework.  This framework has provided an excellent structure for assessment and strategy development work.

My approach, then, is to leverage the framework in the development of an IAM assessment.  Without the structure and completeness of this framework it would be difficult to ensure everything was covered.

The heart of the assessment is information gathering: infrastructure, applications, identity stores, policies, processes, etc.  Once these details are collected, analysis of the environment is performed using the seven Pan-Canadian IdM&A components.

Key questions are used to drive the assessment analysis:

  • Legal – Under what legal agreements and legislation does the organization operate? How do these drive compliance for IAM?
  • Privacy – How well does the environment match to privacy obligations?
  • Security – Does the current environment meet or exceed information security standards? What key identity and access risks need to be considered?
  • Trust – What trust arrangements (if any) exist between federated organizations?
  • Assurance – What processes and technology exist to ensure information assets are protected to the appropriate level of assurance?
  • Identity – How are identities organized and managed?  What identity attributes are stored and utilized?
  • Service Management – How robust and flexible is the current environment? How will it need to be supported?

An assessment is more than just information gathering — the analysis can help to immediately highlight strengths and weaknesses in the environment.  Follow-on work can use this documented ‘snapshot’ of the identity management environment to address security gaps, make improvements and plan for new solutions.

A week in the life…

What goes on in the typical week of an identity management consultant? Here’s a sample of my workweek:

  • Most days start right after breakfast at my home office, and consist of coffee and Twitter. I have a solid list of IAM sources that are streaming new information every minute, and I use the caffeine-loading time to get caught up on news and events.
  • I usually have one primary client, and for the last few months I’ve been working with a large health organization to implement an identity provisioning solution. This project is highly tailored to the client’s clinical and administrative needs, and must meet the needs of multiple stakeholders. My job, as a project manager and integrator, goes beyond PM — I need to develop business architectures, review/develop requirements and communicate to three different project teams.
  • I tend to have one or two other projects on the go that I need to personally be involved in. Whether it is overseeing another Code consultant’s delivery or kicking off a new strategy project, I like the variety and interaction that comes from these smaller assignments.
  • Lunch usually equals surfing: news, politics, Oilers hockey.
  • I try to post monthly to this blog and manage my Canadiam LinkedIn Group at least once each week. Social media is important but easy to get too involved with for little return (IMO).
  • Business development is important to a boutique firm like Code Technology. Saturday mornings are a good time to check online RFPs and write proposals.
  • I keep a reading folder going in Dropbox. With the Dropbox client installed on all my devices (Mac, Android phone and iPad) I can easily read an analysis or whitepaper whenever I have an extra few minutes. Currently I have several Gartner and Kuppinger Cole IAM papers downloaded and ready to review.

So that is about it. Even though my work is specialized, variety is the key to serving clients, continued learning and growing my business.


Words matter

I should know better.

I walked into a meeting of business types recently and started talking about their IAM service, how provisioning would be implemented and how SSO was part of the next release. SSO was going to be a good thing. Their users would very much enjoy SSO!

Except that they had no idea what SSO was…

The thing is that the audience — all very capable professionals in their own right — were having a hard enough time with the acronym soup already presented. They were still struggling with the picture of permissions for users being moved from one system to another. They were all still mapping their view of what the application did with what IAM would bring to the table. Their gaze grew distant, shoulders sagged, connection closed.

Why didn’t I just say Login Service? These people log in to their computers every day. They log in to their online banking, and their Facebook accounts. They log in to their phones. They get login.

Words do matter in IAM. Figure out who you are talking to and use the right ones.


Where you from?

Periodically I have a disconnect with a client or a consulting partner. You know, one of those moments when you realize you are on different pages than you thought you were when the conversation started.

I’ve realized that there are typically two types of people working in Identity and Access Management. The first group comes from a security background, while the second has access administration or maybe more general IT on their resume. I’m a graduate from the second school.

This really dawned on me about five years ago. I was talking to a consultant, who was relatively new to IT, about identity management and how my job was to give the right people access to the right resource, yadda, yadda, my normal spiel. He was listening but had a furrowed brow and I realized he was struggling with the ‘allow access’ part of the conversation.

I quickly learned that he was an ex-military police officer with experience in electronic security systems. He was much, much more interested in blocking access and ensuring maximum security. The idea that we could (and should) make access easier was hard for him to understand.

I have learned that there are some in this business that come from a position of wanting to over-secure everything. If that’s who you are working with, it is best to consider that viewpoint because they won’t be able to move forward with an IAM solution until their primary security needs are met.

But there are also those of us that want a really good user experience even if it means managing some additional security risk. We’ll always look for a design that allows access — while still being compliant with security and privacy — but is more aligned with client business needs.

Where you from?


Old job, new job

It has been a while since I’ve had a new ‘primary’ contract so I thought a post on the old and new is in order.

Since 2007, I’ve been the IAM Program Manager for the Alberta Government department of Innovation and Advanced Education. We assembled a development team to build a new IAM solution for the department’s growing online services. Web applications for post-secondary students were the main priority but business partner access to online services and SharePoint sites was also required.

The solution was built on top of Active Directory Federation Services (AD FS) and was developed in .NET. The services developed include self-service registration, authentication, authorization, identity proofing, access administration and reporting. We call it the Secure Identity and Access Management System, or SIAMS for short.

Today, that IAM solution has 650,000 identities, processes over 100,000 logins per month and supports 35 business applications. It supports a host of self-service features like password reset via SMS, and can deliver up to LoA 2 identity proofing.

I’m proud of the team that put the system together and very appreciative of the support I received from Innovation and Advanced Education’s management over the years. Code Technology will remain on the job with Dallas Gawryluk taking over the reins in an expanded project management role.

My new position is as a Systems Integration Project Manager with Alberta Health Services. The IAM solution on this project is quite different, and the job I’m being asked to do is already both interesting and challenging.  Working with multiple teams, I am hired to plan and deliver an implementation of an enterprise IAM solution for clinical users and access administrators.

New faces, new issues — and after seven years, a slightly different commute to work. I’m looking forward to the next year!


IAM for the smaller enterprise

My clients find identity solutions to be complex and costly to implement.  For mature and/or large enterprises, these issues are simply a cost of doing business — and compliance or online strategic drivers are usually sufficient to fund and launch an IAM initiative.

For the smaller enterprise there appear to be two paths followed: do nothing or do it poorly.  When done poorly, shoddy IAM implementations can result in poor credential management, lousy availability and inappropriate access controls.

So how does a smaller company or organization deal with identity properly? How can users be efficiently identified online without building expensive, custom solutions? What service levels and supports are possible for a login service when staff go home at 5pm? How can niche needs like strong authentication be met without excessive server license costs and complex implementations?

Enter the cloud.  Cloud-based IAM service providers are maturing, and a number of their offerings are aimed squarely at the smaller organization.  For example:

  • Symplified offers a full IAM service that promises plug-and-play integration with surprising depth, including support for mobile devices and apps.
  • PhoneFactor has a slick and secure solution for two-factor authentication that can be licensed on a per-use basis.
  • TransUnion has a robust identity proofing service for the critical process of confirming the identity of an online visitor.

Using one or more of these solutions allows for rapid deployment of IAM for smaller organizations.  The cost savings are considerable and service levels are beyond what most companies could hope to provide on their own.  There still remains integration work — applications need to be ‘plumbed’ to inter-operate with the cloud solutions — but all the heavy lifting of designing and configuring a solution is eliminated.

The maturation of cloud IAM solutions means an increased number of companies can implement secure and compliant solutions without the long lead-times and high cost of traditional product-based offerings.  In this age of rampant data breaches and increased focus on compliance, this is a welcome development.


The case for less ocean boiling

I don’t know who invented the term ‘boiling the ocean’ but it is a great description for projects that are too large, too ambitious and, ultimately, headed for failure.  Identity management projects run the risk of being set up to fail because their sponsors are trying to boil the ocean.

The problem lies in the scope of a typical IAM project.  These projects can often try to do far too much — the sponsor and project manager confuse the bigger, long-term goal with the project objective.

In an IAM strategy report I completed last year, my recommendation to the client was to use a phased delivery approach:

Smaller projects are easier to manage because they have a single focus and set of outputs to produce.  Adjustments to follow-on projects can be made based on lessons learned.  And with shorter projects, management can more frequently see the real results as each project completes – reports/briefings can be written and financial benefits documented.

Since 2007, I’ve been working as the IAM Program Manager for another client and putting these ideas into practice.  This program has been established with eight releases.  Each release is a project that runs between six and eight months, depending on the current needs of the business and our sponsor.

The key for keeping these projects short is scope management. The scope is determined a month or so before the project starts.  Inevitably, we get a change in scope sometime in the first few months — a new application needs to be integrated, the auditor wants a critical feature added, etc.

As any project manager knows, the triple constraint means that if you increase your scope, you can either extend the project schedule or add resources (and cost) to get the work completed on time.  This triple constraint is often addressed by clients by pushing out the schedule.  This also increases cost of course, even if the team size stays the same.

My philosophy is a bit different.  I look to trade off scope for… scope.  If six weeks of extra work are added, I will look to see if six weeks’ worth of scope can be removed.  Lower priority work can often be removed from scope and planned for the next project.

In other words, I want to keep the project schedule and costs fairly static so that the team can focus on an end date — and, by extension, new work and a new project after that date.  In a longer term program I place a lot of value in delivery.  The sponsor needs to see solutions delivered and projects closed.  We must be able to report to senior management actual business value and a list of real accomplishments, not just the percent complete on a project.

The end results are higher team motivation over the long haul — in three years, I have had zero team turnover — and better, more measurable business results.


Federated Identity project

I’ve been scoping a Federated Identity Management project for a few months now.  The implementation will include public users and business partners, and will support tens of thousands of users.

We are looking at a number of use cases with this design, including:

  • a low level of assurance with minimal shared attributes, and
  • a higher level of assurance with sufficient shared attributes to support a split profile.

The challenges are going to be related to privacy (the client is in the public sector) and legal issues.  My focus for the next month will be to try to tackle these issues — or at least get a start on them — before we get too involved with defining the technical solution.


IAM in 2010?

It has been a busy, busy past few months for Code Technology — new projects, new opportunities and a growing business.  This post provides an update on our project work with, necessarily, client names obscured:

  • Last fall, the Identity and Access Management program that I’ve been leading for a large public-sector education organization paid some big dividends.  Over the past two years my team has been building an IAM system on top of Microsoft’s Active Directory Federation Services (ADFS).  The main work was actually completed over a year ago, and the first web applications with a few hundred users were launched.  But in October 2009 the wider deployment started and we now have over 35,000 users, with as many as 120,000 users to come online in just over three years.  By the end of 2010, we could have a dozen applications using the service, enabling access to the broader education sector in Alberta in ways that have previously been impossible.
  • We recently completed an IAM strategy and program development project for a very large organization (85,000+ employees) here in Alberta.  This enterprise has some compelling identity challenges and high security needs.  What is interesting is that we have been able to construct a strategic framework, then drive out enough detail to define individual IAM projects for inclusion into their overall information security program.  I strongly believe that defining strategy without a defined delivery program as part of the report is useless — how many strategies and architectures do we see that end up sitting on executive shelves? With this project completed, the client now has a clearly articulated strategy and a practical set of projects defined in a format that is easily understandable by business and technical decision-makers alike.
  • We have also been working to develop the Canadiam blog and online community.  So far we’ve managed to create the blog site, populate it with a few posts, create a Twitter hash tag (#canadiam) and set up a LinkedIn group.  We are always open to new commenters, guest bloggers and other contributions so if you are interested in this niche slice of Canadiana, visit the site and let us know!  At the very least, feel free to slap #canadiam onto any Tweets you have related to IAM in Canada.

There really seems to be an increased rumble in the IAM services space — I’ve been at this niche for over seven years and I don’t recall a time when there have been so many implementations in the works. Whether it be government, other public sector or for-profit enterprises, IAM seems to be on everyone’s mind.

In the past few weeks alone, we have had interest in Code’s IAM services from three different provinces — five different projects in total. And that’s just what has crossed my desk — there are at least three major IAM implementations being planned or being delivered in Alberta at present, renewed federal efforts to develop the Pan-Canadian framework, another major project in Manitoba and (from what I can gather) similar initiatives in the other western provinces.

There is a lot going on in the identity world.  Will 2010 be the year that IAM makes a big splash across the country?