IAM Roadmap Best Practices

The best identity and access management (IAM) roadmaps focus first on solving business problems within the business context. This piece explains what a typical IAM roadmap entails and offers best practices for ensuring your IAM program supports the business efficiently and effectively. 

IAM Program Guidance 

IAM programs vary depending on regulation, maturity, complexity, and organizational ownership. However, every good roadmap focuses on improving the core IAM functions: provisioning, de-provisioning, role-based access control (RBAC), entitlement and permission management, and access certification. It should also be designed to solve a business case first, because solving the business case should provide overall improvements in identity management. Some ways to frame the project include: 

• Simplicity: Target business areas with standardized functions that yield high return. These projects can be positioned as enabling business speed. 
  
• Rate of change: Target areas with high employee turnover or high growth. These projects can be positioned as enabling business agility. 
  
• Manual effort: Target areas requiring time-intensive repetitive tasks to grant access. This is an IT improvement project, which can be positioned as business efficiency. 
  
• Change in the business: This addresses new apps, new lines of business, mergers, etc. These projects can be positioned as business enablement. 
  
• Risk: Target areas where excessive access presents higher risk. This is an identity project carried out to address specific audit or security concerns. 

READ: Centralized IAM Best Practices

IAM Roadmap Elements 

Your IAM roadmap should have the following elements: 

• Assessment and inventory: Examine the current processes, applications, security requirements, compliance requirements, and available staffing and tooling. 
  
• Role engineering: Survey and review access, and perform role mining, role modeling and implementation. 
  
• Entitlement management: Develop a standard set of entitlement models that map the roles to the applications. 
  
• Application integration: This includes: 
  
  • Integrating the application access with the entitlement models. 
    
  • Integrating the provisioning and de-provisioning with the identity and governance administration (IGA) tooling. 
    
  • Integrating authentication with the single sign-on (SSO) tooling. 
    
• Access review certification: Work with the business owner to certify the role and with the application owner to certify the access. 
  

Depending on the state of the program, the following may also be in scope for the roadmap: 

• Establish a governance committee, which determines how the program will be led. 
  
• Engage and manage stakeholders: These include business owners, application owners and other stakeholders. This is the most crucial aspect of the IAM program because engagement from the business areas and technical areas is the leading success factor. 
  
• Deploy tooling. This includes everything from tool evaluation and selection to instantiation and operation. For example, this would be the process of getting a platform such as SailPoint or Saviynt configured for IGA. 
  
• Develop the team. This includes training and skills development of the core team on the tooling and on overall IAM concepts. 
  

IAM Program Mistakes 

Most IAM programs have many moving parts and keeping everything working optimally can be difficult. Some issues to avoid include: 

• Not building the program to align with the business. Roadmaps that are isolated from the wider business environment often fail to gain the support and traction they need. Ensure the focus of IAM is on using identity to support business initiatives. Use the wider business framework for structuring the work. For example, if the organization uses an objectives and key results (OKR) framework, follow that format to structure the roadmap into quarterly objectives. 
  
• Not spending time with stakeholders. A majority of CISOs hold a governance role in IAM. However, the IAM program’s success is ultimately determined by people outside of the direct oversight and control of the IAM function. In other words, the people developing the policies are not the people executing the policies. Therefore, success depends on relationships between the IAM team and the people performing IAM tasks within the wider organization. When asked what they would do differently, IAM leaders frequently report they would have spent more time building relationships with the business owners to understand the processes and the application owners to understand the technology. 
  
• Not developing in-house talent. The more knowledgeable and skilled the people are within the IAM team at both understanding the tooling and understanding the business, the better the outcomes from the IAM program. 
  

IAM Roadmap Best Practices   

The best IAM roadmaps focus on supporting business initiatives and ensuring stakeholder needs are met. To improve the chances of success, organizations must: 

• Mature the core tasks: Focus on improving provisioning, de-provisioning, access control, entitlement and permission management, and access certification. 
  
• Frame the IAM roadmap within the business context: Solve business problems (e.g., growth through acquisition) with identity solutions, and use business tools (for example, OKRs) to track progress. 
  
• Foster stakeholder relationships: Perhaps more than any other capability, IAM is people- driven. Allocate time in the roadmap and on the team calendars to developing relationships across the organization and developing the skills of the people within the team. 
  

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.