Identity Management: 6 Pitfalls to Avoid for a Successful Project
We have entered the era of post-digital transformation, a time when needs and uses are constantly being reinvented. In this ever-changing world, companies’ information systems are becoming increasingly complex, open, and constantly evolving. Identity management is essential to keep such a system secure and compliant.
Users interact through multiple channels, and the information about them is typically dispersed across various silos. The data associated with the digital identities of employees, partners, and customers is thus accessed through an increasing number of entry points.
Mastering identities and permissions is therefore a crucial aspect of protecting the information system from issues related to human error, fraudulent uses, and data loss or theft.
In light of these challenges, CIOs and CISOs must ensure unified governance of users and control access to their services. To this end, implementing an IAM (Identity and Access Management) project and integrating an identity management platform can enhance ROI and productivity.
However, it is a long-term project that can become a burden for the teams involved if not executed properly. To help you avoid such challenges, we consulted our IAM experts, who have listed six pitfalls to avoid when undertaking an identity management project!
1. Omitting Resources When Mapping Accounts and Applications
One of the main objectives of an identity project is to build a single repository of all your identities and permissions. To achieve this, mapping all accounts and applications is an essential first step.
By omitting resources, you would risk slowing down your project, increasing your costs, and losing the main benefits of an Identity Management platform. Moreover, from a compliance standpoint, during an audit for example, all these omissions could work against you.
The mapping must make it possible to inventory all identities as well as all permissions, in order to then determine what needs to be provisioned.
So how should you proceed? Beyond drawing up a list of all your repositories, we recommend adopting a batch-based approach: by team, department, geographic site, number of users… Start, for example, by determining with each business manager the list of resources that concern them. They can then define the required rights with the members of their team accordingly.
Your organization may also host external users such as service providers, partners, or subcontractors. As a rule, this population is found neither in Active Directory nor in the HRIS, yet it must access several resources of your information system. It is therefore essential to identify and reference these users properly, and to centralize the associated identities and permissions so as to correctly partition your data.
Once all this information has been mapped, you should gain more visibility into the repositories that contain the resources needed for permission management. This step also makes it possible to quickly determine your authoritative source (the source that will often contain the majority of users) and potentially to orient the main expected use of your identity management platform (directory, master repository, management of external profiles…).
To go further and not miss best practices in permission reviews, we invite you to download our guide.
2. Starting the Project with Unqualified Data
Our experts emphasize this point: for a successful identity management project, teams must rely on reliable and consistent data. Without regular verification of the accuracy of user data, it is likely that identity repositories will eventually contain outdated information or even orphan accounts (active accounts of users who have left the company).
Before defining attributes and assigning rights to a user, you need to ensure that their profile is up to date and correctly defined. Generally, it is necessary to clean the data before the project starts to ensure a reliable base on which identity management can rely.
Another crucial step for making data consistent is reconciliation. As mentioned earlier, your organization has multiple repositories: HRIS, Active Directory, directories, databases… Typically, these repositories contain the same user profiles. Reconciliation involves correlating data from different applications to link them to a single identity.
It’s worth noting that data cleaning and reconciliation can be done internally or outsourced to a provider specializing in identity management.
However, be careful not to feed your IAM solution with all your data, even if it is qualified. It is important, especially for security, to store in the platform only the data needed to feed other repositories, so as not to overload its operation.
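As an added illustration of the reconciliation and orphan-account checks described above (example code, not the Ilex platform’s own), the script below correlates a constructed HRIS export with a constructed Active Directory export, linking each account first by employee ID and then by e-mail, and flags enabled accounts whose owner has left the company as well as accounts with no HR record at all.

```python
"""Reconcile HRIS and Active Directory records into single identities and flag orphans.
Added example, not Ilex code. All sample data below is constructed."""

# Constructed HRIS export: employee id, e-mail, employment status.
HRIS = [
    {"emp_id": "E1001", "email": "alice@example.com", "status": "active"},
    {"emp_id": "E1002", "email": "bob@example.com", "status": "left"},
    {"emp_id": "E1003", "email": "carol@example.com", "status": "active"},
]

# Constructed Active Directory export: account name, mail, employeeID (often missing), enabled flag.
AD = [
    {"sam": "alice", "mail": "Alice@Example.com", "employee_id": "E1001", "enabled": True},
    {"sam": "bob", "mail": "bob@example.com", "employee_id": None, "enabled": True},
    {"sam": "svc-backup", "mail": None, "employee_id": None, "enabled": True},
    {"sam": "carol", "mail": "carol@example.com", "employee_id": "E1003", "enabled": False},
]


def normalize(value):
    """Case-fold and trim an e-mail so repositories with different casing still match."""
    return value.strip().lower() if value else None


def reconcile(hris, ad):
    """Link every AD account to one HRIS identity.

    Returns (linked, orphans, unmatched):
      linked    - sam -> emp_id for accounts correlated to an HR record
      orphans   - enabled accounts whose HR record says the person has left
      unmatched - accounts with no HR record (service or external accounts that
                  must be referenced in another repository, see section 1)
    """
    by_id = {h["emp_id"]: h for h in hris}
    by_mail = {normalize(h["email"]): h for h in hris}
    linked, orphans, unmatched = {}, [], []
    for acct in ad:
        # employeeID is the strongest key; fall back to e-mail when it is absent.
        rec = by_id.get(acct["employee_id"]) or by_mail.get(normalize(acct["mail"]))
        if rec is None:
            unmatched.append(acct["sam"])
            continue
        linked[acct["sam"]] = rec["emp_id"]
        if acct["enabled"] and rec["status"] != "active":
            orphans.append(acct["sam"])
    return linked, orphans, unmatched


if __name__ == "__main__":
    linked, orphans, unmatched = reconcile(HRIS, AD)
    print("linked:", linked, "orphans:", orphans, "unmatched:", unmatched)
```

Run against real exports, the orphan list is what a pre-project data cleaning pass would disable or delete, and the unmatched list is the population of external or technical accounts that needs its own reference source.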
3. Defining Too Specific Profiles and/or Permissions
While setting up an identity management platform capable of handling all scenarios might seem cutting-edge, it’s actually a mirage that will significantly slow down your platform’s productivity in the long term.
Indeed, the consequences of a highly customized platform identified by our experts are numerous:
- It will be more costly to maintain and update,
- It may quickly become obsolete if technologies or needs evolve,
- It may limit your company’s scalability or integration options with other systems,
- It will require professionals with advanced knowledge of the platform to manage it,
- It may be challenging to recover data or specific functionalities from this solution if it is replaced by another.
With 30 years of experience in the field, we have found that it is more effective to assign a default profile with associated permissions and manage exceptions only when necessary, rather than getting bogged down in overly customized profile management that will proliferate almost at the same rate as your users. Additionally, this will greatly facilitate your segregation-of-duties strategy.
To determine your profiles and model rights, our experts recommend a hierarchical structure to avoid inconsistencies.
Keep in mind that identity management is an ongoing task; being reasonable in the short term will allow you to be more ambitious in the long-term vision.
4. Covering Too Large a Scope
Once the mapping offers a view of all existing applications, you might want the identity management platform to cover all of them. However, an identity management project is meant to evolve and is, by definition, endless. It would be counterproductive to aim to cover all existing resources at the project’s outset.
Each application typically includes:
- A user scope,
- A validation process,
- A manager,
- A connector to be implemented.
In an identity management project, this means you will have to multiply scenarios and stakeholders for each use case. A too-wide scope could slow down the project and prove costly.
To make the project achievable and understandable, we recommend adopting an iterative approach. Start by targeting the accounts and applications with the most important scopes within the company (such as Active Directory and email) and then proceed with application batches. This approach will allow you to achieve quick wins and even enable project teams to gain expertise in the identity management solution.
The same rule applies to the implementation of connectors. Although it may be tempting to activate automatic provisioning for all resources, starting by connecting only the common core applications will be more productive.
5. Neglecting Change Management
Centralizing resources, changing onboarding/transfer/departure processes, reviewing rights according to the principle of least privilege, segregating duties… Our clients testify that an identity management project will undeniably disrupt your organization’s habits.
For the project to be sustainable, each stakeholder must realize that these validation steps are fundamental elements in protecting their organization.
While IT teams are already aware of the cybersecurity challenges of the project, they will play a role in uniting and raising awareness among the less technical profiles of your organization. In this regard, it is crucial to involve HR teams from the project’s inception. Firstly, because the HRIS is an essential repository in an identity management project, and secondly, because HR teams will play a key role in process implementation.
Business and application managers should also be made particularly aware of these issues. For example, it’s typically the department manager’s responsibility to verify application rights and authorized resources.
Another critical factor: opting for a user-centric identity management solution. In their testimonials, our clients emphasize the importance of simplifying tasks as much as possible for users. Indeed, prioritizing user comfort will strengthen the acceptance of new processes and platform adoption. Conversely, if a platform is too complex, its use may be circumvented, leading to human errors.
6. Developing Your Identity Management Platform In-House
Cost reduction, a “tailored” platform for your organization… At first glance, developing your own identity management platform might seem appealing. However, unless your company has strong expertise in identity management software development, such a project will quickly become a burden for your teams.
Developing a solution in-house is a false good idea and can prove to be a costly decision because, without experience, teams will be unable to anticipate the various risks and constraints specific to identity management.
Once the solution is developed, it will then need maintenance and updates. Therefore, employees will need to be continually engaged and may not be able to participate as much in other equally strategic projects. Moreover, there will be a high risk of information loss if one of them ever leaves your organization.
Finally, you will have no guarantee of keeping the solution compliant with external regulations. Therefore, we strongly recommend opting for an identity management solution like Ilex Identity Management and benefiting from all our associated expertise.
Architecture, data, resource provisioning, mapping… Beyond providing a turnkey solution, Identity Management experts will support you through all these steps, frame them properly, and share best practices and feedback from other participants.
Technical Focus: Watch Out for Prerequisites!
If you choose to entrust your identity management project to a specialist, don’t miss this step. Indeed, many parameters must be checked to determine compatibility between your information system and the chosen platform.
Among the main points of attention highlighted by our experts are connectors.
Planning POCs (Proofs of Concept) for scenarios involving your resources and the identity management platform is a step we highly recommend. This will allow you to test the potential of identified APIs or web services and confirm the smooth operation of automatic provisioning.
Another important technical prerequisite is full compatibility between your identity management platform and your database management system (MariaDB, MySQL, etc.). If the platform cannot be linked to it, the project will not be viable.
Finally, we also recommend anticipating the desired hosting mode for your platform, whether On-Premise or Cloud-based in SaaS mode, to ensure it is available on the chosen solution and allows access to all the desired functionalities.
Certain roles will heavily rely on the identity management platform, and its performance will determine the organization’s productivity. Therefore, it is crucial to ensure that the solution’s availability is fully aligned with business challenges. Business first!