* Umberto Rosti
TOP 07 Identity and Access Management (IAM)
Companies are increasingly mature and certain of the need for management that controls their employees' access, mainly because of the rules of the GDPR.
After all, there are plenty of examples of corporations that have been harmed by former employees, third parties or employees unhappy with the company. Despite this maturity, many companies are unaware of the main difficulties encountered during the technology implementation process, costs included, and end up interrupting the project at critical moments.
One of the great paradigms is that all systems must be connected automatically to Identity Management. This is expensive, time-consuming and probably will not work. The ideal is to know the critical systems, both in terms of volume of access changes and in relation to the security of the company. We can mention ERP, CRM, e-mail and file servers, for which Identity Management software already has native automatic connectors, which will bring a faster return to the project and the company.
The automatic connection of some systems becomes extremely expensive and time-consuming. Examples are legacy systems, usually developed internally, which do not have a well-structured authentication and authorization layer, and systems that do not have a large volume of access/user changes. For these cases, use all the intelligence of the Identity Management technology solution; keeping only the last step of the processes manual makes it much cheaper, with the same effectiveness. To give an idea, automatically connecting a legacy system can take months, while automatic connection through a native connector can be done in days.
In short, there are no technological or process issues large enough to negatively impact the deployment of Identity Management. What exists is a lack of planning, of knowledge of business needs and of the functionality that is desirable.
Below is the Top 07 for a great Identity and Access Management project:
1. Definition of the detailed list of systems to be connected to the Identity Management technology solution: Defining this list requires a complete understanding of how each system supports business processes and what technical limitations it has, for example, user structure, profiles, groups, transactions, screens, objects, features, and more. It is important to define waves, each grouping a maximum of three systems, always from the most critical / important to the least.
2. Definition of authoritative bases: Most likely the company will deal with employees, third parties and temporary staff, and will run into internal human resources policies when trying to get all user data.
3. Existence of a well-defined position versus job structure: With this structure in place, the gain is immense, both in the intelligence added to the processes and in the ease of implementation.
4. Existence of basic access packages by function: This dramatically reduces the number of requests made through human intervention.
5. Definition of actors involved in workflows (approvers, performers, managers, normative): Without the actors defined, there are no processes.
6. Definition of technical features: Identity Management technology solutions have more than 10 possible features, but only a few of them are mandatory requirements in an implementation. It is important to define implementation phases as needed by the business.
7. Assessment of the need to perform a profile redesign with or without segregation analysis: Do not expect access profiles to be appropriate and 100% adherent to users early in deployment. The important thing is to take the current scenario of your company and import it into the system "as is". After the full implementation of the Identity Management technology solution, start an access profile design project together with the regulatory areas (risks and internal controls) and with the owners of the business processes. Companies sometimes spend years trying to design profiles before or during the Identity Management project and lose all their work. Consider deploying a Role Management process integrated with the Identity Management technology solution.
The implementation of Identity Management is simple, believe me.
In the past, some companies tried to build their own identity control system, and today they do not migrate to new technologies for fear of losing functionality. Most of the tools available on the market meet the main needs of the most varied industries, and what you shouldn't do is try to solve all the company's problems with the identity management system. A step-by-step approach and planning are essential for success, rapid return and visibility of control for the entire company.
* Umberto Rosti is CEO of Safeway
SAFEWAY is an information security consulting company, recognized by its customers for offering high value-added solutions, through projects that fully meet the needs of the business. We can support the process of assessing information security at suppliers: in defining the assessment criteria and methodology, in carrying out the assessment itself (remotely or in person), and in preparing recommendations so that suppliers can improve their maturity and care with your company's information, minimizing the associated risks.