Executing The Right Identity and Access Management (IAM) Rollout Strategy

Active Directory used to be the standard for leveraging application identity storage. When the Internet began to boom, Active Directory was no longer able to keep pace with the demands of web-based applications, which used new standards like Security Assertion Markup Language (SAML) and Initiative for Open Authentication (OATH).

Businesses soon realized they needed a technology ‘middleman’ that could understand multiple directory structures, identity stores, and communications. That middleman was Identity and Access Management (IAM). The problem was how to populate IAM systems’ Meta Directory. The solution was to use Active Directory, or an HR system, as the provisioning source.

Unfortunately, many organizations failed to successfully execute their Identity and Access Management rollouts due to a lack of preparation. They forgot the old adage, “Measure Twice, Cut Once.” In this solution brief, we’ll show you four steps to prepare for a successful IAM rollout. The steps focus on Active Directory, one of the most common provisioning sources.

Your IAM Preparation Roadmap

First, map your environment. Understanding security group membership—which groups grant access to what resources (group grants), and how group relationships are nested both inside and between domains—is critical to building organizational roles and identifying potential conflicts early.

Second, reduce unnecessary objects. Most organizations have a chaotic and messy Active Directory with a high percentage of stale users, groups, and other objects. Identifying and deleting objects that are no longer needed can significantly reduce the amount of work needed to align roles with access groups and ensure proper identity management.

Third, create resource-based groups. At their core, organizational identities are groups of small groups, which provide access to different resources. By aligning data and application resources with resource-specific groups, building and maintaining identities becomes more straight-forward and easier to maintain.

Fourth, identify resource owners. Identity and Access Management is a business-focused initiative, so identifying and aligning business owners with resources is critical to ensuring that provisioning and attestation processes work properly.

Conclusion

Identity and Access Management has become a necessary part of business because of the inherent complexity of managing multiple user directories. Organizations need a way to marry multiple identity platforms to a single Meta-Directory to clearly show who has access to what resources, and to simplify managing identifies.

Use the four preparatory steps above to ensure Active Directory, your main provisioning source, is in order so you can avoid the mistakes organizations made early on when they tried to implement IAM systems with hard-to-decipher data. Doing that is like putting subpar fuel in a vehicle. The car might start but, once you begin driving and the black smoke pours from your exhaust, you will eventually find yourself on the side of the road looking for a tow.

These four steps will ensure you have a smooth IAM ride.

N.B.: This post is part of GCA’s guest blog series, where our vendor partners and other industry experts provide valuable insights on topics around Identity & Access Management and IT Security for our readers.