Identity Management consulting can be broken up into a few aspects. The first aspect revolves around the technical capabilities required to implement proper Identity Management.
A typical issue many organizations have when evaluating their Identity Management needs is determining what exactly those needs are. GCA has a white paper describing many of the realms included in the discipline of Identity Management. Not all organizations will implement all of the realms.
Having worked in Identity Management consulting for over a decade, I have learned that the technical aspects, while extensive and challenging, are the most straightforward part of the job. Identity Management consulting also requires in-depth knowledge of regulatory compliance requirements and how to use the various technologies to implement those requirements. In every vertical, there are different regulatory compliance and audit requirements which fall into one or more of the disciplines of Identity Management.
For example, the healthcare vertical has HIPAA for regulatory compliance, which has stringent requirements around user access reviews, provisioning, deprovisioning, privileged accounts, authentication and authorization, to name a few. In energy, FERC and NERC cover many of these same aspects, with some requirements being more focused, such as securing the networks with transmission controls, which fall into the authentication, authorization and privileged access realms. PCI-DSS has strict requirements around the enforcement of least privilege for network segments with access to payment card data; these are usually implemented in provisioning tools and audited with governance tools, and they are similar to the requirements the energy regulations place on their networks.
The next struggle for an Identity Management consultant is to bridge the gap between the regulatory compliance requirement and the technology used to implement the control. Bridging that gap means defining the controls necessary to meet regulatory compliance. Regulatory compliance requirements do not tell organizations exactly how to be compliant. Each organization will adopt a framework, such as ISO 27001, COBIT 5, or HITRUST. These frameworks define the controls which need to be implemented to fulfill the requirements of regulatory compliance. The technologies can then be configured in the environment to automate those controls, so that the organization ultimately becomes compliant.
For example, SOX requires all publicly traded companies to assure that data which could affect their stock price is available only to those authorized to see it. This requirement is meant to prevent traders from gaining an unfair advantage by having foresight into how the company is performing before its quarterly earnings statements. One of the controls commonly assessed is user access reviews. These allow the company to provide regular attestations that all users with access to the data need that access to perform their job duties. That control can then be mapped to an Identity Governance technology, which can be configured to automatically aggregate access information and compile it into an intuitive web interface where the business re-attests the access to each appropriate SOX system. It will also provide the necessary audit reports for internal and external audit teams as evidence that the control is being followed.
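As an added illustration (not the author's or any vendor's code), the following toy Python model shows the user access review control described above: it aggregates entitlements from constructed account exports, keeps only SOX-scoped systems, routes each item to the user's manager from an HR feed (or to an application owner when the account is orphaned or the user is terminated), refuses to let flagged access be certified, and produces the counts an auditor would ask for. The schema, system names and all sample records are assumptions made for the example.

```python
from collections import Counter

# Constructed sample data; the data model is an assumption of this example.
SOX_SYSTEMS = {"general_ledger", "payroll"}        # systems in SOX scope
ACCESS_RECORDS = [  # aggregated from each system's account export
    ("general_ledger", "jdoe", "u100", "GL_POST_JOURNAL"),
    ("general_ledger", "asmith", "u200", "GL_READ"),
    ("payroll", "jdoe", "u100", "PAYROLL_ADMIN"),
    ("hr_wiki", "jdoe", "u100", "EDIT"),              # out of SOX scope
    ("payroll", "svc_batch", None, "PAYROLL_EXPORT"), # no matching identity
]
HR_FEED = {  # authoritative identity source: who is active, who manages them
    "u100": {"manager": "m1", "active": True},
    "u200": {"manager": "m2", "active": False},
}

def build_campaign(records, hr, scope):
    """Aggregate in-scope access into review items, flag anomalies, and route
    each item to the user's manager (or the app owner when there is none)."""
    items = []
    for system, account, uid, ent in records:
        if system not in scope:
            continue
        person = hr.get(uid) if uid else None
        flags = []
        if person is None:
            flags.append("orphaned_account")   # access nobody is accountable for
        elif not person["active"]:
            flags.append("terminated_user")    # deprovisioning gap
        reviewer = person["manager"] if person and not flags else "app_owner"
        items.append({"key": (system, account, ent), "reviewer": reviewer,
                      "flags": flags, "decision": None})
    return items

def record_decisions(items, decisions):
    """Apply 'certify'/'revoke' decisions keyed by (system, account, entitlement).
    A flagged item cannot be certified; it stays pending until revoked."""
    for it in items:
        d = decisions.get(it["key"])
        if d == "certify" and it["flags"]:
            continue
        it["decision"] = d
    return [it for it in items if it["decision"] is None]

def audit_evidence(items):
    """Counts an auditor asks for: certified, revoked, pending, and anomalies."""
    c = Counter(it["decision"] or "pending" for it in items)
    c.update("flag:" + f for it in items for f in it["flags"])
    return dict(c)
```

The pending list returned by `record_decisions` is what a real campaign would escalate before the attestation period closes, and `audit_evidence` is the shape of report an auditor samples against.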
Identity Management consulting also has a heavy emphasis on understanding the business. Every organization is unique, with its own business problems to be solved. There is no one-size-fits-all solution. The consulting aspect requires excellent listening skills to learn and comprehend how the business works, followed by what challenges it has within Identity Management. Understanding what tools are necessary first requires a keen understanding of the company, its problems, and its goals before selecting a technology or set of technologies.
A common mistake is encountering a generic problem, such as provisioning, then running straight to an analyst and selecting the highest rated tool. Although analyst reports are great for providing a broad-brush approach to finding robust toolsets for business problems in a particular classification, they are just one aid to identifying the right tool. A good Identity Management consultant can listen and understand an organization's challenges and goals, then apply the tool that will be the best to solve those challenges and meet those goals. This choice isn't always the highest rated tool in the Magic Quadrant. While the square peg may be the highest rated generically, if your organization is more of a round hole, you will probably be better off selecting the round peg instead.
After understanding requirements, selecting appropriate tool(s) and starting implementation, there are then common pitfalls and struggles. Once again, proper Identity Management consulting can help here as well. Many professionals that work in Identity teams are great at understanding the business and its nuances. Identity Management consulting teams are familiar with the tools and common mistakes that can cause the tools to require much more attention. They can also help you get the most ROI out of your software. By leveraging knowledgeable consultants, these challenges can be foreseen and often mitigated in advance.
Want to learn more? Contact us today for a complimentary consultation on how we can help enhance the effectiveness of your organization’s IAM and Governance tools.