Business Benefits of IAM FastTrack Identity Governance ......Identity Governance & Administration...

Business Benefits of IAM FastTrack Identity Governance & Administration (IGA)

Version: 2.0 – Feruary 2015

The information contained in this document is proprietary. Copyright © 2016 Capgemini. All rights reserved. 2

Contents

1 Introduction ........................................................................................................................ 3

1.1 Identity & Access Management explained .............................................................................................. 3

2 IAM FastTrack ..................................................................................................................... 4

2.1 New projects ....................................................................................................................................................... 5

2.2 Existing projects/ IAM operations ............................................................................................................... 5

3 IAM Business Drivers ......................................................................................................... 5

3.1 Business enablement ....................................................................................................................................... 6 3.1.1 Customer Requirements ................................................................................................................. 6 3.1.2 User experience ................................................................................................................................ 6 3.1.3 Bring your on device - BYOD .......................................................................................................... 6

3.2 Control ................................................................................................................................................................... 7 3.2.1 To comply with Regulation and Laws .......................................................................................... 7 3.2.2 Policies ................................................................................................................................................ 7 3.2.3 Protecting assets/ risk management ............................................................................................ 8 3.2.4 Ownership .......................................................................................................................................... 8 3.2.5 “Hacking” .......................................................................................................................................... 8

3.3 Costs ....................................................................................................................................................................... 8 3.3.1 Business Effectiveness ...................................................................................................................... 8 3.3.2 Increase Productivity ....................................................................................................................... 9 3.3.3 Costs of provisioning ........................................................................................................................ 9 3.3.4 Costs of helpdesk activities ............................................................................................................ 9 3.3.5 Using assets ........................................................................................................................................ 9 3.3.6 Cost of licenses .............................................................................................................................. 10 3.3.7 Rationalization ............................................................................................................................... 10

3.4 Greenfield vs Brownfield .............................................................................................................................. 10

4 Business Case .................................................................................................................... 11


1 Introduction

Typically, Identity and Access Management (IAM) projects do not have a good reputation. This is

not without reason. They often cost a lot of money, timelines are not met and goals are

frequently not fully achieved. Nevertheless, IAM is required to make the users visible and gain

control over their access rights.

It goes even further! IAM is the basis of almost everything we do in the IT industry and in the

Facility Management space.

We work for and with many people and we can categorize them into various groups, such as

employees, contractors, consultants, temporary staff, customers, suppliers, prospects, etc. Within

these groups it is clear that we don’t want everybody to have access to everything, including the

use of company assets.

From both a risk and cost management perspective, ’adequate governance is of crucial

importance so that we know who the users are and what the status of their relationship with the

organization is. Once we know all this, we need to ensure that those people only have access to

those (information) assets that they require, based upon their job role/status.

Initially, organizations are perfectly capable of settings this up. Tight on-boarding processes,

purchase orders, etc. are put in place. Maintaining the information is a completely different

ballgame and is often not well organized. As a result costs are too high and risks are not

adequately mitigated.

Capgemini has developed an agile project approach for Identity and Access Management

projects and challenges; IAM FastTrack. This document focuses upon the generic business

benefits of IAM and how IAM FastTrack is helping to achieve those faster.

1.1 Identity & Access Management explained

There is a lot of confusion when it comes to the use of the term Identity & Access Management.

Basically there are multiple processes incorporated into this single term:

- Identity Governance & Administration (IGA)

- Access Management (AM)

- Privileged Identity/Account Management (PIM/PAM)

Not all aspects of IAM can be covered using the IAM FastTrack approach. Access Management

for example, allways requires a degree of specific configuration.

IAM FastTrack do covers the Identity Governance & Administration (IGA) element. Privileged

Account Management is not yet part of the IAM FastTrack concept.

Capgemini is also offering IDaaS (Identity as a Service), however this is not what the market

perception of IDaaS is; more or less Access Management as a Service. Capgemini IDaaS is

covering the full scope of IAM and ‘as a Service’ is the commercial model of pay per use. It’s not

IDaaS delivered via the cloud model perse. Hardware can be at client premises.


2 IAM FastTrack

IAM FastTrack is a methodology developed by Capgemini, offering a wealth of benefits for

clients regarding all kinds of IAM activities. Not only new projects can benefit from this

approach, but also existing projects or existing IAM type of operations.

Identity and Access Management projects can be best described as discovery journeys. It is very

difficult to predict what will be discovered once applications are connected to the IAM system

and identities analyzed etc. Management of IAM projects must be flexible in order to adapt to

these findings, otherwise the business benefits will be difficult to deliver. Setting up IAM projects

often starts with workshops, requirements scoping, etc. Many elements are based upon

assumptions and peoples own version of the “truth”.

Quite often, the result of this approach is that the program is not (not enough) focusing upon

business priorities, is delivering the business benefits as expected, or do not mitigate the most

significant risks.

Another fact is that the majority of requirements, product capabilities, deliverables, etc. are

identical for many organizations and this fact enables Capgemini to offer an agile approach for

IAM projects. Capgemini uses best in class tools and has pre-configured these tools in a way that

tangible results can be delivered in hours rather than months. This is Capgemini FastTrack!

2.1 IAM FastTrack Insight and Implementation

IAM FastTrack can be divided into two separate building blocks;

- IAM FastTrack Insight

- IAM FastTrack Implementation

IAM FastTrack Insight is a unique combination of strategic consultancy and agile tool

deployment. The Capgemini IGA system is up and running after a few days (denpends usually on

network connectivity and the availability of data), whereafter analyzing, and validation of data

and strategy phase will start. The output of the Analysis and Strategy phase will be a concept

IAM strategy, high level business case, IAM roadmap and an IAM policy framework. IAM

FastTrack Insight is offered for a fixed price and last for about 6 weeks.

IAM FastTrack implementation is the implementation of IAM, based upon the IAM FastTrack

Insight results. The organization can decide themselves how, when and what to implement.


2.2 New projects

Capgemini FastTrack is very useful in the case of new projects. Instead of spending a lot of

resources, time and money on a preparation phase, product selection and a Proof of Concept,

Capgemini FastTrack delivers results in just a few days. The results can be used to define the

scope, build a roadmap, define a strategy, etc. The IAM project will be based on facts and not on

assumptions.

Importantly, IAM FastTrack can be used to quickly harvest low hanging fruit, kick off cleansing

activities and define business rules.

Capgemini has already selected specific tooling, but the tooling used isn’t that important. The

bulk of the work required is tool independent. Identity and Access Management is most and

foremost a business process, so defining and fine-graining this process are product independent

activities.

IAM FastTrack can be the stepping stone that may seamlessly lead to a full implementation of all

IAM aspects. Capgemini delivers IAM as a Service, based on FastTrack, but also as onsite

implementation following client requirements.

Exchanging one product for another is possible, while the work done on the business side will

never be wasted.

2.3 Existing projects/ IAM operations

As mentioned earlier, IAM FastTrack is flexible and agile. There’s no need to use all the IAM

FastTrack capabilities. FastTrack can perfectly be used to solve a particular issue, like Identity

Lifecycle processes, review and re-certification campaigns etc.

IAM FastTrack can be integrated with existing IAM products and perform dedicated tasks.

3 IAM Business Drivers

The Business Drivers for IAM as visualized in the picture below.

Consumers are a click

away for going elsewhere.

Simplified user experience

through effective use of

identity is essential to

keeping customers and

growing business

Business

Enablement

Security breaches are

occurring at an alarming

rate. In modern extended

enterprises, identity and

context are the only points

of control that now remain

Control

Reduce costs associated

with the governance and

management of user

access, including the costs

of running flexible

underpinning IAM services

Cost


There might be more and other business benefits present within the organization, but those

benefits will be identified and quantified during the IAM FastTrack phase.

3.1 Business enablement

3.1.1 Customer Requirements

Many customers demand from their suppliers that they are compliant with all

kinds of standards and regulations. Good examples are the ISO standards. The

ISO standard regarding security leaves no room for misinterpretation. Access

Control and Access Management must be adequately organized.

Financial standards (ISAE 3402 or other 3rd party statements) require being in

control when it comes to access rights as well.

It’s not only about compliance when it comes to customer requirements. Demonstrating being in

control and knowing what’s going on can be a differentiator! Customers are relying upon the

quality of the products being delivered and being in control can definitely raise the level of trust.

It’s always good to know for a customer that their information is in safe hands and well

controlled.

3.1.2 User experience

In many cases, its not easy for an end user to find all the existing access

application forms. Historically, ‘people’ has done there own things. IAM is a

perfect opportunity to centralize all the request processes, align them and

provide the end user with insight in both application processes and

approval provesses.

3.1.3 Bring your on device - BYOD

Managing assets (who is using/having which company asset) is already a

challenge whereby IAM can be very helpfull. Another challenge is the

management of personal devices, used in the corporate environment.

Specialized tools are available (Enterprise Device Management/ Mobile Device

Management) and they will all do a good job.

However, using those tools is another challenge and relies completely upon the internal

organizatoin. Who is allowed to use which profile, when, etc.


Here’s where IAM comes in. IAM, especially the Identity & Access Governance aspects of IAM,

ensures that the quality of the data required to operate any BYOD-tool will be adequate.

If the base information, used by any tool is not of proper quality, the tool will not deliver all the

benefits the organization is after.

3.2 Control

3.2.1 To comply with Regulation and Laws

The business environment an organization is operating in dictates the specific

laws and regulations to comply with. However, there are general laws and

regulations everybody has to comply with: Privacy, Accounting, Trading, Health

and Safety, etc.

Identity and Access Management can help to demonstrate compliance.

Organizations are able to ‘prove’ who can access what and even why (based upon company

policies embedded in the IAM system such as business rules and workflows). Specific laws

sometimes require specific measures, like trading laws.

The Telecom sector is a good example. Due to regulation, some parts of the organization need

to be separated from other parts when it comes to information. There is a very strong demand

on those companies to prove to the regulator that they’re compliant.

Another example of what might not be that obvious is using IAM to ensure that only trained

people are having physical access to a production facility. There is no reason why a physical

access control system cannot be part of the IAM ecosystem!

Issues raised in auditors’ Management Letters can be a trigger to kick off an

Identity and Access Management project. With IAM FastTrack, organizations are

able to mitigate risks and issues as highlighted in those Management Letters in

a short period of time.

3.2.2 Policies

Many organizations are facing difficulties with their generic and specific IAM

policies. Documentation is often not up to the task and many policies do exist

in the heads of people. IAM will offer a structures approach to discover,

develop, improve and align policies.


3.2.3 Protecting assets/ risk management

People are our most important asset and also our greatest risk. Therefore

management of the relation between the organization and the identities is of

vital importance (Identity Management). On top of that, an overview of assets,

their value, who owns them and what are the risks by giving people access to

these assets, must be available.

Identity and Access Management is about managing the relation between

identities and assets and anticipating on contextual changes.

If identities and assets are not controlled, risks cannot be managed and costs are not in control!

3.2.4 Ownership

Usually, the people working for an organization the longest, have the highest

number of access rights. This is because access rights are hardly being

reviewed. IAM offers perfect tooling to initiate and schedule regular review and

attestation campaigns.

Once ownership has been established, owners can be made responsible by

including them in the approval and review flows.

Although ownership is quite often assigned, tools to execute the responsibility are lacking. IAM

fills that gap.

3.2.5 “Hacking”

The majority of what we call hacking incidents aren’t hacking at all, but are

down to the way people are using systems, managing passwords, not

deactivating old accounts, etc.

By implementing IAM you will be able to define who the legitimate users of

systems and applications are.

Only when it is known who the legitimate users are, anomalies can be detected.

3.3 Costs

3.3.1 Business Effectiveness

IAM offers a wide range of options to positively influence business effectiveness

and reduce costs. People are a huge cost item. Usually the costs of employment

are well controlled via the HR administration or procurement department, but

the associated costs of using company assets and means, such as software,

mobile devices, etc, are quite often less controlled.

https://www.google.nl/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&ved=0CAcQjRxqFQoTCI66ia7N5McCFcbTgAodrVAApg&url=https://www.stopthehacker.com/2012/04/20/ten-scariest-hacking-statistics/&psig=AFQjCNGLZxGLqHVXVvPt4_Cut19wNavWYg&ust=1441704348227163


3.3.2 Increase Productivity

If the process of applying for, reviewing of, and provisioning of access

rights is well organized, productivity loss due to not being able to access

the required information can be reduced to a minimum. Joiners can be

issued with accounts on their first day of work, increasing operational

efficiency.

3.3.3 Costs of provisioning

Once a request has been approved, something must happen. Usually

provisioning is a manual task, performed by internal staff or an outsourcing

party. IAM offers the possibility to fully automate this process and reduce the

costs of provisioning.

There is a trade off here. Because the development and testing of a direct

connection with an application or system can be a costly operation, a business

case approach is required.

3.3.4 Costs of helpdesk activities

Helpdesks are quite often involved in all kind of IAM related activities:

- Access rights are not clear.

- How to apply for access rights

- When do I get my access rights and why does it take so long

- Password resets etc. etc.

IAM offers many options to provide insight and automate processes in order to reduce costs.

Especially when helpdesks are outsourced, the more calls are reduced the higher the savings are.

3.3.5 Using assets

Organization staff usually requires not only access to information, but also the

use of company assets such as laptops, mobile phones, company cars etc.

Being in control of the workforce and the assets they use will deliver direct cost

savings.


3.3.6 Cost of licenses

About 25% of IT spend is on software. As with the use of assets, limiting the use of particular

software to people who really need it for their work, will deliver cost savings.

It frequently happens that software is provided for a project and is not revoked

when that project ends. IAM offers functionalities to check on the business

need and automatically revoke software if necessary.

Even software models, whereby audits by the vendor determine the number of

users, can be made cost efficient. Imagine that software is automatically revoked if unused for 4

weeks; this will reduce the number of active users.

Revocation is a problem when it takes days before the software is re-installed, but using IAM

smartly, this can be done in minutes!

3.3.7 Rationalization

IAM offers the possibility to rationalize infrastructure components. Frequently,

due to various reasons, small forests of solutions and components have been

implemented to manage the Identity Access process. Multiple (active) directories

exist, all kind of steppingstone mechanisms have been introduced, etc.

Implementing IAM offers the option to consolidate all that and create a ‘single

source of the truth’ making other (sub) systems redundant.

Esspecially in the area of Identitiy management,

3.4 Greenfield vs Brownfield

An IAM project will never be a Greenfield implementation. Any form of IAM will

always be in place. The situation can be described as a ‘Brownfield’ where some

gapes do exist.

The Capgemini IAM FastTrack approach is about closing the gaps as soon as

possible, without the need to replace the existing processes or systems.

The IAM FastTrack can be continued in using the service in the ‘as a Service’ model. Within this

model, all options and features are available for a single price per user per month. This enables

the client to migrate from old (processes and systems) to new, without any additional costs.

http://www.google.nl/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0CAcQjRxqFQoTCLD1oejQ5McCFYPUgAodwlUFXA&url=http://www.123rf.com/photo_8968145_selling-house-on-a-green-field.html&psig=AFQjCNFlRO0UDQlbVCMyIigeXHL5qcAK8A&ust=1441705267258799


4 Business Case

The examples and situations mentioned in the previous chapters are not exhaustive. There can

and will be other benefits from implementing IAM.

It is advised that before a huge IAM project is kicked off, you first create a solid base.

Capgemini’s IAM FastTrack solution is all about that.

Within a very short period of time (weeks), a full IAM suite is deployed in an as a Service model

and the as-is situation can be analyzed based on real data. Among the outputs of the IAM

FastTrack approach are a solid business case and a strategy, providing justification and allowing

for planning for possible further steps.

Business Benefits of IAM FastTrack Identity Governance ......Identity Governance & Administration...

Documents

Transcript of Business Benefits of IAM FastTrack Identity Governance ......Identity Governance & Administration...