Business Benefits of IAM FastTrack Identity Governance & Administration (IGA)
Version: 2.0 – February 2015
The information contained in this document is proprietary. Copyright © 2016 Capgemini. All rights reserved. 2
Contents
1 Introduction
1.1 Identity & Access Management explained
2 IAM FastTrack
2.1 New projects
2.2 Existing projects/ IAM operations
3 IAM Business Drivers
3.1 Business enablement
3.1.1 Customer Requirements
3.1.2 User experience
3.1.3 Bring your own device - BYOD
3.2 Control
3.2.1 To comply with Regulation and Laws
3.2.2 Policies
3.2.3 Protecting assets/ risk management
3.2.4 Ownership
3.2.5 “Hacking”
3.3 Costs
3.3.1 Business Effectiveness
3.3.2 Increase Productivity
3.3.3 Costs of provisioning
3.3.4 Costs of helpdesk activities
3.3.5 Using assets
3.3.6 Cost of licenses
3.3.7 Rationalization
3.4 Greenfield vs Brownfield
4 Business Case
1 Introduction
Typically, Identity and Access Management (IAM) projects do not have a good reputation. This is
not without reason. They often cost a lot of money, timelines are not met and goals are
frequently not fully achieved. Nevertheless, IAM is required to make the users visible and gain
control over their access rights.
It goes even further! IAM is the basis of almost everything we do in the IT industry and in the
Facility Management space.
We work for and with many people and we can categorize them into various groups, such as
employees, contractors, consultants, temporary staff, customers, suppliers, prospects, etc. Within
these groups it is clear that we don’t want everybody to have access to everything, including the
use of company assets.
From both a risk and cost management perspective, adequate governance is of crucial
importance so that we know who the users are and what the status of their relationship with the
organization is. Once we know all this, we need to ensure that those people only have access to
those (information) assets that they require, based upon their job role/status.
Initially, organizations are perfectly capable of setting this up. Tight on-boarding processes,
purchase orders, etc. are put in place. Maintaining the information is a completely different
ballgame and is often not well organized. As a result costs are too high and risks are not
adequately mitigated.
Capgemini has developed an agile project approach for Identity and Access Management
projects and challenges: IAM FastTrack. This document focuses upon the generic business
benefits of IAM and how IAM FastTrack is helping to achieve those faster.
1.1 Identity & Access Management explained
There is a lot of confusion when it comes to the use of the term Identity & Access Management.
Basically there are multiple processes incorporated into this single term:
- Identity Governance & Administration (IGA)
- Access Management (AM)
- Privileged Identity/Account Management (PIM/PAM)
Not all aspects of IAM can be covered using the IAM FastTrack approach. Access Management,
for example, always requires a degree of specific configuration.
IAM FastTrack does cover the Identity Governance & Administration (IGA) element. Privileged
Account Management is not yet part of the IAM FastTrack concept.
Capgemini also offers IDaaS (Identity as a Service); however, this is not what the market
perceives IDaaS to be, which is more or less Access Management as a Service. Capgemini IDaaS
covers the full scope of IAM, and ‘as a Service’ is the commercial model of pay per use. It is not
IDaaS delivered via the cloud model per se. Hardware can be at client premises.
2 IAM FastTrack
IAM FastTrack is a methodology developed by Capgemini, offering a wealth of benefits for
clients regarding all kinds of IAM activities. Not only new projects can benefit from this
approach, but also existing projects or existing IAM type of operations.
Identity and Access Management projects can be best described as discovery journeys. It is very
difficult to predict what will be discovered once applications are connected to the IAM system
and identities analyzed etc. Management of IAM projects must be flexible in order to adapt to
these findings, otherwise the business benefits will be difficult to deliver. Setting up IAM projects
often starts with workshops, requirements scoping, etc. Many elements are based upon
assumptions and people's own version of the “truth”.
Quite often, the result of this approach is that the program does not focus (or not enough) upon
business priorities, does not deliver the business benefits as expected, or does not mitigate the most
significant risks.
Another fact is that the majority of requirements, product capabilities, deliverables, etc. are
identical for many organizations and this fact enables Capgemini to offer an agile approach for
IAM projects. Capgemini uses best in class tools and has pre-configured these tools in a way that
tangible results can be delivered in hours rather than months. This is Capgemini FastTrack!
2.1 IAM FastTrack Insight and Implementation
IAM FastTrack can be divided into two separate building blocks:
- IAM FastTrack Insight
- IAM FastTrack Implementation
IAM FastTrack Insight is a unique combination of strategic consultancy and agile tool
deployment. The Capgemini IGA system is up and running after a few days (this usually depends on
network connectivity and the availability of data), after which the analysis and validation of data
and the strategy phase will start. The output of the Analysis and Strategy phase will be a concept
IAM strategy, high level business case, IAM roadmap and an IAM policy framework. IAM
FastTrack Insight is offered for a fixed price and lasts for about 6 weeks.
IAM FastTrack implementation is the implementation of IAM, based upon the IAM FastTrack
Insight results. The organization can decide themselves how, when and what to implement.
2.2 New projects
Capgemini FastTrack is very useful in the case of new projects. Instead of spending a lot of
resources, time and money on a preparation phase, product selection and a Proof of Concept,
Capgemini FastTrack delivers results in just a few days. The results can be used to define the
scope, build a roadmap, define a strategy, etc. The IAM project will be based on facts and not on
assumptions.
Importantly, IAM FastTrack can be used to quickly harvest low hanging fruit, kick off cleansing
activities and define business rules.
Capgemini has already selected specific tooling, but the tooling used isn’t that important. The
bulk of the work required is tool independent. Identity and Access Management is first and
foremost a business process, so defining and refining this process are product-independent
activities.
IAM FastTrack can be the stepping stone that may seamlessly lead to a full implementation of all
IAM aspects. Capgemini delivers IAM as a Service, based on FastTrack, but also as onsite
implementation following client requirements.
Exchanging one product for another is possible, while the work done on the business side will
never be wasted.
2.3 Existing projects/ IAM operations
As mentioned earlier, IAM FastTrack is flexible and agile. There’s no need to use all the IAM
FastTrack capabilities. FastTrack can perfectly be used to solve a particular issue, like Identity
Lifecycle processes, review and re-certification campaigns etc.
IAM FastTrack can be integrated with existing IAM products and perform dedicated tasks.
3 IAM Business Drivers
The Business Drivers for IAM are visualized in the picture below.
- Business Enablement: Consumers are a click away from going elsewhere. Simplified user experience through effective use of identity is essential to keeping customers and growing business.
- Control: Security breaches are occurring at an alarming rate. In modern extended enterprises, identity and context are the only points of control that now remain.
- Cost: Reduce costs associated with the governance and management of user access, including the costs of running flexible underpinning IAM services.
There might be more and other business benefits present within the organization, but those
benefits will be identified and quantified during the IAM FastTrack phase.
3.1 Business enablement
3.1.1 Customer Requirements
Many customers demand from their suppliers that they are compliant with all
kinds of standards and regulations. Good examples are the ISO standards. The
ISO standard regarding security leaves no room for misinterpretation. Access
Control and Access Management must be adequately organized.
Financial standards (ISAE 3402 or other 3rd party statements) require being in
control when it comes to access rights as well.
It’s not only about compliance when it comes to customer requirements. Demonstrating being in
control and knowing what’s going on can be a differentiator! Customers are relying upon the
quality of the products being delivered and being in control can definitely raise the level of trust.
It’s always good to know for a customer that their information is in safe hands and well
controlled.
3.1.2 User experience
In many cases, it's not easy for an end user to find all the existing access
application forms. Historically, ‘people’ have done their own things. IAM is a
perfect opportunity to centralize all the request processes, align them and
provide the end user with insight in both application processes and
approval processes.
3.1.3 Bring your own device - BYOD
Managing assets (who is using/having which company asset) is already a
challenge whereby IAM can be very helpful. Another challenge is the
management of personal devices, used in the corporate environment.
Specialized tools are available (Enterprise Device Management/ Mobile Device
Management) and they will all do a good job.
However, using those tools is another challenge and relies completely upon the internal
organization. Who is allowed to use which profile, when, etc.
Here’s where IAM comes in. IAM, especially the Identity & Access Governance aspects of IAM,
ensures that the quality of the data required to operate any BYOD-tool will be adequate.
If the base information, used by any tool is not of proper quality, the tool will not deliver all the
benefits the organization is after.
3.2 Control
3.2.1 To comply with Regulation and Laws
The business environment an organization is operating in dictates the specific
laws and regulations to comply with. However, there are general laws and
regulations everybody has to comply with: Privacy, Accounting, Trading, Health
and Safety, etc.
Identity and Access Management can help to demonstrate compliance.
Organizations are able to ‘prove’ who can access what and even why (based upon company
policies embedded in the IAM system such as business rules and workflows). Specific laws
sometimes require specific measures, like trading laws.
The Telecom sector is a good example. Due to regulation, some parts of the organization need
to be separated from other parts when it comes to information. There is a very strong demand
on those companies to prove to the regulator that they’re compliant.
Another example, which might not be that obvious, is using IAM to ensure that only trained
people have physical access to a production facility. There is no reason why a physical
access control system cannot be part of the IAM ecosystem!
Issues raised in auditors’ Management Letters can be a trigger to kick off an
Identity and Access Management project. With IAM FastTrack, organizations are
able to mitigate risks and issues as highlighted in those Management Letters in
a short period of time.
3.2.2 Policies
Many organizations are facing difficulties with their generic and specific IAM
policies. Documentation is often not up to the task and many policies exist
in the heads of people. IAM will offer a structured approach to discover,
develop, improve and align policies.
3.2.3 Protecting assets/ risk management
People are our most important asset and also our greatest risk. Therefore
management of the relation between the organization and the identities is of
vital importance (Identity Management). On top of that, an overview of assets,
their value, who owns them and what the risks are of giving people access to
these assets, must be available.
Identity and Access Management is about managing the relation between
identities and assets and anticipating contextual changes.
If identities and assets are not controlled, risks cannot be managed and costs are not in control!
3.2.4 Ownership
Usually, the people working for an organization the longest have the highest
number of access rights. This is because access rights are hardly ever
reviewed. IAM offers perfect tooling to initiate and schedule regular review and
attestation campaigns.
Once ownership has been established, owners can be made responsible by
including them in the approval and review flows.
Although ownership is quite often assigned, tools to execute the responsibility are lacking. IAM
fills that gap.
3.2.5 “Hacking”
The majority of what we call hacking incidents aren’t hacking at all, but are
down to the way people are using systems, managing passwords, not
deactivating old accounts, etc.
By implementing IAM you will be able to define who the legitimate users of
systems and applications are.
Only when it is known who the legitimate users are can anomalies be detected.
3.3 Costs
3.3.1 Business Effectiveness
IAM offers a wide range of options to positively influence business effectiveness
and reduce costs. People are a huge cost item. Usually the costs of employment
are well controlled via the HR administration or procurement department, but
the associated costs of using company assets and means, such as software,
mobile devices, etc, are quite often less controlled.
3.3.2 Increase Productivity
If the process of applying for, reviewing of, and provisioning of access
rights is well organized, productivity loss due to not being able to access
the required information can be reduced to a minimum. Joiners can be
issued with accounts on their first day of work, increasing operational
efficiency.
3.3.3 Costs of provisioning
Once a request has been approved, something must happen. Usually
provisioning is a manual task, performed by internal staff or an outsourcing
party. IAM offers the possibility to fully automate this process and reduce the
costs of provisioning.
There is a trade off here. Because the development and testing of a direct
connection with an application or system can be a costly operation, a business
case approach is required.
3.3.4 Costs of helpdesk activities
Helpdesks are quite often involved in all kinds of IAM related activities:
- Access rights are not clear
- How to apply for access rights
- When do I get my access rights and why does it take so long
- Password resets, etc.
IAM offers many options to provide insight and automate processes in order to reduce costs.
Especially when helpdesks are outsourced, the more calls are reduced, the higher the savings are.
3.3.5 Using assets
Organization staff usually requires not only access to information, but also the
use of company assets such as laptops, mobile phones, company cars etc.
Being in control of the workforce and the assets they use will deliver direct cost
savings.
3.3.6 Cost of licenses
About 25% of IT spend is on software. As with the use of assets, limiting the use of particular
software to people who really need it for their work, will deliver cost savings.
It frequently happens that software is provided for a project and is not revoked
when that project ends. IAM offers functionalities to check on the business
need and automatically revoke software if necessary.
Even software models, whereby audits by the vendor determine the number of
users, can be made cost efficient. Imagine that software is automatically revoked if unused for 4
weeks; this will reduce the number of active users.
Revocation is a problem when it takes days before the software is re-installed, but using IAM
smartly, this can be done in minutes!
3.3.7 Rationalization
IAM offers the possibility to rationalize infrastructure components. Frequently,
due to various reasons, small forests of solutions and components have been
implemented to manage the Identity Access process. Multiple (active) directories
exist, all kinds of stepping-stone mechanisms have been introduced, etc.
Implementing IAM offers the option to consolidate all that and create a ‘single
source of the truth’ making other (sub) systems redundant.
Especially in the area of Identity management,
3.4 Greenfield vs Brownfield
An IAM project will never be a Greenfield implementation. Any form of IAM will
always be in place. The situation can be described as a ‘Brownfield’ where some
gaps do exist.
The Capgemini IAM FastTrack approach is about closing the gaps as soon as
possible, without the need to replace the existing processes or systems.
IAM FastTrack can be continued by using the service in the ‘as a Service’ model. Within this
model, all options and features are available for a single price per user per month. This enables
the client to migrate from old (processes and systems) to new, without any additional costs.
4 Business Case
The examples and situations mentioned in the previous chapters are not exhaustive. There can
and will be other benefits from implementing IAM.
It is advised that before a huge IAM project is kicked off, you first create a solid base.
Capgemini’s IAM FastTrack solution is all about that.
Within a very short period of time (weeks), a full IAM suite is deployed in an as a Service model
and the as-is situation can be analyzed based on real data. Among the outputs of the IAM
FastTrack approach are a solid business case and a strategy, providing justification and allowing
for planning for possible further steps.