Developing an IAM Roadmap that Fits Your Business


Presented by Jim McDonald, Engagement Manager, Identropy at ForgeRock Open Identity Stack Summit, June 2013

Transcript of Developing an IAM Roadmap that Fits Your Business

Page 1: Developing an IAM Roadmap that Fits Your Business
Page 2

Our Experience

Plan

Build

Run

Identropy’s professional services practice is designed around Plan, Build and Run. Our plan offering called “IAM Kickstart” has been delivering IAM Roadmaps for organizations since 2006.

Exclusive Focus on Identity & Access Management (IAM)

Our roadmaps are focused on GSD (get stuff done)

We leverage a tested methodology that creates custom strategies for each organization

We’ve decided to make our methodology available as part of a “Do it Yourself Kit” at http://www.identropy.com

Page 3

Kickstart Program – 7 Step Approach

1 P.U.T. Chart
2 Onsite Interviews
3 IAM Capability Assessment
4 Research and Follow-up
5 Architecture and Recommendations
6 Roadmap and Budget Estimates
7 Present Findings

DELIVERABLES

IAM Capability Benchmark

High-Level Architecture

Initiative Roadmap

Editable Project Plan

Executive Presentation

Page 4

PUT Chart & Pre-work

• PUT Chart
• Schedule Interviews / Develop Agenda
• Gather collateral
  • Recent Audit findings
  • Governance Structures
  • Org or IT strategies
  • Documented IAM Policies and Procedures
• Hold Interviews
  • Sample questions
  • Take Notes (look for quotes)

Page 5

The PUT Chart

Page 6

Findings: Assess the Current State

•Define Program drivers (enablement, risk mitigation, compliance?)

•Group Capabilities (see next slide)

•Rate current maturity and desired/goal state

•CMMI or benchmark – you decide

•Rubrics (they’re not just for cubes anymore)

•Other useful slides:

“What is IAM?”

Scope of Assessment

Scope of IAM Program

SWOT

Quotes

Helpful Hint: follow the K.I.S.S. principle

Page 7

Capability Maturity Assessment Sample

Page 8

IAM Capability Assessment Rubric (Capability Scoring Rubric)

IAM Governance & Organization

• 5 = Formal IAM Governance is serving the needs for visibility for all stakeholders
• 4 = IAM Governance is part of a larger IT Governance Framework and manages with Metrics and SLAs
• 3 = IAM Governance is part of a larger IT Governance Framework and includes formal subcommittees
• 2 = IAM Governance is formal but is not part of a larger IT Governance Framework
• 1 = IAM Governance is informal

Identity Data Management

• 5 = All accounts and roles centrally provisioned and reconciled
• 4 = All accounts and roles centrally provisioned
• 3 = Internal accounts provisioned, roles local in applications
• 2 = Single registry exists, some provisioning is automated
• 1 = No single registry of users

User Lifecycle Management

• 5 = User lifecycle is managed centrally; request and approval processes are segregated and captured
• 4 = Most lifecycle processes are centralized; approvals are generally captured
• 3 = Most lifecycle processes are centralized; approvals are generally out-of-band
• 2 = Identity is created centrally, but remaining lifecycle processes are decentralized
• 1 = Identity Management processes are tribal knowledge

Authentication, Access Control & Federation

• 5 = Federated Single Sign On
• 4 = Single Sign On with strong authentication
• 3 = Single Sign On, static password
• 2 = LDAP directory authentication, static password
• 1 = Local username, local static password

Authorization & Role Management

• 5 = Business Roles are defined and leveraged for (de)provisioning and transfers
• 4 = Business Roles are defined and leveraged for (de)provisioning
• 3 = Central group management processes exist and are widely leveraged
• 2 = Central group management processes exist but are not widely leveraged
• 1 = Authorization processes are decentralized and not coordinated

Audit, Reporting, & Event Monitoring

• 5 = Risk-based recertification cycles exist with quality control measures in place
• 4 = A risk assessment framework is used to establish appropriate recertification cycles
• 3 = High risk access is periodically recertified in an automated system
• 2 = Access recertification tools exist but are lightly used
• 1 = Access is not routinely audited or recertified

Page 9

Summarize Recommendations and Align to Findings

• Executive Summary
  • Align it to IAM Program drivers
• Architecture Diagram
  • Show current and future state
• Make sure to design for the future
  • SaaS
  • Cloud
  • Mobile
• Select or short-list products
  • Use analyst reports from Gartner or KuppingerCole (KC)
  • Talk to peers or consultants

Page 10

Sample: Executive Recommendation Summary

• Enable the Business
• Employ an IAM Center of Excellence and Deploy Enabling Technologies
• Deploy an inclusive IAM Governance framework
• Drive greater adoption
• Balance security with usability
• Establish Risk Assessment Framework and Levels of Assurance

Page 11

Sample Recommendations – What to do

Employ an IAM Center of Excellence and Deploy Enabling Technologies

• Pull together enterprise identity data into a central identity repository
• Deploy a tool to provide delegated group management
• Replace Custom IAM with packaged software
• Implement coarse-grained policy enforcement with OpenAM
• Bolster application and cloud provisioning tools
• Offer BYOId for loose affiliations and low risk access
• Require strong second factor for certain high-risk access

Establish Risk Assessment Framework and Levels of Assurance

• Inventory Risk at the Application and Group level
• Adopt existing LOA framework, such as the InCommon Assurance Program
• Apply security controls based on risk

Deploy an inclusive IAM Governance framework

• Increase stakeholder involvement through Technical and Business Advisory Groups
• Define Structure and Process for improved decision making and mission alignment

Page 12

Sample Reference Architecture Diagram

Page 13

Develop a Roadmap (timeline)

• Do Now, Do Next, Do Later… & Down the Road
• Develop a resource plan (using internal resources, consultants, or a mix)
• Estimate costs
  • Understand your fiscal calendar
  • Break out Capital vs. Expense
    • This often favors SaaS or Open Source
  • If you need estimates, lean on vendors (consulting and product)
  • This is all relevant even if you must do an RFP

Page 14

IAM Initiative Roadmap

Page 15

Develop a Deep-dive in the Appendices

What is a key opportunity or pain point?

• Governance
• Role Management
• Integration Decision Framework
• Project Execution

Tip: dedicate 4-6 slides on a key focus area to drive a particular point home

Page 16

Perform the Read-out

• Review the detailed deck with the IAM Program and its closest stakeholders
• Perform the executive readout (get to the point in 1 hour)
• Now socialize with the people within your organization whose support is needed

Page 17

Thanks and Good Luck!
