Best Practice for IAM Projects

I was recently asked to provide some best practice advice for Identity Management projects. This got me thinking and led me to write down some recommendations. I thought it might be useful to share my thoughts.

Identity Management has been delivering business value within organisations for many years. Over that time, thousands of deployments have enabled a number of lessons to be learned, which can help organisations avoid taking an approach that works against recognised good practice and causes problems as identity requirements evolve.

Traditionally, Identity Management projects have been seen as complex, expensive and never-ending. Many people are looking to the Cloud to simplify identity management. Whilst the Cloud can introduce speed and agility into an IAM project, there are still fundamental challenges which must be addressed. The Cloud can help simplify the technology; however, as with most business transformation projects, the technology is only one part of the triad of People, Process and Technology.

It has been seen, over and over again, that many organisations fall into the same pitfalls with IAM projects. Here are some of the areas which organisations must consider when planning an IAM project.

Business-Driven Project – In my experience, the biggest cause of failure is when an IAM project is treated purely as an IT project. Implementing IAM has a significant impact on the business, and the organisational and cultural impact must not be underestimated. At the end of the day, you are not just trying to automate existing processes; you are using the IAM project to re-evaluate business processes and make them more efficient. Early engagement with the business is crucial to the success of an IAM project, which should be seen as an enabler for business strategy, i.e. providing a foundation to open up the business on new channels (digital transformation).

Minimise Customisation – Most organisations think of themselves as unique, having individual requirements which no other organisation has. Therefore, Identity Management solutions are often heavily customised to meet existing business processes and procedures. This makes any IAM platform expensive to manage and difficult to upgrade and maintain. In reality, irrespective of industry, most organisations have very similar IAM requirements and therefore most processes (e.g. a joiner’s process) can, and should, be standardised. Offering lines of business the ultimate level of flexibility and configuration comes at a high price. Of course, there may be that one edge case which absolutely needs customisation, and therefore any IAM solution must be flexible enough to support this. However, the bulk of the use cases should be addressed in as standardised a way as possible. Instead of approaching requirements with “What do you want the flow to be?”, you should approach them with “Is there any reason why I can’t use this standard flow?” Whilst the Oracle IAM platform enables a high level of flexibility where it is necessary, it also provides a number of out-of-the-box configuration options to help minimise the level of customisation required. This includes (but is not limited to): a number of standard approval workflows, UIs which can be branded and configured without customisation, and a rich set of APIs where extended capability is required, avoiding customisation of the core platform, which would make upgrades difficult.

Utilise Open Standards – Proprietary or bespoke integrations add another layer of complexity and cost to any deployment. Identity open standards are mature and provide a rich set of protocols, including SAML, OAuth, OpenID Connect, SCIM and LDAP. Where possible, open standards should be used to avoid the need to develop and maintain bespoke integrations. Oracle is a firm believer in open standards. Not only are identity open standards widely supported across our platform, but Oracle also helps to drive many of the above standards through direct involvement in the appropriate working groups.
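To make the open-standards point concrete, here is an added example (not code from the original post, and not Oracle’s platform code) of the provisioning side: an internal joiner record is mapped onto a SCIM 2.0 User resource and checked for the attributes the core schema requires before it is sent anywhere. The schema URNs and attribute names (userName, emails, active, employeeNumber, department) come from RFC 7643; the shape of the internal HR record and the sample joiner are constructed for illustration. Because the output is a standard SCIM resource, the same mapping serves any SCIM-capable target rather than one bespoke connector per application.

```python
"""Map an internal joiner record to a SCIM 2.0 User resource (RFC 7643).

Added example, not code from the original post or from any vendor's
platform. The internal HR record layout is an assumption made for
illustration; the schema URNs and attribute names are from RFC 7643.
"""
import json
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed sample joiner record in a hypothetical internal HR format.
SAMPLE_JOINER = {
    "emp_id": "E1042",
    "login": "jdoe",
    "first": "Jane",
    "last": "Doe",
    "mail": "jane.doe@example.com",
    "dept": "Finance",
    "active": True,
}

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def to_scim_user(rec: dict) -> dict:
    """Build a SCIM 2.0 User from an internal record.

    Raises ValueError when required data is missing or malformed, so a
    bad joiner record is rejected before it reaches any target system.
    """
    login = (rec.get("login") or "").strip()
    if not login:
        raise ValueError("userName is required by the SCIM core schema")
    mail = rec.get("mail") or ""
    if not _EMAIL_RE.match(mail):
        raise ValueError(f"invalid email address: {mail!r}")
    return {
        "schemas": [SCIM_USER_SCHEMA, SCIM_ENTERPRISE_SCHEMA],
        "userName": login,
        "name": {
            "givenName": rec.get("first", ""),
            "familyName": rec.get("last", ""),
        },
        "emails": [{"value": mail, "type": "work", "primary": True}],
        # A leaver is represented by active=false, not by deleting the record.
        "active": bool(rec.get("active", True)),
        SCIM_ENTERPRISE_SCHEMA: {
            "employeeNumber": rec.get("emp_id", ""),
            "department": rec.get("dept", ""),
        },
    }


def validate_scim_user(user: dict) -> list:
    """Return a list of problems; an empty list means the resource is well-formed.

    Checks the core schema URN is declared, userName is present, and every
    declared extension schema actually carries attributes.
    """
    problems = []
    schemas = user.get("schemas", [])
    if SCIM_USER_SCHEMA not in schemas:
        problems.append("missing core User schema URN")
    if not user.get("userName"):
        problems.append("userName missing")
    for ext in schemas:
        if ext != SCIM_USER_SCHEMA and ext not in user:
            problems.append(f"extension {ext} declared but carries no attributes")
    return problems


if __name__ == "__main__":
    user = to_scim_user(SAMPLE_JOINER)
    print(json.dumps(user, indent=2))
    print("problems:", validate_scim_user(user))
```

The validation step is where the “standard flow” discipline pays off: a record that fails here is a data-quality issue in the source of record, to be fixed once upstream, rather than something to be patched around in each target’s connector.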

Consider All Identity Types – Whilst an organisation may be considering Identity Management for a specific project today, requirements evolve. Digital transformation has shown that customer focus has become more important than ever before. It is important that an organisation’s Identity Management platform is capable of handling as-yet-unknown Identity Management requirements, across multiple channels, for different sets of users, covering a myriad of use cases. Recognising that different use cases may require different approaches is also critical. For example, enabling digital services for a new set of customers, where all of the underpinning applications exist in the cloud, may mean that those users only exist as a cloud identity. However, enabling partner access, where the systems being accessed exist both on-premises and in the cloud, may mean the users need to exist across both environments. It is important that organisations consider an IAM platform which has the capabilities to accommodate all such use cases, as well as the correct architectural approach to deliver new requirements in the future. Oracle’s hybrid IAM platform enables this flexibility, underpinned by a strong architecture.

Platform vs Point Solutions – As mentioned at the outset, Identity Management is typically seen as a long, complex, expensive project to deploy across an enterprise. There are a number of factors which affect this. However, one of the biggest costs is integration, whether between IAM products or between the IAM solution and external components such as target applications. Trying to plumb together Identity Management products from multiple vendors introduces unnecessary cost and complexity and will drive up delivery costs. Industry analysis[1] has shown that deploying a platform which already has the integration work completed can provide cost savings of up to 48%, leading to 35% fewer deficiencies. Adopting a platform does not mean sacrificing functionality. It is possible to get best-of-breed capabilities whilst still benefiting from a platform. The Oracle IAM platform is regularly recognised as a market leader in individual pillars[2].

Small, Incremental Wins – In today’s world of rapid agile development, no-one wants to see long-running projects which deliver very little value or return until near the end. Identity Management is no different. Therefore, it is crucial that quick wins are delivered and that further wins are delivered incrementally throughout the lifecycle of the project. For example, if you are doing user lifecycle management, get to grips with the process for requesting access first. Then you can start to integrate your targets, again in a phased approach. For access management, integrate the apps with the biggest impact on the end-user experience first. Don’t focus on the app which is only used by 10 people in a single department.

Information Governance – An IAM project should align with an organisation’s information governance strategy in order to be deemed a success. This includes factors such as regulatory compliance, business continuity planning and operational security (e.g. key management, vulnerability scanning, etc.), and any IAM project should consider integration with the IT systems on which those factors depend.

Many of the above points may seem like common sense and the logical approach. Indeed, I am seeing a shift within customers as some of these points are now being actively rolled into projects and business requirements. However, I am also still seeing the older approach. Hopefully, this post has been useful in providing some pointers for your next IAM project.


[1] Aberdeen Group, “Analysing Point Solutions vs Platforms”

[2] Gartner, Magic Quadrant for Identity Governance and Administration, 2016


Most Important Security Lesson

During a job interview several years ago, I was asked a question that has stuck with me ever since. The question was along the lines of:

“If you could offer one piece of security advice to your customer, what would it be?”

At the time, my immediate answer was “Education, education, education. Teach your employees about security, as they are the weakest link in the chain.” Over the years since that interview (disclosure: I got the job), I have often thought about whether I could have provided a better answer. In fact, when I interview candidates for jobs today I often ask them that same question to see what their response is. I receive a variety of answers, usually technical.

So far, I haven’t come up with a better answer. Sure, we need to enforce perimeter security as well as standard security best practice, such as “Least Privilege”, etc., but I can’t think of a single more important security lesson than my lesson above. You can have a very mature Information Security Management System with all the right controls in place, but if you have a compromised user, or even worse a compromised privileged user, then many of those controls are ineffective.

It is commonly recognised that security controls are a combination of people, processes and technology. I think that, too often, we pay too little attention to the people aspect. Security controls have to be looked at holistically, taking into account all three of these facets. That will ensure that you can minimise the potential loss when you are hacked.

Yes, I use the term “when” as opposed to “if”. Almost every day, we see reports of data breaches, many from companies with good security controls in place. Therefore, I believe it is naive to think that your organisation is un-hackable. That is why it is so important to make sure you have the right security controls and training in place before this happens, not after.