Simplify Identity and Access Management
Leverage risk- and role-based access control to quantify and simplify the IAM process.
- Identity and access management (IAM) is the foundation of all usability within the environment and needs to be well defined and documented. Every organization has users, and every user needs access.
- Organizations have watched their systems become more entangled as more processes are moved to the cloud and more security threats present themselves.
- Auditing a long list of users is a tedious task that nobody wants to do. Unclassified data exacerbates the problem.
Our Advice
Critical Insight
- Role-based access control (RBAC) doesn’t have to be hard.
Document the information that people inherently know. Having a strong repository of permission-role and user-role assignments is key to ensuring that the RBAC process lives on and remains effective despite changes within the organization. - Focus on permission and role engineering.
Managing identity and access starts with identifying and classifying what requires access, taking into account where it exists and identifying who needs access to it. This first process is termed permission engineering. The latter part is termed role engineering. While not covered in this research, it will be explored in future iterations. - The primary goal should be to minimize privilege creep.
RBAC improves the efficiency of managing IAM by reducing the amount of privilege creep that exists among the users of the organization. When roles are designed, the principle of least privilege is employed, and therefore users are granted only the roles, and consequently permissions, required to do their job.
Impact and Result
- Our research will lay the groundwork for establishing a centralized, effective, and efficient system for managing identity and access. We will help organizations take back control of their IAM environment by creating and implementing a RBAC model.
- Working with the tools associated with this research will help create a repeatable, simplified auditing process and minimize the amount of entitlement sprawl.
- This research will educate readers on selecting and implementing IAM vendors and will assist in producing vendor RFPs and shortlisting vendors to help ensure that selected vendor solutions offer capabilities required by the organization (e.g. multi-factor authentication) based on business goals, compliance, and other gaps, and will offer integration functionality with the different cloud vendors (e.g. SaaS) used by the organization.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
9.4/10
Overall Impact
$9,536
Average $ Saved
14
Average Days Saved
Client
Experience
Impact
$ Saved
Days Saved
Lee County Clerk of Courts
Guided Implementation
10/10
N/A
10
Carlos was very knowledgeable. He provided valuable insights and documentation that will certainly save us time on our IAM project.
Canopy Growth
Guided Implementation
10/10
N/A
N/A
Carlos clearly understood the complex issues we face and offered some great advice and suggestions on where to start, with potential tools that mig... Read More
Guidehouse LLP
Guided Implementation
9/10
$2,469
1
LivingWorks Education Inc
Guided Implementation
9/10
$3,000
2
Great knowledgeable resources and tools that we can use to help identify potential CIAM solutions for our own use.
British Columbia Assessment
Guided Implementation
10/10
$25,000
20
Carlos we appreciated your broad knowledge of all the various security topics we covered. Thank you!
Massmart
Guided Implementation
10/10
$3,628
20
Always a pleasant experience dealing with the team. The wealth of knowledge by the team adds significant value to the conversations .
Lower Colorado River Authority
Guided Implementation
7/10
$12,999
5
Town Of Marana
Guided Implementation
10/10
$12,599
50
Ian was great. He clearly explained what we were seeking answers/clarification to. He also brought up stuff we hadn't originally thought about.
The Bank of Tampa
Guided Implementation
9/10
$12,599
10
A practical tool and approach was prescribed. I plan to discuss this with my team in the near future as we clear our plate of a regulatory exam a... Read More
Archdiocese of Indianapolis
Guided Implementation
10/10
$4,000
5
Jimmy provided sound advice at the initial part of the project to use Azure AD services for ID Governance. This led to a discovery project by a loc... Read More
Dark Fibre Africa
Guided Implementation
10/10
N/A
5
I liked the advise on being on the look out for features that we may not nee/ or use in selecting a solution. To ensure we are getting value for mo... Read More
College of New Caledonia
Guided Implementation
8/10
$2,000
2
Toronto Community Housing Corporation
Guided Implementation
10/10
$23,500
20
The consultant is very knowledge-full in this subject area. Ian understood very well the constraints at TCHC and based on his rich experience, he ... Read More
SIM Group
Guided Implementation
7/10
$1,000
1
Info-Tech still lacks deep and specific knowledge of a focused PAM
Centrastate Healthcare Systems
Guided Implementation
10/10
$2,479
10
Resorts World Las Vegas
Guided Implementation
10/10
$12,399
29
Ian Mulholland was amazing. He was knowledgeable, professional and he ensured he did anything and everything to meet my needs. Without his RBAC wo... Read More
SME
Guided Implementation
10/10
N/A
2
Ian is very knowledgeable and able to tie together my concerns in a concise manner. I appreciated him sharing his experiences.
City Of Chesapeake
Guided Implementation
10/10
N/A
N/A
American National Insurance Company Inc
Guided Implementation
10/10
$12,063
20
Ian, Willie and Chris were very helpful and gave sound advice on our effort. The tool is excellent and i can tell that there is good experience an... Read More
Allegis
Guided Implementation
8/10
N/A
4
Ian was very knowledgeable in the subject of Identity and Access Management. He was especially helpful with the following areas during the schedul... Read More
LawPRO
Guided Implementation
10/10
N/A
N/A
American Realty Advisors
Guided Implementation
10/10
$11,460
20
Estimated time and financial impact are difficult for us to measure. Our company is classified as a small business, but our sector is financial ser... Read More
Ontario Pension Board
Guided Implementation
9/10
$25,000
20
Willie introduced me to a different blueprint that I had not previously known about. Thanks!
County of San Luis Obispo
Guided Implementation
1/10
N/A
N/A
Baylor College of Medicine
Guided Implementation
8/10
$35,017
10
San Francisco Health Plan
Guided Implementation
9/10
$22,283
10
FIRMA Foreign Exchange
Guided Implementation
8/10
$25,000
10
Getting guidance on the direction and products we should be looking into based on our requirements.
University of North Texas System
Workshop
8/10
$30,999
18
Virginia Department of Taxation
Guided Implementation
9/10
N/A
20
The questions don't really fit our conversation. Ian saved us time, but in a different way by changing our focus. Overall very helpful!
Sherritt International Corporation
Guided Implementation
10/10
$5,000
50
The call with Ian was very helpful. He was able to cover all elements of the IAM and provided many items to consider for a successful deployment. ... Read More
Workshop: Simplify Identity and Access Management
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Complete Level Setting
The Purpose
- Create the foundations for implementing a more robust method for managing identity and access within the organization.
Key Benefits Achieved
- Insight into how to best clean up the current user directory
- An understanding of the misuse impact of the permissions given to users
Activities
Outputs
Define the goals of identity and access management (IAM).
- Defined goals for IAM
Classify application functions.
- Data classification scheme for applications
Identify the misuse impact of each permission.
- Foundation for using risk to justify future access assignment decisions
Discuss role-based access control (RBAC) methodology.
Module 2: Create the RBAC Model
The Purpose
- Develop a documented and formalized RBAC model.
Key Benefits Achieved
- A more robust method for managing IAM
- Documented access matrix for future reference
Activities
Outputs
Identify the best approach for creating roles.
- A plan for implementing a role engineering exercise
Define cardinal constraints through discussion.
- Documented role constraints
Identify mutually exclusive pairs of roles with an affinity map.
- Documented role constraints
Assign users to roles.
- Repository for permission-role and user-role assignments
Module 3: Analyze the Results
The Purpose
- Identify risk-aware metrics for measuring the effectiveness of the RBAC model over time.
- Build a maintenance schedule.
Key Benefits Achieved
- The development of risk-aware metrics allows for the measurement of the effectiveness of the RBAC model over time
- A plan for completing and implementing the RBAC model
Activities
Outputs
Discuss the risk evaluations of roles and users.
- Risk-aware metrics
Define risk threshold for users.
- Risk-aware metrics
Set targets for metrics through a group discussion.
- Risk-aware metrics
Discuss an exception-handling process.
- Maintenance plan
Build a maintenance schedule through group discussion.
- Maintenance plan
Module 4: Plan for the Transition
The Purpose
- Outline best practices for selecting and implementing an IAM solution from a vendor.
Key Benefits Achieved
- A plan for contacting vendors and assessing their solutions against business requirements and goals
Activities
Outputs
Determine your target IAM framework.
Identify alignment with use cases.
Prioritize your solution requirements based on your business, architecture, and performance needs.
Create an RFP to submit to vendors.
Identify the resourcing plan for your IAM implementation.
- IAM vendor procurement plan
Determine start times and accountability with a RACI chart.
- IAM RACI chart
Finalize IAM roadmap and action plan.
- IAM roadmap and action plan
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Need Extra Help?
Speak With An Analyst
Get the help you need in this 4-phase advisory process. You'll receive 7 touchpoints with our researchers, all included in your membership.
Guided Implementation 1: Audit and classify existing data
- Call 1: Establish a data classification scheme and apply it to application functions.
Guided Implementation 2: Implement a risk- and role-based access control model
- Call 1: Build role hierarchy.
- Call 2: Establish separation of duties constraints.
- Call 3: Define metrics.
Guided Implementation 3: Create an RBAC maintenance plan
- Call 1: Create a maintenance plan for the RBAC process.
Guided Implementation 4: Consider an IAM vendor
- Call 1: Discuss vendor options.
- Call 2: Create an implementation plan for acquiring or changing an IAM solution.
Contributors
- Kassim Dossa, Director of Procurement and IT, AgeCare Investments Ltd.
- Mike Layton, Director – Enterprise Services & Information Systems, Baylor College of Medicine
- Jon Cutler, Chief Information Security Officer, Marshall University
- 5 anonymous contributors
Assess and Govern Identity Security
Mature Your Identity and Access Management Program
Simplify Identity and Access Management
Passwordless Authentication