Get Instant Access
to This Blueprint

Security icon

Simplify Identity and Access Management

Leverage risk- and role-based access control to quantify and simplify the IAM process.

  • Identity and access management (IAM) is the foundation of all usability within the environment and needs to be well defined and documented. Every organization has users, and every user needs access.
  • Organizations have watched their systems become more entangled as more processes are moved to the cloud and more security threats present themselves.
  • Auditing a long list of users is a tedious task that nobody wants to do. Unclassified data exacerbates the problem.

Our Advice

Critical Insight

  • Role-based access control (RBAC) doesnt have to be hard.
    Document the information that people inherently know. Having a strong repository of permission-role and user-role assignments is key to ensuring that the RBAC process lives on and remains effective despite changes within the organization.
  • Focus on permission and role engineering.
    Managing identity and access starts with identifying and classifying what requires access, taking into account where it exists and identifying who needs access to it. This first process is termed permission engineering. The latter part is termed role engineering. While not covered in this research, it will be explored in future iterations.
  • The primary goal should be to minimize privilege creep.
    RBAC improves the efficiency of managing IAM by reducing the amount of privilege creep that exists among the users of the organization. When roles are designed, the principle of least privilege is employed, and therefore users are granted only the roles, and consequently permissions, required to do their job.

Impact and Result

  • Our research will lay the groundwork for establishing a centralized, effective, and efficient system for managing identity and access. We will help organizations take back control of their IAM environment by creating and implementing a RBAC model.
  • Working with the tools associated with this research will help create a repeatable, simplified auditing process and minimize the amount of entitlement sprawl.
  • This research will educate readers on selecting and implementing IAM vendors and will assist in producing vendor RFPs and shortlisting vendors to help ensure that selected vendor solutions offer capabilities required by the organization (e.g. multi-factor authentication) based on business goals, compliance, and other gaps, and will offer integration functionality with the different cloud vendors (e.g. SaaS) used by the organization.

Simplify Identity and Access Management

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should simplify identity and access management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Audit and classify existing data

This phase will assist users with cleaning their current user directory and laying the foundations for implementing a more robust process for managing identities and access.

2. Implement a risk- and role-based access control model

This phase will guide readers through the process of creating and implementing a RBAC model. This includes the definition of metrics that can be used to refine future iterations of the RBAC model.

3. Create an RBAC maintenance plan

This phase covers best practices regarding exception handling and maintaining the RBAC system over time.

4. Consider an IAM vendor

This phase explores the selection and implementation of an IAM solution. Several tools are available to assist project owners with this typically challenging task.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

9.1/10


Overall Impact

$7,507


Average $ Saved

9


Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

Archdiocese of Indianapolis

Guided Implementation

10/10

$4,000

5

Dark Fibre Africa

Guided Implementation

10/10

N/A

5

College of New Caledonia

Guided Implementation

8/10

$2,000

2

Toronto Community Housing Corporation

Guided Implementation

10/10

$23,500

20

SIM Group

Guided Implementation

7/10

$1,000

1

Centrastate Healthcare Systems

Guided Implementation

10/10

$2,479

10

Resorts World Las Vegas

Guided Implementation

10/10

$12,063

29

Society of Manufacturing Engineers

Guided Implementation

10/10

N/A

2

City Of Chesapeake

Guided Implementation

10/10

N/A

N/A

American National Insurance Company Inc

Guided Implementation

10/10

$12,063

20

Allegis

Guided Implementation

8/10

N/A

4

LawPRO

Guided Implementation

10/10

N/A

N/A

American Realty Advisors

Guided Implementation

10/10

$11,460

20

Ontario Pension Board

Guided Implementation

9/10

$25,000

20

County of San Luis Obispo

Guided Implementation

1/10

N/A

N/A

Baylor College of Medicine

Guided Implementation

8/10

$35,017

10

San Francisco Health Plan

Guided Implementation

9/10

$22,283

10

FIRMA Foreign Exchange

Guided Implementation

8/10

$25,000

10

University of North Texas System

Workshop

8/10

$31,833

18

Virginia Department of Taxation

Guided Implementation

9/10

N/A

20

Sherritt International Corporation

Guided Implementation

10/10

$5,000

50

Florida League of Cities Inc

Guided Implementation

10/10

$5,093

14

Auckland University of Technology

Guided Implementation

8/10

N/A

N/A

Oregon State Treasury

Guided Implementation

7/10

$12,733

10

Sherritt International Corporation

Guided Implementation

8/10

N/A

20

Corporation Of The City Of London

Guided Implementation

8/10

N/A

N/A

Apega

Guided Implementation

7/10

N/A

N/A


Onsite Workshop: Simplify Identity and Access Management

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Complete Level Setting

The Purpose

  • Create the foundations for implementing a more robust method for managing identity and access within the organization.

Key Benefits Achieved

  • Insight into how to best clean up the current user directory
  • An understanding of the misuse impact of the permissions given to users

Activities

Outputs

1.1

Define the goals of identity and access management (IAM).

  • Defined goals for IAM
1.2

Classify application functions.

  • Data classification scheme for applications
1.3

Identify the misuse impact of each permission.

  • Foundation for using risk to justify future access assignment decisions
1.4

Discuss role-based access control (RBAC) methodology.

Module 2: Create the RBAC Model

The Purpose

  • Develop a documented and formalized RBAC model.

Key Benefits Achieved

  • A more robust method for managing IAM
  • Documented access matrix for future reference

Activities

Outputs

2.1

Identify the best approach for creating roles.

  • A plan for implementing a role engineering exercise
2.2

Define cardinal constraints through discussion.

  • Documented role constraints
2.3

Identify mutually exclusive pairs of roles with an affinity map.

  • Documented role constraints
2.4

Assign users to roles.

  • Repository for permission-role and user-role assignments

Module 3: Analyze the Results

The Purpose

  • Identify risk-aware metrics for measuring the effectiveness of the RBAC model over time.
  • Build a maintenance schedule.

Key Benefits Achieved

  • The development of risk-aware metrics allows for the measurement of the effectiveness of the RBAC model over time
  • A plan for completing and implementing the RBAC model

Activities

Outputs

3.1

Discuss the risk evaluations of roles and users.

  • Risk-aware metrics
3.2

Define risk threshold for users.

  • Risk-aware metrics
3.3

Set targets for metrics through a group discussion.

  • Risk-aware metrics
3.4

Discuss an exception-handling process.

  • Maintenance plan
3.5

Build a maintenance schedule through group discussion.

  • Maintenance plan

Module 4: Plan for the Transition

The Purpose

  • Outline best practices for selecting and implementing an IAM solution from a vendor.

Key Benefits Achieved

  • A plan for contacting vendors and assessing their solutions against business requirements and goals

Activities

Outputs

4.1

Determine your target IAM framework.

4.2

Identify alignment with use cases.

4.3

Prioritize your solution requirements based on your business, architecture, and performance needs.

4.4

Create an RFP to submit to vendors.

4.5

Identify the resourcing plan for your IAM implementation.

  • IAM vendor procurement plan
4.6

Determine start times and accountability with a RACI chart.

  • IAM RACI chart
4.7

Finalize IAM roadmap and action plan.

  • IAM roadmap and action plan

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

Member Rating

9.1/10
Overall Impact

$7,507
Average $ Saved

9
Average Days Saved

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Read what our members are saying

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Try Our Guided Implementations

Get the help you need in this 4-phase advisory process. You'll receive 7 touchpoints with our researchers, all included in your membership.

Guided Implementation #1 - Audit and classify existing data
  • Call #1 - Establish a data classification scheme and apply it to application functions.

Guided Implementation #2 - Implement a risk- and role-based access control model
  • Call #1 - Build role hierarchy.
  • Call #2 - Establish separation of duties constraints.
  • Call #3 - Define metrics.

Guided Implementation #3 - Create an RBAC maintenance plan
  • Call #1 - Create a maintenance plan for the RBAC process.

Guided Implementation #4 - Consider an IAM vendor
  • Call #1 - Discuss vendor options.
  • Call #2 - Create an implementation plan for acquiring or changing an IAM solution.

Author(s)

Ian Mulholland

Contributors

  • Kassim Dossa, Director of Procurement and IT, AgeCare Investments Ltd.
  • Mike Layton, Director – Enterprise Services & Information Systems, Baylor College of Medicine
  • Jon Cutler, Chief Information Security Officer, Marshall University
  • 5 anonymous contributors
Visit our COVID-19 Resource Center and our Cost Management Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019