How do you determine the desired/ future situation??
Chief Evangelist André Koot has been focusing on the field of Identity and Access management for 20 years. His message is clear. IAM is no IT party, but a change that affects business processes at all levels. Collaboration between different departments is therefore crucial. In this blog series, we asked him the most pressing questions about why IAM implementations are so often unsuccessful.
How do you determine the desired/ future situation?
Implementing IGA is only one of the tracks in implementing IAM solutions. Identity management and access control is much more than just automating the joiner-mover-leaver workflows and implementing role-based access control. IAM is a company-wide topic, covering privileged access, access to resources by business partners and suppliers, access by customers, and access to resources such as things and robots or RPA’s and managing things, robots and RPA’s. And we should not forget topics like federation, access to and from APIs, physical access, trust networks and, of course, the topic of zero trust.
Access control cannot be restricted to just IGA. Even though many of our customers contact us to help them with product and vendor selection for IGA, we feel that implementing access control cannot be restricted to just that domain. When investigating IGA, we prefer to also investigate the other topics. The reason is that access control serves the organization and that it should fit within the organization. Not just today, but in the long term.
In our philosophy a vision on access is required, a vision on how to manage access for all types of participants and stakeholders, including non-human identities. And the vision on access will then become the basis for the guiding principles for access control, no matter what access requester or access supplier.
In order to prevent the ivory tower syndrome, we must make sure that the vision and strategy on access are built on the company mission statement, its vision and strategy. The vision on access must be aligned with the business vision and strategy. If the company strategy is to go Cloud, then perhaps we will prioritize cloud architectures and create a migration strategy for legacy applications and legacy access. If the company strategy is to pursue business process outsourcing, then we may investigate federation strategies first. If there is an urgent need for compliancy, then we might start implementing governance principles and tools first. If there is a growth strategy, well, you get the picture…
So, that’s why we have to get the business involved in the IAM-related developments. We will let the business perspective be the basis for the IAM strategy, in all IAM-related areas of interest.
Background blog series
The installation of a new identity and access management software package is often approached as an ICT implementation. This not only brings risks, but also unnecessary costs and dissatisfied users. Companies grow and change. The digital age has brought about a transformation in many companies in which digital possibilities are increasingly used. This has resulted in many different applications and systems and sometimes a somewhat fragmented ICT landscape and decentralized organizational control. In doing so, there are more and more types of users using an organization’s digital assets. Such as employees, customers, partners, devices and things. In identity and access management, it is precisely important that these things are connected. Well, in a safe and thoughtful way. This blog series addresses this.