Presented by Jim McDonald, Engagement Manager, Identropy at ForgeRock Open Identity Stack Summit, June 2013
Learn more about ForgeRock Access Management:
https://www.forgerock.com/platform/access-management/
Learn more about ForgeRock Identity Management:
https://www.forgerock.com/platform/identity-management/
1. Developing an IAM Roadmap that Fits Your Business
2. Our Experience
Plan
Build
Run
Identropy’s professional services practice is designed around Plan, Build and Run. Our plan offering, called “IAM Kickstart”, has been delivering IAM Roadmaps for organizations since 2006.
• Exclusive focus on Identity & Access Management (IAM)
• Our roadmaps are focused on GSD (get stuff done)
• We leverage a tested methodology that creates custom strategies for each organization
• We’ve decided to make our methodology available as part of a “Do it Yourself Kit” at http://www.identropy.com
3. Kickstart Program – 7 Step Approach
1. P.U.T. Chart
2. Onsite Interviews
3. IAM Capability Assessment
4. Research and Follow-up
5. Architecture and Recommendations
6. Roadmap and Budget Estimates
7. Present Findings
DELIVERABLES
• IAM Capability Benchmark
• High-Level Architecture
• Initiative Roadmap
• Editable Project Plan
• Executive Presentation
4. PUT Chart & Pre-work
• PUT Chart
• Schedule Interviews / Develop Agenda
• Gather collateral
  • Recent audit findings
  • Governance structures
  • Org or IT strategies
  • Documented IAM policies and procedures
• Hold Interviews
  • Sample questions
  • Take notes (look for quotes)
6. Findings: Assess the Current State
• Define program drivers (enablement, risk mitigation, compliance?)
• Group capabilities (see next slide)
• Rate current maturity and desired/goal state
  • CMMI or benchmark – you decide
  • Rubrics (they’re not just for cubes anymore)
• Other useful slides:
  • “What is IAM?”
  • Scope of Assessment
  • Scope of IAM Program
  • SWOT
  • Quotes
Helpful Hint: follow the K.I.S.S. principle
8. IAM Capability Assessment Rubric
Capability Scoring Rubric
IAM Governance & Organization
• 5=Formal IAM Governance is serving the needs for visibility for all stakeholders
• 4=IAM Governance part of a larger IT Governance Framework and manages with Metrics and SLAs
• 3=IAM Governance part of a larger IT Governance Framework and includes formal subcommittees
• 2=IAM Governance is formal but is not part of a larger IT Governance Framework
• 1=IAM Governance is informal
Identity Data Management
• 5=All accounts, roles centrally provisioned, reconciled
• 4=All accounts, roles centrally provisioned
• 3=Internal accounts provisioned, roles local in applications
• 2=Single registry exists, some provisioning is automated
• 1=No single registry of users
User Lifecycle Management
• 5=User lifecycle is managed centrally, request and approval processes are segregated and captured
• 4=Most lifecycle processes are centralized, approvals are generally captured
• 3=Most lifecycle processes are centralized, approvals are generally out-of-band
• 2=Identity is created centrally, but remaining lifecycle processes decentralized
• 1=Identity Management processes are tribal knowledge
Authentication, Access Control & Federation
• 5=Federated Single Sign On
• 4=Single Sign On with strong authentication
• 3=Single Sign On, static password
• 2=LDAP directory authentication, static password
• 1=Local username, local static password
Authorization & Role Management
• 5=Business Roles are defined and leveraged for (de)provisioning and transfers
• 4=Business Roles are defined and leveraged for (de)provisioning
• 3=Central group management processes exist and are widely leveraged
• 2=Central group management processes exist but are not widely leveraged
• 1=Authorization processes are decentralized and not coordinated
Audit, Reporting, & Event Monitoring
• 5=Risk-based recertification cycles exist with quality control measures in place
• 4=A risk assessment framework is used to establish appropriate recertification cycles
• 3=High risk access is periodically recertified in an automated system
• 2=Access recertification tools exist but are lightly used
• 1=Access is not routinely audited or recertified
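The rubric above gives a 1–5 scale per capability, and the deck asks you to rate both the current and the goal state and then sort initiatives into Do Now, Do Next, Do Later and Down the Road. The following script is an added example (not Identropy’s Kickstart tooling) that encodes the six capability names from the rubric, validates each rating against the scale, computes a driver-weighted gap, and assigns a horizon. The sample ratings, the `weight` field, and the horizon thresholds are constructed assumptions for illustration.

```python
"""Capability benchmark helper built on the six-capability, five-level rubric.

Added example; not part of the Kickstart deck. Capability names are taken from
the rubric slide; ratings, weights and horizon thresholds are constructed.
"""
from dataclasses import dataclass

# The six capability groups scored on the rubric slide.
CAPABILITIES = (
    "IAM Governance & Organization",
    "Identity Data Management",
    "User Lifecycle Management",
    "Authentication, Access Control & Federation",
    "Authorization & Role Management",
    "Audit, Reporting, & Event Monitoring",
)
SCALE = range(1, 6)  # rubric levels 1..5


@dataclass(frozen=True)
class Rating:
    capability: str
    current: int          # maturity observed during interviews (1..5)
    goal: int             # desired state agreed with stakeholders (1..5)
    weight: float = 1.0   # assumed: relevance to the program driver (0 < w <= 2)


def validate(rating: Rating) -> None:
    """Reject ratings that fall outside the rubric or that go backwards."""
    if rating.capability not in CAPABILITIES:
        raise ValueError(f"unknown capability: {rating.capability}")
    for name, level in (("current", rating.current), ("goal", rating.goal)):
        if level not in SCALE:
            raise ValueError(f"{rating.capability}: {name} level {level} is outside the 1..5 rubric")
    if rating.goal < rating.current:
        raise ValueError(f"{rating.capability}: goal state is below current state")
    if not 0 < rating.weight <= 2.0:
        raise ValueError(f"{rating.capability}: weight must be in (0, 2]")


def weighted_gap(rating: Rating) -> float:
    """Distance to the goal level, scaled by how much the driver cares."""
    return (rating.goal - rating.current) * rating.weight


def horizon(score: float) -> str:
    """Map a weighted gap onto the deck's four roadmap horizons (assumed cut-offs)."""
    if score >= 3:
        return "Do Now"
    if score >= 2:
        return "Do Next"
    if score >= 1:
        return "Do Later"
    return "Down the Road"


def benchmark(ratings) -> list:
    """Return one row per capability with a gap, ordered by priority."""
    for r in ratings:
        validate(r)
    rows = []
    for r in ratings:
        gap = r.goal - r.current
        if gap == 0:
            continue  # already at goal; no initiative needed
        score = weighted_gap(r)
        rows.append({"capability": r.capability, "current": r.current, "goal": r.goal,
                     "gap": gap, "score": score, "horizon": horizon(score)})
    rows.sort(key=lambda row: (-row["score"], row["capability"]))
    return rows


def average_maturity(ratings) -> float:
    """Single benchmark figure for the executive summary."""
    return round(sum(r.current for r in ratings) / len(ratings), 2)


# Constructed sample assessment; not a real organization.
SAMPLE_RATINGS = (
    Rating("IAM Governance & Organization", 1, 3, 1.5),
    Rating("Identity Data Management", 2, 4, 1.0),
    Rating("User Lifecycle Management", 2, 4, 0.5),
    Rating("Authentication, Access Control & Federation", 3, 4, 2.0),
    Rating("Authorization & Role Management", 2, 2, 1.0),
    Rating("Audit, Reporting, & Event Monitoring", 1, 2, 0.5),
)

if __name__ == "__main__":
    print(f"Average current maturity: {average_maturity(SAMPLE_RATINGS)}")
    for row in benchmark(SAMPLE_RATINGS):
        print(f"{row['horizon']:<14} {row['capability']:<45} {row['current']} -> {row['goal']}")
```

Capabilities with no gap are left out of the roadmap rows on purpose; the average maturity figure still counts them, so the executive summary reflects the whole assessment while the initiative list only carries work that remains.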
9. Summarize Recommendations and Align to Findings
• Executive Summary
  • Align it to IAM Program drivers
• Architecture Diagram
  • Show current and future state
• Make sure to design for the future
  • SaaS
  • Cloud
  • Mobile
• Select or short-list products
  • Use analyst reports from Gartner or KC
  • Talk to peers or consultants
10. Sample: Executive Recommendation Summary
Enable the Business
• Employ an IAM Center of Excellence and Deploy Enabling Technologies
• Deploy an inclusive IAM Governance framework
• Drive greater adoption
• Balance security with usability
• Establish Risk Assessment Framework and Levels of Assurance
11. Sample Recommendations – What to do
• Pull together enterprise identity data into a central identity repository
• Deploy a tool to provide delegated group management
• Replace custom IAM with packaged software
• Implement coarse-grained policy enforcement with OpenAM
• Bolster application and cloud provisioning tools
• Offer BYOId for loose affiliations and low risk access
• Require strong second factor for certain high-risk access
• Employ an IAM Center of Excellence and Deploy Enabling Technologies
• Establish Risk Assessment Framework and Levels of Assurance
  • Inventory risk at the application and group level
  • Adopt existing LOA framework, such as the InCommon Assurance Program
  • Apply security controls based on risk
• Deploy an inclusive IAM Governance framework
  • Increase stakeholder involvement through Technical and Business Advisory Groups
  • Define structure and process for improved decision making and mission alignment
13. Develop a Roadmap (timeline)
• Do Now, Do Next, Do Later… & Down the Road
• Develop a resource plan (using internal resources, consultants, or mix)
• Estimate costs
  • Understand your fiscal calendar
  • Break out Capital vs. Expense
  • This often favors SaaS or Open Source
  • If you need estimates – lean on vendors (consulting and product)
  • This is all relevant even if you must do an RFP
15. Develop a Deep-dive in the Appendices
What is a key opportunity or pain point?
• Governance
• Role Management
• Integration Decision Framework
• Project Execution
Tip: dedicate 4-6 slides on a key focus area to drive a particular point home
16. Perform the Read-out
• Review detailed deck for IAM Program and closest stakeholders
• Perform executive readout (get to the point in 1 hour)
• Now socialize with the people within your organization whose support is needed