Identity Management Projects Require Proper Planning

Many organizations are launching identity management projects, and avoiding common pitfalls means taking certain steps up front before deployment begins.

Identity management projects are on the menu for many businesses, and like all IT projects, planning is key.

Among the most commonly cited challenges is correctly-sizing the project and not biting off more than you can chew, experts told eWEEK. To avoid that, step one involves doing a little homework.

"To prepare for identity management, you must first agree on what it is to you," Gartner analyst Earl Perkins said. "There is a discovery phase where you identify not only the definition of identity management in general, but you compare it with what your specific needs are. You will also need during such a discovery find out what "assets" you have to address it. Many clients discover to their surprise they already have automation components of IAM (identity and access management), they just don't have it deployed as a coherent, corporate or agency-wide solution."

"Assets also mean things like the key stakeholders, key skill sets required, as well as the technologies you possess," Perkins said. "Then it's a matter of matching requirement to existing asset to determine gaps."

It's also important to have executive sponsorship, he noted, because without it, the project is not going anywhere. Such support could prove crucial in getting a dedicated staff to support the technology when it's up and running.

"Many firms take a -wait and see' approach to IAM," said Andras Cser, an analyst with Forrester Research. "This is bad since most of IAM is mission critical infrastructure that requires 24x7 support. You need to have dedicated people on call to support the IAM solution otherwise senior management will view the IAM project as a hindrance only."

In addition, companies need to understand professional services firms' prices for full IAM implementation can be "prohibitively expensive," he noted.

"To avoid budget overruns, organizations need to dedicate an architect level resource to the external implementation resources and learn and internalize the implementation expertise (connector development, workflow design, etc.) as quickly as possible," Cser told eWEEK.

When it comes time to implement an identity management system, companies need to make sure their house is in order, and that requires an understanding of existing business processes.

"You need to know what policies and procedures are in place for processes such as on-boarding and off-boarding employees or contractors, or what procedures and policies guide activity when an employee changes jobs within a company," said Tim Brown, chief security architect for CA Technologies. "You also need to understand what technology is in use for those processes and procedures and know the workflows and approval processes in place. The results of these procedures impact an organizations regulatory compliance posture."

In addition, businesses need to know who has a right to do what in the organization, Brown added.

"Organizations should strive for the simplest role model possible," he said. "The roles should be based on business functions and cross applications. The role model can be developed using role modeling technology or created manually for less complex organizations."

"Proper planning prevents...poor performance," Perkins said, adding that "the key to this is limiting scope to urgent, prioritized need, choosing a targeted customer base that will later serve as your "credibility check" and staying focused. Run it like the project it is, and don't underestimate its complexity."