The rapid adoption of mobile devices and cloud services together with a multitude of new partnerships and customer-facing applications has extended the identity boundary of today’s enterprise. For the extended enterprise, identity and access management (IAM) is more than just provisioning employees with and enforcing the appropriate access to corporate resources. It’s about the ability to oversee access by a variety of populations, from employees to partners to consumers, and protect a variety of sensitive resources (including data) that may reside on or off the organization’s premises – all while helping to protect the organization from increasingly sophisticated cybercriminals and resourceful fraudsters.
Unfortunately, legacy approaches to IAM are failing us because they can’t manage access from consumer endpoints, they don’t support rapid adoption of cloud services, they can’t provide security data exchange across user populations, and offer no help against emerging threats.
We at Forrester have been promulgating a Zero Trust Model of information security. It eliminates the idea of distinct trusted internal networks versus untrusted external networks, and requires security pros to verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic. Zero Trust applies effectively to identity as well. It requires security and identity pros to: 1) center on sensitive applications and data; 2) unify treatment of access channels, populations, and hosting models; and 3) prepare for interactions at Internet scale. Moving toward Zero Trust identity not only helps you improve business agility and achieve compliance – it even helps you enhance customer experience and deliver on your org’s API monetization strategy.
Forrester's Identity and Access Management Playbook will help you evolve from the inflexibility of tightly coupled authentication and access controls to an approach where you deploy service services that produce and consume identity and entitlement information in a loosely coupled manner. Building a Zero Trust IAM strategy that supports the extended enterprise requires a four-step process:
1. Discover: Identifying the trends, justifying the business case, and assessing your maturity. Understanding your organization’s business objectives and what you can achieve with a Zero Trust IAM approach can help you build a sound business case for investment that recognizes the business, financial, and operational benefits. Once you have a well-defined business case, you can also assess your current capabilities against your business case and identify gaps in your strategy.
2. Plan: Creating a strategy to manage IAM as a sustainable, on-going program. To make your IAM strategy a reality, you will need to identify and influence stakeholders on both the business and the IT side of the organization. You must also formally document your IAM strategy and include a description of your current state, a definition of your future state, and a detailed road map and set of recommendations for the sequence of projects needed to make the strategy a reality.
3. Act: Hiring the right staff, governing policies, and implementing IAM capabilities. Because IAM pros must frequently communicate with a business audience, they must possess outstanding communication skills in addition to IAM technical knowledge. And because IAM is so broad and requires a strong central governing function, you will need to hire several types of IAM professionals, including a VP or director-level position, an IAM architect, and an IAM practitioner. You will also be faced with a multitude of on-premises and cloud-based solutions to your IAM technical requirements.
4. Optimize: Measuring, monitoring, and marketing IAM results. You’ll have to measure and monitor the effectiveness of your IAM program and report value to the organization. With an effective metrics program, IAM leaders will be better prepared to demonstrate business value, develop a proactive culture, and align priorities and performance incentives with business strategy. You’ll also be in a better position to understand how your program compares to that of your peers.
So what do you think? How does Forrester’s vision of IAM compare to yours? And will our playbook be useful? My colleagues Andras Cser (@acser) and Stephanie Balaouras (@sbalaouras) and I (@xmlgrrl) value your feedback as we refine this playbook to help you be successful in your role.