Pitfalls of identity access management

It is easy to overlook identity access management as static infrastructure in the background, and that's the chief problem: Too few organizations treat IAM as the crucial, secure connective tissue between businesses' multiplying employees, contractors, apps, business partners and service providers. Aaron Perry, president at Focal Point Data Risk, Focal Point Data Risk’s Identity Governance and Access Management practice, runs through some of IAM’s pitfalls.

Organizations treat IAM as a one-and-done project, not the type of evolving and adaptive program necessary to actually encompass organizations' riskiest asset - their people. Words like "checklist" and "end date" are red flags in IAM meetings, they betray short-term, project-oriented thinking. This misstep dooms many IAM initiatives right out of the gate.

Project-oriented thinking leads to shortchanging IAM. You avoid this by beginning with a multi-year plan that breaks up costs into implementation and operational stages. Forecast the number of people needed, whether the IAM solution will run on-premise, for example and what infrastructure expenses are expected. Within this plan, a team structure should be developed, with an IAM “owner,” so roles, responsibilities, and accountability standards can be established. Without this philosophy in place, IAM programs are paralyzed by chronic resource shortfalls and are dangerously incomplete.

Face it, frontline end-users are reflexively hostile to change, meaning an IAM program that feels arbitrary and foisted upon them will trigger backlash. Spend time to understand end-user stakeholders' requirements and routine; they're almost always perfectly compatible with IAM elements tailored the right way. This deftly avoids complaints about productivity, application support and other headaches.

Top executive is crucial in every IT program, but too often IAM fails because backers use vague words like "security" and "risk." Instead, put IAM advantages in quick-win ROI language any executive will recognize - like explaining how this initiative will let you onboard new employees faster, use new applications more flexibly or seamlessly engage with more overseas partners. The fact it's the truth helps - these are modern IAM's major advantages.

This dooms any program, but particularly when it comes to IAM because unlike forensics or threat intelligence, identity and access seem abstract and obscure. In a recent NACD study, only 15% of directors were “very satisfied” with the quality of cyber security information they receive from their management team. Don't be a statistic - IT and security leaders need to take their first, best opportunity to set the storyline for why IAM is important and its business advantages.

RELATED: Third parties leave your network open to attacks

8 tips for keeping your data safe with Identity and Access Management