What Is ABR? Why Should It Be a Top Priority for CISOs in 2021? Part Two: IAM Blueprint
Your organization is aware that it needs Identity & Access Management. You realize the value of IAM Assessments and how they can help you identify and address the challenges your organization faces when properly implementing an IAM solution. However, the question may still remain, what should you do with your IAM technology? An IAM Blueprint can help you answer that question.
What Is an IAM Blueprint?
If an IAM Assessment answers the question “what” needs to be done, an IAM Blueprint answers the question “how” it needs to be done. How do you go about addressing your IAM needs in a way that manages your IT environment and adds value to and improves the efficiency for end-users? An IAM Blueprint clearly lays out your Identity & Access Management needs. It shows you the functionality required and the steps your organization must follow to successfully implement changes to address the issues brought to light in the IAM Assessment.
How to Create an IAM Blueprint
Your blueprint will start like many other business processes. A simple formula is- people, process, and technology. What is meant by this is that before you can decide on the technology you are going to use, you first need to understand and train the people and assess the process used for identity management. If you jump to purchasing whatever identity management technology is put in front of you, you will end up automating technology that will produce terrible results faster. However, if you correct the back-end issues first, you will have a clear vision of the technology you need to acquire.
Create the Ideal State
Everything starts with the ideal. When talking about IAM, there are going to be several constraints your organization faces in the real world. You may not have enough time, money, or people to currently create the ideal IAM environment. For now, you want to take all of those restraints and throw them away. In creating the ideal state, you imagine a scenario where you have unlimited resources, unlimited money, and unlimited time. What does the perfect IAM environment look like for your organization?
Create Reference Architectures
Using this concept, you are going to create several reference architectures. The reason you go down this route is that if you start with constraints, you are going to end up with miserable-looking deliverables. Without restraints, you can build a set of holistic architectures that cover all of your issues. You can then boil these down into one diagram or a set of diagrams. You start at the high level and then you drill in the details. This would include auto-provisioning, be it federated, internal, or external. You can add Privilege Access Account Management to your blueprint. Your blueprint can include your internal and external SSO and other forms of authentication. Now, you ask questions like, how can you use the technology that you currently have to reach these ideal goals?
Run Gap Analysis
The time has now come to run a gap analysis. In our IAM Assessment, you have identified what the problems are. Up to this point in your blueprint, you have removed the restraints, understand what the goal is and what the ideal situation would be. You understand what technologies are available to mitigate the risk. Now, the question is, what is required for you to go from current to where you want to be? Laying out your blueprint like this allows you to have complete traceability before you even spend a dime on software. Right in front of you is a coherent plan that tells you where you are, where you want to go, and what things you need to add to fill in the gap. With an IAM Blueprint, you will be able to use workshops, interviews, and other resources to get a clear vision of the products your organization needs to improve its Identity & Access Management. Up to this point, you have done IAM Assessment and an IAM Blueprint. But you are only two-thirds of the way through your journey. Now, you need to follow up your blueprint with an IAM Roadmap. This will be the topic of the last article in our series.