Recipe for failure - why IAM projects fail
Why do IAM projects fail so often? KPMG provides answers.


Published in: Technology, Business

Transcript

  • 1. Recipe for failure
      Six habits to ruin Identity and Access Management
      March 2013
      KPMG in the Netherlands
      drs. Mike Chung RE
  • 2. Facts and figures
      • Most large IT projects have significant cost overruns and deliver far less than anticipated, and one in six projects is a ‘black swan’ (Oxford Business School 2011)
      • Over 75% of IAM projects deliver less than expected (KPMG 2009)
      • Almost 50% of IAM projects fail outright (KPMG 2009)
  • 3. From mess to menace: your route to chaos
      • Automation of access
      • Proliferation of accounts
      • Rise of IAM
      • Push for compliance
      • Age of numbness
      • Lost to the cloud
  • 4. Chaos
      • Myriad of access permissions
      • Password madness
      • Maze of interfaces
  • 5.
      • Security leaks
      • Non-compliance
      • Higher costs
  • 6. Habit I: Assign to the wrong department
      • Burden IT with business responsibilities
      • Expect IT to have a full understanding of business processes, compliance and the value of data
      • Do as you please
  • 7. Why do we do that?
      • IAM is perceived as an IT issue
      • IAM technology vendors talk to IT managers
      • Deployment of directories and user repositories is initiated by IT departments
  • 8. Habit II: Never stop expanding
      • Increase the number of accounts blindly
      • Create GPOs, groups, nested groups and more groups
      • ... and shares and SharePoint sites
  • 9. Why do we do that?
      • We (people) are driven to provide instant solutions without considering the consequences
      • Integrating IAM landscapes after mergers and acquisitions is often complex and labour-intensive
      • Applications often offer functionality that is easy to use but difficult to govern
  • 10. Habit III: Work towards complexity
      • Deploy multiple directories, virtual directories and repositories
      • Implement that fancy IAM system, password wallets, PAM, SIEM, access governance application, data governance tool
      • Delight your organisation with enterprise RBAC, policy-based access, context-based IAM and whatever sounds vaguely credible
  • 11. Why do we do that?
      • The IAM industry is fast-moving, with many new technologies and products
      • Issues from one application are patched by another application with issues, and patched by...
      • In theory, theory and practice are the same – in practice, they are not (Albert Einstein)
  • 12. Habit IV: Trivialize the importance
      • Remember: excessive access is far better than no access
      • Ignore security leaks, or better: convince yourself that IAM has nothing to do with security
      • Pass audit findings to someone else – what about the IT department?
  • 13. Why do we do that?
      • Business users perceive access as a (human) right, and excessive access as a secondary consideration
      • Security awareness is often low
      • Data security is seen as solely an IT issue, by the IT department too
  • 14. Habit V: Hear no evil, see no evil
      • Keep the end-state of IAM obscure
      • Keep the current state of IAM unknown to everybody else, and to you
      • Then ask yourself: how am I supposed to know the delta?
  • 15. Why do we do that?
      • We have no protocol of behaviour for things we don’t see (Nicholas Taleb)
      • We take a lot of risks because we are comfortable we don’t see them
      • We are notoriously bad at estimating the magnitude of complex, abstract issues
  • 16. Habit VI: Rush to the cloud
      • Bypass IT on your way to SaaS
      • Believe in the next big thing
      • Quit asking questions and stop thinking
  • 17. Why do we do that?
      • Organisations are usually driven by costs, seldom by rational insights
      • Our mind is made for fitness, not for truth (Steve Pinker)
      • Many of us are not rational enough to be exposed to hypes
  • 18. Now act accordingly
  • 19. chung.mike@kpmg.nl