Recipe for failure - why IAM projects fail


Why do IAM projects fail so often? KPMG provides answers.

Published in: Technology, Business
  1. Recipe for failure: Six habits to ruin Identity and Access Management. March 2013, KPMG in the Netherlands, drs. Mike Chung RE
  2. Facts and figures
     • Most large IT projects have significant cost overruns and deliver far less than anticipated, and one in six projects is a ‘black swan’ (Oxford Business School 2011)
     • Over 75% of IAM projects deliver less than expected (KPMG 2009)
     • Almost 50% of IAM projects fail outright (KPMG 2009)
  3. From mess to menace: your route to chaos
     • Automation of access
     • Proliferation of accounts
     • Rise of IAM
     • Push for compliance
     • Age of numbness
     • Lost to the cloud
  4. Chaos
     • Myriad of access permissions
     • Password madness
     • Maze of interfaces
  5. Chaos (continued)
     • Security leaks
     • Non-compliance
     • Higher costs
  6. Habit I: Assign to the wrong department
     • Burden IT with business responsibilities
     • Expect IT to have a full understanding of business processes, compliance and the value of data
     • Do as you please
  7. Why do we do that?
     • IAM is perceived as an IT issue
     • IAM technology vendors talk to IT managers
     • Deployment of directories and user repositories is initiated by IT departments
  8. Habit II: Never stop expanding
     • Increase the number of accounts blindly
     • Create GPOs, groups, nested groups and more groups
     • ... and shares and SharePoint sites
  9. Why do we do that?
     • We (people) are driven to provide instant solutions without considering the consequences
     • Integrating IAM landscapes after mergers and acquisitions is often complex and labour-intensive
     • Applications often offer functionality that is easy to use but difficult to govern
  10. Habit III: Work towards complexity
     • Deploy multiple directories, virtual directories and repositories
     • Implement that fancy IAM system, password wallets, PAM, SIEM, access governance application, data governance tool
     • Treat your organisation to enterprise RBAC, policy-based access, context-based IAM and whatever else sounds vaguely credible
  11. Why do we do that?
     • The IAM industry is a fast-moving industry with many new technologies and products
     • Issues from one application are patched by another application with issues, which is patched by ...
     • In theory, theory and practice are the same; in practice, they are not (Albert Einstein)
  12. Habit IV: Trivialize the importance
     • Remember: excessive access is far better than no access
     • Ignore security leaks, or better: convince yourself that IAM has nothing to do with security
     • Pass audit findings to someone else; what about the IT department?
  13. Why do we do that?
     • Business users perceive access as a (human) right and excessive access as a secondary consideration
     • Security awareness is often low
     • Data security is seen as solely an IT issue, and the IT department sees it the same way
  14. Habit V: Hear no evil, see no evil
     • Keep the end state of IAM obscure
     • Keep the current state of IAM unknown to everybody else, and to yourself
     • Then ask yourself: how am I supposed to know the delta?
  15. Why do we do that?
     • We have no protocol of behaviour for things we don’t see (Nassim Nicholas Taleb)
     • We take a lot of risks because we are comfortable: we don’t see them
     • We are notoriously bad at estimating the magnitude of complex, abstract issues
  16. Habit VI: Rush to the cloud
     • Bypass IT on your way to SaaS
     • Believe in the next big thing
     • Quit asking questions and stop thinking
  17. Why do we do that?
     • Organisations are usually driven by costs, seldom by rational insights
     • Our mind is made for fitness, not for truth (Steven Pinker)
     • Many of us are not rational enough to be exposed to hypes
  18. Now act accordingly
  19. (blank slide)
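Habit II (nested groups that nobody can reason about) and Habit V (not knowing the delta between current and intended access) are the two habits a practitioner can actually measure. The script below is an added example, not part of the KPMG deck and not a KPMG tool: it takes a small, constructed directory snapshot (hypothetical groups, users and permissions), resolves nested group membership with cycle protection, and reports which groups nest too deeply and which permissions each user holds beyond what has been approved. The group names, permission strings and approval list are all assumptions made for the example.

```python
"""Resolve nested group membership and compute the access delta.

Added example with constructed data; not the deck's content or any vendor's API.
"""
from collections import deque

# Constructed directory snapshot: group -> direct members, where a member is
# either a user ("u:alice") or another group ("g:finance-ro").
GROUPS = {
    "g:all-staff": {"u:alice", "u:bob", "u:carol"},
    "g:finance": {"u:alice", "g:finance-ro"},
    "g:finance-ro": {"u:bob", "g:reporting"},
    "g:reporting": {"u:carol", "g:finance-ro"},  # nesting cycle, typical of grown directories
    "g:admins": {"u:alice"},
}

# Constructed mapping of groups to the permissions they grant.
GROUP_PERMS = {
    "g:all-staff": {"intranet:read"},
    "g:finance": {"ledger:write", "ledger:read"},
    "g:finance-ro": {"ledger:read"},
    "g:reporting": {"reports:read"},
    "g:admins": {"ad:domain-admin"},
}

# Constructed target state: the permissions each user is approved to hold.
APPROVED = {
    "u:alice": {"intranet:read", "ledger:read", "ledger:write"},
    "u:bob": {"intranet:read", "ledger:read"},
    "u:carol": {"intranet:read", "reports:read", "hr:read"},
}


def expand_group(group, groups):
    """Return (users, max_depth) reachable from `group` through nested groups.

    A visited set stops cycles; depth counts the group hops needed to reach a user.
    """
    users, seen = set(), {group}
    queue = deque([(group, 0)])
    max_depth = 0
    while queue:
        g, depth = queue.popleft()
        max_depth = max(max_depth, depth)
        for member in groups.get(g, ()):
            if member.startswith("u:"):
                users.add(member)
            elif member not in seen:
                seen.add(member)
                queue.append((member, depth + 1))
    return users, max_depth


def effective_access(groups, group_perms):
    """Map user -> set of permissions actually granted via any (nested) group."""
    access = {}
    for g, perms in group_perms.items():
        users, _ = expand_group(g, groups)
        for user in users:
            access.setdefault(user, set()).update(perms)
    return access


def access_delta(current, approved):
    """Per user: permissions held but not approved (excess), approved but absent (missing)."""
    delta = {}
    for user in set(current) | set(approved):
        have, want = current.get(user, set()), approved.get(user, set())
        delta[user] = {"excess": have - want, "missing": want - have}
    return delta


def deep_groups(groups, max_allowed=1):
    """Groups whose nesting exceeds the allowed depth (default: one level of nesting)."""
    return sorted(g for g in groups if expand_group(g, groups)[1] > max_allowed)


if __name__ == "__main__":
    current = effective_access(GROUPS, GROUP_PERMS)
    for user, d in sorted(access_delta(current, APPROVED).items()):
        print(user, "excess:", sorted(d["excess"]), "missing:", sorted(d["missing"]))
    print("too deeply nested:", deep_groups(GROUPS))
```

Run against the constructed data, the delta shows that `g:finance` nesting `g:finance-ro`, which nests `g:reporting`, silently hands `ledger:write` to `u:bob` and `u:carol`, neither of whom is approved for it; that is the kind of excess access the deck calls "far better than no access". Replacing the three constructed dictionaries with exports from a real directory and an approval system turns the same logic into a periodic access review.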