Recipe for failure
Six habits to ruin Identity and Access Management
March 2013
KPMG in the Netherlands
drs. Mike Chung RE
Facts and figures
• Most large IT projects have significant cost overruns and deliver far less than anticipated; one in six projects is a ‘black swan’ (Oxford Business School 2011)
• Over 75% of IAM projects deliver less than expected (KPMG 2009)
• Almost 50% of IAM projects fail outright (KPMG 2009)
From mess to menace: your route to chaos
• Automation of access
• Proliferation of accounts
• Rise of IAM
• Push for compliance
• Age of numbness
• Lost to the cloud
Chaos
• Myriad of access permissions
• Password madness
• Maze of interfaces
Habit I: Assign to the wrong department
• Burden IT with business responsibilities
• Expect IT to have a full understanding of business processes, compliance and the value of data
• Do as you please
Why do we do that?
• IAM is perceived as an IT issue
• IAM technology vendors talk to IT managers
• Deployment of directories and user repositories is initiated by IT departments
Habit II: Never stop expanding
• Increase the number of accounts blindly
• Create GPOs, groups, nested groups and more groups
• ... and shares and SharePoint sites
Why do we do that?
• We (people) are driven to provide instant solutions without considering the consequences
• Integrating IAM landscapes after mergers and acquisitions is often complex and labour-intensive
• Applications often offer functionality that is easy to use but difficult to govern
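Habit II in practice, as an added example that is not part of the original deck: a small Python script over a constructed directory snapshot (the groups, ACLs and approved baseline below are invented for illustration, not real data) that resolves nested group membership, detects groups that are nested into themselves, and lists every effective permission that exceeds what was approved. It shows how nesting a department group into its own admin group quietly gives an ordinary user full access, which is exactly the delta an access review has to find.

```python
"""Resolve nested groups to effective access and flag grants above an approved baseline.

Added example with constructed data; group, ACL and baseline names are illustrative only.
"""
from collections import deque

# Constructed directory snapshot: group -> members (user accounts or other groups).
# Names prefixed "grp-" are groups; anything else is a user account.
GROUP_MEMBERS = {
    "grp-all-staff": ["alice", "bob", "grp-finance"],
    "grp-finance": ["carol", "grp-finance-admins"],   # admins were given finance rights ...
    "grp-finance-admins": ["dave", "grp-finance"],    # ... and finance was nested into admins: a cycle
    "grp-sharepoint-owners": ["grp-finance-admins"],
}

# Constructed ACLs: resource -> {group: permission granted to that group}
ACLS = {
    "fs01:payroll": {"grp-finance": "read", "grp-finance-admins": "full"},
    "sharepoint:board": {"grp-sharepoint-owners": "full", "grp-all-staff": "read"},
}

# Constructed approved baseline: (user, resource) -> highest permission the business signed off
BASELINE = {
    ("carol", "fs01:payroll"): "read",
    ("dave", "fs01:payroll"): "full",
    ("dave", "sharepoint:board"): "full",
    ("alice", "sharepoint:board"): "read",
    ("bob", "sharepoint:board"): "read",
}

RANK = {"read": 1, "write": 2, "full": 3}  # ordering used to pick the strongest grant


def is_group(name):
    return name.startswith("grp-")


def expand_group(group, members=GROUP_MEMBERS):
    """Return every user account reachable from `group` through nested groups.

    Breadth-first over group membership; each group is visited once, so cycles
    (a group that is transitively a member of itself) cannot loop forever.
    """
    seen, users, queue = set(), set(), deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for m in members.get(g, []):
            (queue.append if is_group(m) else users.add)(m)
    return users


def nested_cycles(members=GROUP_MEMBERS):
    """Groups that are (transitively) members of themselves, sorted by name."""
    cycles = []
    for g in members:
        stack = [m for m in members[g] if is_group(m)]
        visited = set()
        while stack:
            m = stack.pop()
            if m == g:
                cycles.append(g)
                break
            if m in visited:
                continue
            visited.add(m)
            stack.extend(x for x in members.get(m, []) if is_group(x))
    return sorted(cycles)


def effective_access(acls=ACLS, members=GROUP_MEMBERS):
    """Return user -> {resource: strongest permission} after expanding every ACL group."""
    result = {}
    for resource, entries in acls.items():
        for group, perm in entries.items():
            for user in expand_group(group, members):
                grants = result.setdefault(user, {})
                if resource not in grants or RANK[perm] > RANK[grants[resource]]:
                    grants[resource] = perm
    return result


def excess_access(baseline=BASELINE, acls=ACLS, members=GROUP_MEMBERS):
    """Return (user, resource, actual, approved) for every grant above the baseline.

    `approved` is None when the user should have no access to the resource at all.
    """
    findings = []
    for user, grants in sorted(effective_access(acls, members).items()):
        for resource, perm in sorted(grants.items()):
            approved = baseline.get((user, resource))
            if approved is None or RANK[perm] > RANK[approved]:
                findings.append((user, resource, perm, approved))
    return findings


if __name__ == "__main__":
    print("groups nested into themselves:", nested_cycles())
    for user, resource, actual, approved in excess_access():
        print(f"{user}: {resource} actual={actual} approved={approved}")
```

Running it reports the finance/finance-admins cycle and two findings for carol: full instead of read on the payroll share, and full on the board site where no access was approved at all. Neither grant appears on any ACL under carol's own name; both exist only through group nesting, which is why reviewing direct membership lists never surfaces them.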
Habit III: Work towards complexity
• Deploy multiple directories, virtual directories and repositories
• Implement that fancy IAM system, password wallets, PAM, SIEM, an access governance application, a data governance tool
• Delight your organisation with enterprise RBAC, policy-based access, context-based IAM and whatever else sounds vaguely credible
Why do we do that?
• The IAM industry is fast-moving, with many new technologies and products
• Issues in one application are patched by another application with its own issues, which is patched by ...
• In theory, theory and practice are the same; in practice, they are not (Albert Einstein)
Habit IV: Trivialise the importance
• Remember: excessive access is far better than no access
• Ignore security leaks, or better: convince yourself that IAM has nothing to do with security
• Pass audit findings to someone else; what about the IT department?
Why do we do that?
• Business users perceive access as a (human) right and excessive access as a secondary consideration
• Security awareness is often low
• Data security is seen as solely an IT issue, and the IT department sees it that way too
Habit V: Hear no evil, see no evil
• Keep the end state of IAM obscure
• Keep the current state of IAM unknown to everybody else, and to yourself
• Then ask yourself: how am I supposed to know the delta?
Why do we do that?
• We have no protocol of behaviour for things we don’t see (Nicolas Taleb)
• We take a lot of risks because we are comfortable as long as we don’t see them
• We are notoriously bad at estimating the magnitude of complex, abstract issues
Habit VI: Rush to the cloud
• Bypass IT on your way to SaaS
• Believe in the next big thing
• Quit asking questions and stop thinking
Why do we do that?
• Organisations are usually driven by costs, seldom by rational insights
• Our mind is made for fitness, not for truth (Steve Pinker)
• Many of us are not rational enough to be exposed to hype