Checklist Playbook for CISO, CSO and Information Risk & Security Managers to plan and implement a successful IAM (Identity and Access Management) program. It covers Access Governance and Identity Administration, Single Sign On (SSO), Privileged Identity Management, and more.
2. WHAT IS YOUR EXPERIENCE WITH IAM PROGRAMS
Advantages
Challenges
Advice
3. PLAYBOOK FOR IAM PROJECTS
Map Vision to a Specific Organizational Need or Pain Point
Readiness Assessment and Planning
Build a Business Case for Management Buy-in
Technology and Product Evaluation
Implementation Roadmap
Avoid Common Pitfalls
4. BROAD CATEGORIES FOR DISCUSSION
Access Governance and Identity Administration
Access Certification, Centralized User Administration
Single Sign-On
Reduce Password Stress
Privileged Identity Management
Control and Track Shared Access
5. IDENTITY AND ACCESS GOVERNANCE
Map Vision to a Specific Organizational Need or Pain Point
Compliance – Auditor paints us in the red
Knowing Who has access to What
Readiness Assessment and Planning
Who are the Users – Employees, Third Parties, Customers
What are the current User Management Processes
Where do applications reside – on-premise, cloud
What effort is needed by Stakeholders
TCO – Include effort by Stakeholders and benefit accruing to them
Build a consensus with stakeholders
Prioritize to ensure a positive first impression
Who will drive the program, build an inclusive governance team
6. IDENTITY AND ACCESS GOVERNANCE
Build a Business Case for Management Buy-in
Start Small and show Incremental Business value
Focus on Soft Benefits such as Productivity, Efficiency, Time Saved
Show Hard Benefits as the IAM program Matures over time
Identify high-quality stakeholders who will benefit
Technology and Product Evaluation
Be mindful of changing business processes and application landscape over the years
Where do applications reside – on-premise, cloud
Prefer extensible solutions that can be scaled up over time
Skilled and experienced resources should be available in the market
OEM presence and support should be available in the local geography
7. IDENTITY AND ACCESS GOVERNANCE
Implementation Roadmap
Prioritize Features and Applications on low cost, maximum impact
Identify Early Adopters and use them as advocates
Prepare a framework to categorize applications and adopters
Avoid Common Pitfalls
Lack of planning and prioritizing
Overly ambitious in scope, scale and effort
IT drives the project without stakeholder involvement and buy-in
Trying to implement complex IAM technology on their own
Reusing bad processes in new systems
Product selection based only on license cost or free deals
8. SINGLE SIGN-ON
Map Vision to a Specific Organizational Need or Pain Point
User Convenience – Too Many Passwords to Remember
Reducing the Helpdesk Cost
Readiness Assessment and Planning
Who are the Users – Employees, Third Parties, Customers
Where do applications reside – on-premise, cloud, etc.
What type of applications – WebApp, Thick, Terminal
Access Mechanisms – Within Network, Outside Network
What effort is needed by Stakeholders
TCO – Include effort by Stakeholders and benefit accruing to them
Build a consensus with stakeholders
Prioritize to ensure a positive first impression
9. SINGLE SIGN-ON
Build a Business Case for Management Buy-in
Focus on Soft Benefits such as User Convenience
Show Hard Benefits as savings on Helpdesk costs
Identify high-quality stakeholders who will benefit
Technology and Product Evaluation
Be mindful of changing usage patterns of users over the years
Extensible solutions that can be scaled up over time
Skilled and experienced resources should be available in the market
OEM presence and support should be available in the local geography
10. SINGLE SIGN-ON
Implementation Roadmap
Prioritize Applications and Features on low cost, maximum impact
Identify Early Adopters and use them as advocates
Prepare a framework to categorize applications and adopters
Avoid Common Pitfalls
Lack of planning and prioritizing
Overly ambitious in scope, scale and effort
IT drives the project without stakeholder involvement and buy-in
Trying to implement complex IAM technology on their own
Reusing bad processes in new systems
Product selection based only on license cost or free deals
11. PRIVILEGED IDENTITY MANAGEMENT
Map Vision to a Specific Organizational Need or Pain Point
Compliance – Auditor paints us in the red
Who is using Shared IDs and What are they doing with them
Readiness Assessment and Planning
Identify the Users – Internal IT, Outsourced IT, OEM, Shadow IT
Identify the Types of devices, servers and databases and how they are accessed
TCO – Include effort by Stakeholders and benefit accruing to them
Build a consensus with stakeholders
Prioritize to ensure a positive first impression
12. PRIVILEGED IDENTITY MANAGEMENT
Build a Business Case for Management Buy-in
Focus on Compliance and Reducing Risk of Vendor/Third Party Access
Show highly sensitive data at Risk of Breach
Show Hard Benefits as savings on manual audit and forensics
Technology and Product Evaluation
Flexibility to accommodate a variety of access mechanisms and remote access tools
Storage requirements for data retention for audit purposes and features to minimize the size of recordings
What features are there to quickly search and play back a point-in-time recording instead of viewing hours of recordings
Are there features for real-time alerting or blocking of high-risk commands
Skilled and experienced resources should be available in the market
OEM presence and support should be available in the local geography
13. PRIVILEGED IDENTITY MANAGEMENT
Implementation Roadmap
Prioritize High Risk devices, servers and databases
Prioritize High Risk users
Avoid Common Pitfalls
Lack of planning and prioritizing
Overly ambitious in scope, scale and effort
IT drives the project without stakeholder involvement and buy-in
Trying to implement complex IAM technology on their own
Product selection based only on license cost or free deals
14. AUJAS INFORMATION RISK SERVICES (AUJAS.COM)
400+ Customers served across 22 countries
340+ Employees globally with more than 190 specialists
290+ Certified employees across standards, technologies & industry certifications
Aujas helps organizations manage information security risks by protecting data, software, people and identities in line with compliance requirements and best practices; we also help strengthen security governance and intelligence frameworks.
Investors:
• Seed Funding
  • IDG Ventures – Boston, MA
• Series B Funding
  • IDG Ventures – Boston, MA
  • IvyCap Ventures – Bay Area, CA
  • RVCF - India
Global Presence: