Checklist Playbook for CISO, CSO and Information Risk & Security Managers to plan and implement a successful IAM (Identity and Access Management) program. It covers Access Governance and Identity Administration, Single Sign On (SSO), Privileged Identity Management, and more.

1. IDENTITY AND ACCESS
MANAGEMENT PLAYBOOK
DEEPAK SIMON
IAM SOLUTION ADVISOR,
CISO PLATFORM 2016
deepak.simon@aujas.com

2. WHAT IS YOUR EXPERIENCE WITH IAM PROGRAMS
Advantages
Challenges
Advise
2

3. PLAYBOOK FOR IAM PROJECTS
 Map Vision to a Specific Organizational Need or Pain Point
 Readiness Assessment and Planning
 Build a Business Case for Management Buy-in
 Technology and Product Evaluation
 Implementation Roadmap
 Avoid Common Pitfalls
3

4. BROAD CATEGORIES FOR DISCUSSION
Access Governance and Identity Administration
 Access Certification, Centralized User Administration
Single Sign-On
 Reduce Password Stress
Privileged Identity Management
 Control and Track Shared Access
4

5. IDENTITY AND ACCESS GOVERNANCE
 Map Vision to a Specific Organizational Need or Pain Point
 Compliance – Auditor paints us in the red
 Knowing Who has access to What
 Readiness Assessment and Planning
 Who are the Users – Employees, Third Parties, Customers
 What are the current User Management Processes
 Where do applications reside – on-premise, cloud
 What effort is needed by Stakeholders
 TCO – Include effort by Stakeholders and benefit accruing to them
 Build a consensus with stakeholders
 Prioritize to ensure a positive first impression
 Who will drive the program, build an inclusive governance team
5

6. IDENTITY AND ACCESS GOVERNANCE
 Build a Business Case for Management Buy-in
 Start Small and show Incremental Business value
 Focus on Soft Benefits such a Productivity, Efficiency, Time Saved
 Show Hard Benefits as the IAM program Matures over time
 Identify high-quality stakeholders who will benefit
 Technology and Product Evaluation
 Be mindful of changing business processes and application landscape over the
years
 Where do applications reside – on-premise, cloud
 Prefer extensible solutions that can be scaled up over time
 Should have availability of skilled and experienced resources in market
 OEM presence and support should be available in local geography
6

7. IDENTITY AND ACCESS GOVERNANCE
 Implementation Roadmap
 Prioritize Features and Applications on low cost, maximum impact
 Identify Early Adopters and use them as advocates
 Prepare a framework to categorize applications and adopters
 Avoid Common Pitfalls
 Lack of planning and prioritizing
 Overly ambitious in scope, scale and effort
 IT drives the project without stakeholder involvement and buy-in
 Trying to implement complex IAM technology on their own
 Reusing bad processes in new systems
 Product selection based only on license cost or free deals
7

8. SINGLE SIGN-ON
 Map Vision to a Specific Organizational Need or Pain Point
 User Convenience – Too Many Passwords to Remember
 Reducing the Helpdesk Cost
 Readiness Assessment and Planning
 Who are the Users – Employees, Third Parties, Customers
 Where do applications reside – on-premise, cloud, etc.
 What type of applications – WebApp, Thick, Terminal
 Access Mechanisms – Within Network, Outside Network
 What effort is needed by Stakeholders
 TCO – Include effort by Stakeholders and benefit accruing to them
 Build a consensus with stakeholders
 Prioritize to ensure a positive first impression
8

9. SINGLE SIGN-ON
 Build a Business Case for Management Buy-in
 Focus on Soft Benefits such a User Convenience
 Show Hard Benefits as savings on Helpdesk costs
 Identify high-quality stakeholders who will benefit
 Technology and Product Evaluation
 Be mindful of changing usage patterns of users over the years
 Extensible solutions that can be scaled up over time
 Should have availability of skilled and experienced resources in market
 OEM presence and support should be available in local geography
9

10. SINGLE SIGN-ON
 Implementation Roadmap
 Prioritize Applications and Features on low cost, maximum impact
 Identify Early Adopters and use them as advocates
 Prepare a framework to categorize applications and adopters
 Avoid Common Pitfalls
 Lack of planning and prioritizing
 Overly ambitious in scope, scale and effort
 IT drives the project without stakeholder involvement and buy-in
 Trying to implement complex IAM technology on their own
 Reusing bad processes in new systems
 Product selection based only on license cost or free deals
10

11. PRIVILEGED IDENTITY MANAGEMENT
 Map Vision to a Specific Organizational Need or Pain Point
 Compliance – Auditor paints us in the red
 Who is using Shared Id’s and What are they doing with it
 Readiness Assessment and Planning
 Identify the Users – Internal IT, Outsourced IT, OEM, Shadow IT
 Identify the Types of devices, servers and databases and how they are accessed
 TCO – Include effort by Stakeholders and benefit accruing to them
 Build a consensus with stakeholders
 Prioritize to ensure a positive first impression
11

12. PRIVILEGED IDENTITY MANAGEMENT
 Build a Business Case for Management Buy-in
 Focus on Compliance and Reducing Risk of Vendor/Third Party Access
 Show highly sensitive data at Risk of Breach
 Show Hard Benefits as savings on manual audit and forensics
 Technology and Product Evaluation
 Flexibility to accommodate variety of access mechanisms and remote access tools
 Storage requirements for data retention for audit purposes and features to
minimize size of recordings
 What features are there to quickly search and playback point in time recording
instead of viewing hours of recordings
 Are there features for real time alerting or blocking of high risk commands.
 Should have availability of skilled and experienced resources in market
 OEM presence and support should be available in local geography 12

13. PRIVILEGED IDENTITY MANAGEMENT
 Implementation Roadmap
 Prioritize High Risk devices, servers and databases
 Prioritize High Risk users
 Avoid Common Pitfalls
 Lack of planning and prioritizing
 Overly ambitious in scope, scale and effort
 IT drives the project without stakeholder involvement and buy-in
 Trying to implement complex IAM technology on their own
 Product selection based only on license cost or free deals
13

14. 14
AUJAS INFORMATION RISK SERVICES (AUJAS.COM)
400+ Customers
served across 22 countries
340+ Employees
globally with more than 190
specialists
290+ Certified employees
across standards, technologies &
industry certifications
Aujas helps organizations manage information security risks by protecting data, software, people and
identities in line with compliance requirements and best practices; we also help strengthen security
governance and intelligence frameworks.
Investors:
• Seed Funding
• IDG Ventures – Boston, MA
• Series B Funding
• IDG Ventures – Boston, MA
• IvyCap Ventures – Bay Area, CA
• RVCF - India
Global Presence: