Our Experience
Plan
Build
Run
Identropy’s professional services practice is designed around Plan, Build and Run. Our plan offering, called “IAM Kickstart”, has been delivering IAM Roadmaps for organizations since 2006.
• Exclusive focus on Identity & Access Management (IAM)
• Our roadmaps are focused on GSD (get stuff done)
• We leverage a tested methodology that creates custom strategies for each organization
We’ve decided to make our methodology available as part of a “Do it Yourself Kit” at http://www.identropy.com
Kickstart Program – 7 Step Approach
1. P.U.T. Chart
2. Onsite Interviews
3. IAM Capability Assessment
4. Research and Follow-up
5. Architecture and Recommendations
6. Roadmap and Budget Estimates
7. Present Findings
DELIVERABLES
• IAM Capability Benchmark
• High-Level Architecture
• Initiative Roadmap
• Editable Project Plan
• Executive Presentation
PUT Chart & Pre-work
• PUT Chart
• Schedule Interviews / Develop Agenda
• Gather collateral
  • Recent Audit findings
  • Governance Structures
  • Org or IT strategies
  • Documented IAM Policies and Procedures
• Hold Interviews
  • Sample questions
  • Take Notes (look for quotes)
The PUT Chart
Findings: Assess the Current State
• Define Program drivers (enablement, risk mitigation, compliance?)
• Group Capabilities (see next slide)
• Rate current maturity and desired/goal state
• CMMI or benchmark – you decide
• Rubrics (they’re not just for cubes anymore)
• Other useful slides: “What is IAM?”, Scope of Assessment, Scope of IAM Program, SWOT, Quotes
Helpful Hint: follow the K.I.S.S. principle
Capability Maturity Assessment Sample
IAM Capability Assessment Rubric
Capability Scoring Rubric

IAM Governance & Organization
• 5=Formal IAM Governance is serving the needs for visibility for all stakeholders
• 4=IAM Governance is part of a larger IT Governance Framework and manages with Metrics and SLAs
• 3=IAM Governance is part of a larger IT Governance Framework and includes formal subcommittees
• 2=IAM Governance is formal but is not part of a larger IT Governance Framework
• 1=IAM Governance is informal

Identity Data Management
• 5=All accounts and roles centrally provisioned and reconciled
• 4=All accounts and roles centrally provisioned
• 3=Internal accounts provisioned, roles local in applications
• 2=Single registry exists, some provisioning is automated
• 1=No single registry of users

User Lifecycle Management
• 5=User lifecycle is managed centrally, request and approval processes are segregated and captured
• 4=Most lifecycle processes are centralized, approvals are generally captured
• 3=Most lifecycle processes are centralized, approvals are generally out-of-band
• 2=Identity is created centrally, but remaining lifecycle processes are decentralized
• 1=Identity Management processes are tribal knowledge

Authentication, Access Control & Federation
• 5=Federated Single Sign On
• 4=Single Sign On with strong authentication
• 3=Single Sign On, static password
• 2=LDAP directory authentication, static password
• 1=Local username, local static password

Authorization & Role Management
• 5=Business Roles are defined and leveraged for (de)provisioning and transfers
• 4=Business Roles are defined and leveraged for (de)provisioning
• 3=Central group management processes exist and are widely leveraged
• 2=Central group management processes exist but are not widely leveraged
• 1=Authorization processes are decentralized and not coordinated

Audit, Reporting, & Event Monitoring
• 5=Risk-based recertification cycles exist with quality control measures in place
• 4=A risk assessment framework is used to establish appropriate recertification cycles
• 3=High risk access is periodically recertified in an automated system
• 2=Access recertification tools exist but are lightly used
• 1=Access is not routinely audited or recertified
Summarize Recommendations and Align to Findings
• Executive Summary
  • Align it to IAM Program drivers
• Architecture Diagram
  • Show current and future state
• Make sure to design for the future
  • SaaS
  • Cloud
  • Mobile
• Select or short-list products
  • Use analyst reports from Gartner or KC
  • Talk to peers or consultants
Sample: Executive Recommendation Summary
Themes: Enable the Business; Drive greater adoption; Balance security with usability
Recommendations: Employ an IAM Center of Excellence and Deploy Enabling Technologies; Deploy an inclusive IAM Governance framework; Establish Risk Assessment Framework and Levels of Assurance
Sample Recommendations – What to do
Employ an IAM Center of Excellence and Deploy Enabling Technologies
• Pull together enterprise identity data into a central identity repository
• Deploy a tool to provide delegated group management
• Replace Custom IAM with packaged software
• Implement coarse-grained policy enforcement with OpenAM
• Bolster application and cloud provisioning tools
• Offer BYOId for loose affiliations and low risk access
• Require strong second factor for certain high-risk access
Establish Risk Assessment Framework and Levels of Assurance
• Inventory Risk at the Application and Group level
• Adopt existing LOA framework, such as the InCommon Assurance Program
• Apply security controls based on risk
Deploy an inclusive IAM Governance framework
• Increase stakeholder involvement through Technical and Business Advisory Groups
• Define Structure and Process for improved decision making and mission alignment
Sample Reference Architecture Diagram
Develop a Roadmap (timeline)
• Do Now, Do Next, Do Later… & Down the Road
• Develop a resource plan (using internal resources, consultants, or mix)
• Estimate costs
  • Understand your fiscal calendar
  • Break-out Capital vs. Expense
  • This often favors SaaS or Open Source
  • If you need estimates – lean on vendors (consulting and product)
  • This is all relevant even if you must do an RFP
IAM Initiative Roadmap
Enable the Business
Drive Greater Adoption
Balance Security with Usability
Develop a Deep-dive in the Appendices
What is a key opportunity or pain point?
• Governance
• Role Management
• Integration Decision Framework
• Project Execution
Tip: dedicate 4-6 slides on a key focus area to drive a particular point home
Perform the Read-out
• Review Detailed deck for IAM Program and closest stakeholders
• Perform executive readout (get to the point in 1 hour)
• Now socialize with the people within your organization whose support is needed
Thanks and Good Luck!
Developing an IAM Roadmap that Fits Your Business


Editor's Notes

• #15 Do now – foundational items. Do next – heavier lifting that is highest priority. Do later – more heavy lifting.