contact Search
Search
Insight

IDAM: sharpening identity and access management

Harry Metcalf

Identity and access management (IDAM) is a cornerstone of cyber security. It’s also one of the hardest areas to get right. The challenges aren’t just technical. There are also important business issues to consider including how to align IDAM with your organisation’s operating model, how to bring key people from the business on board and how to strike the right balance between security and user experience in line with your risk appetite. So how can you make sure your IDAM is fit for purpose, technically and strategically? 

You wouldn’t give your passport or bank details to a random stranger on the street. IDAM is the business equivalent of the precautions you would follow in your personal life. 

IDAM is a set of policies, processes and tools that enable the right users and devices to access the right resources, at the right times, for the right reasons.  

IDAM is more important than ever as access becomes stretched across increasingly extended digital ecosystems, many involving customers, suppliers and other third-parties. IDAM is also a critical element of compliance with new regulations including the Network and Information Security (NIS2) Directive.

In turn, IDAM is at the centre of the growing shift from traditional firewalls to ‘never trust, always verify’ zero-trust access. More than half of cyberattacks leverage compromise of valid user credentials. Zero-trust based IDAM controls are one of the only protections against this.

The importance of IDAM in cyber security

Tech-enabled IDAM solutions are essential. Organisations can no longer rely on manual and error-prone processes to protect access to sensitive data and corporate resources. 

Effective IDAM secures access to your corporate network, ensuring only the right users and devices have access to the right systems at the right time. It can also automate the allocation and management of user access rights, providing granular access control and auditing of all corporate assets on premises and in the cloud.  

IDAM is a responsive as well as preventative control. If information is compromised, IDAM provides a clear repository of who has access to what. It also allows for mass rollout of access changes or password updates. 

However, the cost should be weighed up against the value derived to set up and maintain the matrix of users, roles and application access rights. Many companies find that the most effective use of time and money comes from concentrating this effort on the critical systems which house confidential data or provide elevated access to users. 

Beyond all-important security and compliance, effective IDAM can improve the user experience by enabling single sign-on for applications and automatically updating permissions as employees move roles.  

As you look to drive innovation and digital engagement, the competitive advantages include allowing customers, partners, contractors and suppliers access to your network without compromising security. 

Cyber security: technical challenges  

But IDAM isn’t a standard solution. The market is fragmented with no one, dominant, ‘do it all’ product or vendor. From a technical perspective, additional complexity comes from the quality of organisations’ own data, the ownership of this information and the trade-off between security and user experience.  

In our experience of helping clients to define and deliver their IDAM objectives, we often discover quality issues with the data used to form ‘identities’ and even an inconsistent view of what constitutes an ‘identity’ within an organisation. Typical examples include missing data that needs to be created from scratch, misalignment of personal data across systems or lack of clarity over who controls the data. 

Managing IDAM complexities in cyber security

Just as demanding are the business challenges. All too often, IDAM initiatives are established and run out of IT, without sufficient involvement from business teams in setting the priorities and building them into design. 

The result is lack of business alignment. This might manifest itself in difficulties in agreeing the right roles and responsibilities to manage identities and access rights across IT and the business functions. Solutions may also struggle to scale and evolve as the number of users or connected systems increases, due to insufficient clarity on how ongoing operations should be managed.    

Insufficient business involvement can also lead to a lack of commitment from the business teams needed to make the IDAM solution work. HR is a clear case in point as it often holds a lot of the identity information and plays a key role in assigning and updating access rights.  

Implementing IDAM solutions

So how do you tackle these technical and business challenges to successfully deliver an IDAM solution that is both secure and aligned with business objectives? Three priorities stand out: 

Build up a clear understanding of your current IDAM maturity and where the key challenges lie, before diving in to select and implement technologies. This includes understanding where and how your current identities and access are managed and ensuring you’re clear about the current ‘joiner, mover, leaver’ processes, as well as understanding how privileged access rights are granted and revoked.  

This initial evaluation will provide important insights into the complexity of the issues you’re trying to resolve and allow you to identify priority areas for improvement to bolster your IDAM maturity and, ultimately, mitigate your security risks. 

Given its business criticality, IDAM requires business sponsorship and management - not just technical expertise. 

Key steps include bringing business and IT leaders together to articulate and seek consensus for the business vision for IDAM and the actionable strategy to achieve that vision. This will include clearly defining the future operating model, such as agreeing on the core IDAM processes and the split of responsibilities across IT and the business, along with what should be centralised in IT or HR versus devolved to business functions.  

Define and implement manageable projects to deliver your IDAM strategy, breaking it down into digestible chunks and setting up the right team and governance for each initiative to successfully deliver. This includes ensuring you have the right mix of internal subject-matter experts from Security, IT, HR and the business functions.  

IDAM projects often require significant changes from the internal and external users of your systems. For example, you might be changing the way in which they access the systems they use every day. So you shouldn’t overlook the importance of having a robust change management plan in place to land and sustain the changes effectively.  

Let’s talk  

From helping our clients run initial discovery assessments and defining their IDAM strategies, to selecting appropriate systems and designing and implementing business-focused solutions, our experienced team of consultants has helped clients such as Unilever, Primark and International Airlines Group (British Airways) to deliver on their IDAM objectives. Come and talk to us to find out more. 

Share:

Related services
Service

Cyber security and operational resilience

Arrow icon
The author
Harry Metcalf

Harry Metcalf, Consultant

Harry's profile
Connect on LinkedIn

Related insights

5
insight - Cyber security

How CEOs can get on top of cyber risks

Arrow icon
2
insight - Cyber security

How NEDs can get on top of cyber risks

Arrow icon
4
insight - Cyber security

How CISOs can get on top of cyber risks

Arrow icon
google maps

The Berkeley Partnership LLP
20 Farringdon Street
9th Floor
London, EC4A 4AB

+44 (0)20 7643 5800

google maps

The Berkeley Partnership LP
530 Fifth Avenue
Suite #808
New York, NY 10036

+1 (929) 526 2010