IAM challenges, Trust and Implementing an IAM roadmap at PrivSec IAM

Robert Bateman, Analyst and Research Director, GRC World Forums, got the morning’s talks underway with ”How to implement an IAM Roadmap with Effective Ongoing Demand-Management Practices To Align Business Needs.” The panel of experts explained that organisations often lack mature roadmaps, creating point-in-time roadmaps but not actively managing or working from them over time. (In other cases, organizations lack a roadmap at all.) A point-in-time roadmap does not accurately reflect ongoing or completed projects, recently adopted technology, or other dependencies. Without a continually updated roadmap, an organization’s IAM team provides limited demand management and reacts to business needs only as they arise.

The lack of demand management leads to IAM investment that is not aligned with true business needs. In order to make the roadmap effective, a demand-management function is needed. 

When discussing the historical view of IAM, David Doret, IT Risk & Cybersecurity: IAM & PAM Manager, BNP Paribas said that ”IAM was focused on the work force, and this is probably caused by the historical evolution of IAM products. This is a wrong view of capabilities today. IAM does have a number of sub domains, and we shouldn’t understand it as simply for the workforce. IAM embraces customer IAM.”

Jas Sagoo, Sr Director, Technical Sales and Services International, Auth0, added: ”There was a historical view of what IAM was focusing on the workforce. What we’re seeing now is customer identity. What organisations should be looking at when thinking about IAM strategy and roadmap is how can they leverage tools to cover an entire spectrum.The important point here is whatever platforms or technology they’re using, there’s always elements where you have to create integrations, always look at standards.”

Zoë Rose, Regional and Supplier Information Security Lead, Canon, explained that when it comes to building a roadmap it is necessary to “pull in all the non-functional, functional requirements.”

”You’re not going to implement the most expensive solution because it might not be the right one for your business. First thing to do is a problem statement, is it IT or is it security growth? Is this something new, are you extending something you already have? To be able to succeed in a project you need to know the requirement and the purpose. A lot of programs I’ve seen fail, regardless of the solution, is that they did not property acquire those requirements.”

”You probably won’t get them all at once (requirements.) You’ll want a process in place to prepare for changes. Things change, you might have a new requirement or change in an existing requirement. Ensure that it’s remaining accurate, and someone needs to be in charge to be accountable for that,” Rose added. 

During the “Implementing an Effective Operating Model to Ensure Organisational Alignment to Continuously Improve IAM Services” session, the panel of experts acknowledged that a fundamental mistake for organisations when handling security needs is performing individual, one-off projects to address IAM concerns. Individual projects often lack centralised leadership and provide only temporary solutions to the issue at hand. While a one-off initiative may temporarily close a pointed gap for a specific business area, it may not always align with the enterprise IAM program vision.

David Terrar, Director and Chair, Cloud Industry Forum, said that “the last 18 months have demonstrated how nimble our organisations can be at having to do things differently. That shows us the need for having the right approach, and that the landscape we’re dealing with has got a lot more sophisticated, and there are a lot more opportunities for organisations to get it wrong.”

When discussing how the pandemic changed the IAM landscape, Terrar added: ”All of the security landscape was changed and made more complex. More threats, getting more sophisticated. We went from a complicated world you could plan for, to a complicated world you couldn’t.” 

Oliver Carr, Cyber Security Evangelist, Strategist, and Leader, explained that a IAM model is needed in order to become the enabler of business priorities and business goals: ”When it comes to IAM services, we need to provide solutions to the business. The more you get to organisations who develop their own digital services, the more important it is to provide solutions which can be slotted in.”

When discussing in-house solutions, Carr added: ”If you look at the companies providing those solutions today, they spend more money than we will ever get to as organisations. Don’t kid yourself that you can do it better. On the other hand, don’t totally hand it over to someone that doesn’t understand your business.”

Trust was a hot topic on the agenda today. In the ”OneLogin Keynote: Trust but apply ZERO TRUST” session Niamh Muldoon, Global Data Protection Officer, OneLogin explained how many organizations struggle with digital transformation, hybrid workforces and cloud computing particularly when implementing a framework to meet their compliance requirements. Thus trusting a brand while applying a “Zero Trust Technical Architecture and Zero Trust Operating Model” was discussed. 

Muldoon said when it comes to Zero Trust and framework, it’s all about operational brilliance, adding that it is important that end users know the difference between being a trusted organisation and operation excellence, and the operation approach to zero trust. 

She added that it is important that end users ”are aware of the various different threats they face in their day to day roles, and why zero trust must be applied,” and when it comes to zero trust operations end users need to know ”if they have encountered a threat or have done something incorrectly, how to report and correct it.”