The 2015 Gartner IAM Summit in Las Vegas focused on successful identity and access management deployments. Gartner defines successful IAM solutions as simple, business driven, and secure. Simple refers to a solution’s degree of difficulty related to its installation, configuration, implementation and maintenance. Business driven recognizes that people drive business operations and decision-making. Identity and access management enables best practices to happen. Secure ensures the right people maintain the right access to the right systems at the right time.
Identity and access management, an important undertaking for an enterprise, can be transformative. It’s also not easy, and with the Internet of Things (IoT), successful IAM deployments are about to get even more challenging. Just as alarming, another unannounced theme of the Gartner IAM Summit focused on identity management’s failure to deliver value as promised. Clearly, the rise of digital business creates new opportunities, but it also brings new challenges.
In addition to heightened attention on privacy issues, classical IAM issues continue to stymie IAM deployments. These include typical risks that derail programs: inadequate funding, alignment and attention to change management immediately come to mind. IAM provides automated and self-service tools for provisioning, access management, and governance, yet companies often experience modest operational and security improvements after rollout. Why is this so?
Gartner IAM Traditional Challenges Exposed
Those steeped in IAM’s traditional challenges share common frustrations. These center on getting business buy-in, choosing the right solution, and encouraging adoption. These experiences indicate that IAM value results more from strategy than from technology capabilities. Vendor positioning of all-in-one solutions frequently neglects to mention that IAM delivers value only when expectations are thought out with achievable timelines.
As part of a solution, you must concurrently prepare everyone for change. To demonstrate this point, Avatier hosted a "solution provider" session. Like previous Gartner events, we let a customer share their IAM experience. Our session, "Launch Your Solution in 12 Weeks," featured Calnan Weech, Senior Director of IT at Atlantis, Paradise Island Resorts.
Successful IAM Case Study
Atlantis, Paradise Island, Bahamas, represents one of the world’s most astounding resorts. They are the largest resort and casino in the Caribbean. With over 8,000 employees, Mr. Weech identified the key decisions leading to their successful IAM rollout. Transitioning from manual provisioning, their IAM strategy delivered near immediate value to operations in the Bahamas, Atlantic City, Florida, and New York.
Foremost, they sought to improve provisioning efficiency and perform timely de-provisioning with certainty. Particularly, with over 150 business applications, de-provisioning access was a challenge. It took excessive time and made reporting compliance with confidence difficult. In addition, they sought to replace manual processes with self-service IAM. They recognized this transformation required role-based access control (RBAC) and automated workflow approval processes.
To streamline their audit reviews, they first required strong access controls. For PCI DSS and SOX compliance reporting, they needed system and application accountability. For PCI DSS compliance, they must restrict access to customer data to business need-to-know. This requires tracking and monitoring all access to network resources and consumer credit card data.
Sarbanes-Oxley (SOX) makes signing officers responsible for internal audit controls with penalties including fines and imprisonment. Signing officers must evaluate their internal controls and report on them every 90 days. Publicly traded companies must publish the effectiveness of their financial reporting audit controls and operational procedures. SOX makes the board of directors and management responsible for audit and record keeping failures.
Successful IAM Decision Making
Atlantis, Paradise Island chose their IAM solution based on their existing experience with Avatier. In 2014, they deployed our enterprise password manager with great success. One year later, they received management buy-in for our IAM provisioning solution. They convinced stakeholders of provisioning efficiency gains along with elevated de-provisioning security.
Mr. Weech related that they secured funding one year in advance. Over the course of the next several months, they took time to align operations. They assembled a team consisting of a project manager and an IT SME. The two worked half time on the project. They were primarily responsible for the activities of a larger project team formed from partnerships across their operations and locations. This at-large project management team performed testing, took advanced training, and served as early adopters. Twelve weeks after their kick-off, they celebrated their go-live rollout.
Perhaps you are thinking, "only in paradise." Another perspective is paradise revealed. Through planning and a successful relationship with an existing vendor, Atlantis, Paradise Island tells a story. They concentrated on their operations. They first took time to align their stakeholders and management. Next, they empowered a cross-functional team and spent little time evaluating IAM solutions. When they were ready to kick off, they made a purchase.
In production for two months, Atlantis, Paradise Island is off to a successful IAM start. They appear on course to achieve the efficiency and security value as projected. In transforming IAM operations, they are certain to meet, even exceed, their goals. This includes improving provisioning service levels by two days and terminating access within 24 hours. With streamlined processes and improved efficiencies, Atlantis, Paradise Island can redirect their focus. Freed from manual provisioning and de-provisioning, they now concentrate on compliance reviews, IT audits and security. In showing how, Atlantis, Paradise Island represents the Gartner IAM definition of success.
Begin your identity management initiative by following what corporate compliance experts recommend for the workflow automation of business processes, self-service administration and IT operations.