For over twenty years, Wavestone has been helping clients develop and strengthen their Identity and Access Management programs. Within this area, Wavestone has observed that organizations do not always approach IAM in a comprehensive manner. While Security is an obvious dimension covered by IAM, other dimensions (e.g. UX enhancement, internal procedures improvement, etc.) are often overlooked. Additionally, accurately assessing maturity in IAM is complex – market standards, such as NIST, do not allow evaluation across all issues.
To dive deeper into IAM, our experts have created an IAM maturity assessment tool.
Interview with Anatole CATHERIN, Manager and IAM expert for almost 10 years at Wavestone.
Hi Anatole, thanks for your time! First of all, can you explain what IAM really is?
Identity and Access Management (IAM) is a discipline that sits at the crossroads of three worlds:
- Cybersecurity strengthening: It comprises managing identities, the rights granted to these identities and user access to company resources. Each user has access confined to the limits of their role within an organization. To successfully achieve this, organizations need to know who, within their information system, can perform which actions and why. IAM is therefore an essential component of cybersecurity, especially during implementation of a Zero Trust policy.
- Business enablement: Identity and Access Management is also a business enabler and a facilitator for successful digital transformation within organizations as it increases operational process efficiency for employees and customers. For example, IAM enables the control and fluidity of arrivals, departures or mobility by ensuring that new employees benefit from accurate accesses. In case of subsequent mobility or departure, the relevant accesses are removed and no information is lost.
- UX enhancement: IAM facilitates a seamless user experience for employees within an organization. Moreover, the best IAM systems operate behind the scenes to enable work on arrival and enhanced connectivity based on security requirements.
Why is it so difficult to build an IAM system that works?
As you can imagine, the challenge and complexity of IAM is striking (and maintaining) the balance between security and fluidity of navigation.
To successfully implement IAM, it is important to assess the current state. With good reason, clients have difficulty measuring the effectiveness of their existing IAM system. There is no dedicated benchmark in the market evaluation. The NIST pillars are high-level and do not cover all the challenges related to IAM; the existing benchmarks only deal with the cybersecurity aspect of IAM and ignore the impact on the operational efficiency of an organization’s internal procedures and the fluidity of the user experience.
The goal in creating the IAM Framework was to create a framework that evaluates the entire discipline and that can be used to build an efficient roadmap.
Can you tell us a bit about the IAM maturity assessment tool?
More than a tool, it’s a framework and a tool-based methodology that supports customers and provides them an overview of their IAM maturity.
The Framework enables the understanding of an organization’s current state (which IAM perimeters are deployed (or not), which IAM axes require further work, etc.). It provides an overview, with the right framework, the right angle and the right resolution to cover all IAM topics.
The maturity assessment consequently allows the prioritization of workstreams that culminates in an IAM action plan! Thanks to this framework, we can identify the main areas for improvement, while accounting for organizational nuances by introducing the notion of scope.
In short, it meets three objectives: Evaluate, Improve and Extend IAM to other perimeters (beyond internal and service providers, with customers or partners). It was intended to be exhaustive to highlight our customers’ shortcomings and subsequently measure their progress and the effectiveness of their transformation program.
Our ambition is to make it the primary evaluation standard, entirely dedicated to IAM, with a sufficient level of granularity to cover all issues!
How is it structured?
Concretely, our tool is composed of about fifty questions that cover the 6 IAM themes:
- Identity management
- Entitlement management
- Access control
- Privileged access management
- Reporting and controls
It can be used in several cases; here are 2 examples:
Use case 1:
During an audit or (pre)scoping mission, i.e. when you do not know your level of maturity in terms of access and identity management.
In this case, the questions allow you to identify areas for improvement in order to launch IAM evolution projects.
Use case 2:
As part of a transformation program (medium or long term). This type of maturity assessment can be relevant at the halfway point of a transformation program in order to determine the progress made and to redirect the strategy if necessary.
Can you tell us about the last time you used it with a concrete example?
We tested the questionnaire in the field through several missions, during which the use of the IAM Framework helped accelerate the process. These missions comprised:
- the definition of an IAM roadmap for a large energy company
- the framing of a migration to an IAM tool for a banking group, which allowed the measurement of gaps between their existing solution and the new one
- IAM maturity assessment for an insurance company, to identify friction points and areas for improvement and to establish a roadmap
For these three projects, the assessment grid made it possible to identify all addressable topics (regardless of whether the client was aware of them at the outset) in order to provide an actionable roadmap covering all IAM issues. In other words, the Framework can be used as an analysis framework for the implementation of a project.
We plan to launch new missions on the subject and we are looking forward to supporting new customers in their journey to improve their IAM structure!
A final word?
I will end by reminding you of the key components of the Framework:
- It is “ready to use”: the fifty questions encompassed in the framework designed by Wavestone experts cover all IAM topics,
- It offers a standardized and formalized vision of its maturity on the subject of access and identity management: this assessment is also an opportunity to involve all the key players impacted by IAM: cyber teams, IT teams, internal audit teams and business teams,
- It facilitates the prioritization of actions within a transformation program: as explained above, it can be used at different times and can therefore be used as a support for a broader reflection,
- Finally, it is a flexible means of use: It can be used at a very high level (a strategic level) or to develop very specific actions.
Want to evaluate yourself? Please contact us!