Experts David Cline and Ryan Babbitt discuss how Zero Trust Security…
Author: Jill Roozeboom, Business Analysis Manager & Security Officer
Have you been considering upgrading or implementing an Identity Governance solution? I’d like to share with you a few key lessons learned after working on several Identity Governance projects.
What does Identity Governance even mean? At a high level, it’s governing the end-to-end lifecycle of security access across an enterprise. This includes:
- the security access workflow when a person is on-boarded, off-boarded, and everything in between, such as a job transfer or name change
- how security access is requested
- what approval is required for security access
- how security access is fulfilled
- how security access certifications are conducted according to regulatory requirements
- how security access is reported on and audited
So, now for the good part. Let me share with you the key lessons learned based on my participation in several Identity Governance projects:
1. Conduct thorough discovery prior to implementation
Complete an enterprise-wide discovery before jumping directly into your implementation. This includes:
- understanding high-level current state processes
- defining future state processes
- identifying target systems (i.e. applications) to be governed
- prioritize the work
Conducting the discovery before diving into the implementation allows for architecture and design decisions to be made while taking into account the bigger picture and long term identity roadmap. If you don’t work through the big picture, you could back yourself into a corner down the road when you need new functionality and/or process.
2. Establish the right architecture up front
Identity Governance projects are different than most software implementation projects because your production Identity Governance system might need to govern non-production security access. Analyze the business need to govern security access across all environments (e.g. Dev, QA, Prod), and then decide how you will develop and test the integration with various target systems.
An example architecture might be:
- Identity Governance Development & QA – integrates with a copy of Disaster Recovery environment
- Identity Governance Production – integrates with the actual Dev, QA and Production target system environments
The bottom line is you should not try to develop and test against a production target system, nor a non-production target system that needs to be governed.
3. Define clear business processes
Let’s be honest. Identity Governance projects can be overwhelming. Truth be told, defining the business requirements and processes is often more difficult than the technical implementation. If you take time to clearly define your Identity Governance business processes, you will achieve greater success than if you were to dive straight into development.
4. Be flexible
Often companies already have Identity Governance “processes” that are followed, even if they are all manual. When you start your Identity Governance implementation or upgrade project, challenge yourself on your existing business processes. It’s Zirous’ job as an implementation partner to recognize and challenge business processes that might lead to more customization and/or more administrative overhead. Be willing to adjust existing business processes in order to limit customization and don’t require a business process if the only reason is “that’s how it has always been done.”
5. Don’t try to boil the ocean
How many target systems do you need to integrate with your Identity Governance solution? 50? 100? 200+? Don’t try to do it all at once. Prioritize the work based on what will have the greatest impact to your enterprise and plan iterative implementations. This will allow you to have hands-on experience with how the Identity Governance software works, help uncover what may not work for your day to day business operations, and may even help you make different decisions for subsequent phases.
6. Conduct thorough User Acceptance Testing
That might seem like an obvious statement, right? It’s important. No one knows your business better than your own people. Engage key, knowledgeable business users as part of the project team and get their feedback on the system during testing rather than waiting until it’s time for training. They will have unique insights that can point out flaws in process, designs that might have been based on incomplete knowledge, and that no one else may be able to articulate until they see it. This will provide valuable feedback and get employee buy-in on the processes and product.
You should now be prepared for the complexities that Identity Governance projects can throw your way! Are you ready to take the plunge?
If you’d like help approaching an Identity project from experts who have successfully conducted them for enterprise clients, contact us today.