The topic of Single Sign-On (SSO) has come up recently with…
Considerations before buying Identity and Access Management products: Don’t buy milk if you’re lactose intolerant!
So here you are. You understand that your business needs an Identity and Access Management system. You’ve evangelized about how it can make provisioning access faster and more efficient, as well as helping meet regulatory and audit requirements. You’re ready for the next step. But if you’re thinking the next step is selecting which software to purchase, you couldn’t be more wrong.
Before you can properly evaluate a tool and all the things it could do for you, you need to understand what it must do for you. If you skip this fundamental step before making your purchase, you’re putting yourself at risk. The technology can be complex, and you’ll likely want to evaluate many business processes to take full advantage of the tool you select. With that in mind, here are recommendations to help you make the right decision. Some of these may seem like common sense, but many times I’ve seen companies make purchases before they truly understood their needs, and they came to regret it.
Don’t purchase before understanding your needs!
It’s not as simple as putting together a bullet list of features. That’s important, but it’s also important to understand where you are now and where you’re going.
What business factors are driving your decision? Some common examples are below. These drivers should be used to prioritize functionality requirements.
- Reduced costs through greater efficiency, including self service requests and password management.
- Reduced risk by automatically onboarding and offboarding in a timely manner.
- The ability to efficiently certify access through one interface instead of spreadsheet dumps of access from every individual system.
- Industry or governmental regulatory requirements that are supported by auditable approval and provisioning processes.
- Simplified access requests and certifications, and standardized access, due to the implementation of Role Based Access Control (RBAC).
To understand where you’re going, you also need to have a thorough understanding of where you are today. As one client discovered, they had several different user communities whose sources of truth were in several different systems. Sometimes these systems overlapped for the same user, so they learned that they had to have a tool that could aggregate several source systems into a single identity. They also learned that there were eight (8!!!) intake channels for new employees which a new tool would have to replace. Also, each user community might need a different method of establishing credentials when onboarding a new person. A new identity and access management system would have to account for that.
Understanding your current processes may seem straightforward because you already know them. However, it involves asking the right questions about processes that you may not have even thought to ask. Most companies are well-versed in the “typical” onboarding process, but what about other identity lifecycle events? Have you thought about what access employees should gain or lose as they change departments? What about converting a contractor to an employee, or vice versa? Experience in assessing your current state and future needs is essential. You should consider bringing in a partner who has experience in this area. As one client repeatedly said during the course of discovery sessions, “I don’t know how we would have gotten this far without you!”
Next you need to move on to future state. What processes can be consolidated, changed, or eliminated with a new tool? Be prepared to look at everything with fresh eyes and a willingness to do things better, not just how you’ve always done them. Challenge the current state, and don’t settle for the status quo. Ask an experienced partner what advantages a tool might provide; some ideas may not even have been in your plan because you didn’t know they were possible. For example, “Single” Sign On doesn’t have to involve authenticating only once if a highly sensitive system is involved. Or maybe they have an idea for integrating identities with a SIEM tool in order to provide more context during a possible breach. What would an experienced partner recommend as “must do”?
Zirous’ senior business analyst Jill Roozeboom has some insights into making your Identity project successful, which of course starts with a thorough discovery phase.
What is your long term roadmap?
An Identity and Access Management implementation should be a program within your organization, not just a single project. There will likely be several phases that address different needs by priority. Do you understand what goals need to be achieved, and everything that needs to be in place to support them?
Starting with short term objectives are a great way to get started quickly, but if you haven’t thought through what you might want to accomplish in the future, you could find that you’ve painted yourself into a corner.
Take the time to map out what you need and when, and what dependencies there are between projects, and focus on what value each objective adds to the business. If it’s not valuable, is it necessary? Can you move nice-to-have functionality later in the timeline? Are there low effort goals that will be big wins for the business?
As an example of project interdependencies, suppose you eventually want Single Sign On (SSO) in addition to the automated provisioning that you’ll start with. To support that goal, you may need a central LDAP that you don’t have today. Your provisioning system will need to ensure all users that participate in SSO are in that LDAP. To complicate matters, you may also have a system like EBS that requires a specific LDAP. Is that LDAP software included in your purchase? Do you need to bundle it in your first purchase or can it be obtained closer to when you need it?
A few years ago I worked with a client who had purchased software assuming it would provide all the capabilities they needed. After some review of their long term needs, we discovered that while they had purchased the right software, they didn’t purchase the right license that would enable them to authenticate customers using social platforms. They were understandably unhappy and had to re-evaluate whether the business need was important enough to change licenses.
Do you need a single vendor to provide all capabilities, or are you comfortable mixing different best-of-breed vendor technologies?
After the steps above, you should have a thorough understanding of your existing business processes, and of your desired future state functional requirements. Now you need to prepare yourself for the kinds of software vendors you might work with.
Some vendors provide a wide array of identity and access management related software that will cover almost any need. You could purchase everything from a single vendor and know that they will provide support for everything.
Or you might find a vendor that does one thing really well, like provisioning, but they don’t support your SSO or MFA needs. If you go with this vendor, you’ll need to look elsewhere (maybe at their partners) for software to meet all of your needs. It’s especially important to understand your comfort level with a multi-vendor solution if you’re initiating the process through an RFP. Be clear that you’re willing to entertain solutions that span multiple vendors.
Will your implementation be vanilla, or will it need to be customized to fit your business processes?
This is one of the most difficult questions to answer, and it absolutely cannot be answered if you haven’t done your due diligence on the steps above. Keep in mind that most systems are configurable within certain parameters, but customization means that you need them to do something that isn’t implicitly available out of the box.
In a nutshell, if certain business processes are inflexible, they may require customization within the tool. There’s nothing wrong with that per se, but you need to understand that you’ll be maintaining these customizations through future upgrades. Do the benefits outweigh the long-term costs?
Also, many people are interested in the possibility of cloud-based solutions. The promise of the benefits that they provide is intriguing. But they may not be able to meet all your customization needs. The need for customizations could be the difference between choosing a cloud-based solution or one that requires an on-premise implementation. That being said, cloud solutions naturally evolve quickly. Work closely with a knowledgeable partner to determine if functionality that meets your needs is already in the product or is on their roadmap.
None of these topics is easy to answer, but each of them is essential in leading you to the right identity and access management software purchase.
You wouldn’t know where to begin rebuilding an engine if you’d never taken one apart before. Don’t be afraid to reach out for help from a trusted partner who can help you navigate these challenging questions. If they’ve been there before, they’ll have a manual to follow so you aren’t wondering how all the leftover parts fit.
Zirous would be honored to be that partner for you. Ask about our Catalyst process for ensuring your identity and access management project’s success!