Challenges in Identity and Access Management (IAM) Practice

4 April 2012

Identity and Access Management is concerned with managing user identities (who the users are) and their access privileges (what they can access) in an enterprise’s IT systems. As an organization grows, its application portfolio grows as well, and with it comes the administrative problem of effectively maintaining user identities and access levels. Besides the administrative burden of maintaining these identities in each application, end-users must also remember separate login credentials for each system.

The consequences of poor IAM practice in an organization are many: identity theft, users being unable to access the information they need (leading to an increase in IT incidents), information leakage and unauthorized modification of data. Thus, IAM practice affects all three dimensions of the CIA triad (Confidentiality, Integrity, and Availability).

Setting up an effective IAM practice presents quite a few challenges. Below are some of the challenges we are facing in my organization as we try to build an IAM framework within the IT Governance function.

The first challenge is to build a central registry of user identities and their access rights for each service/application, to serve as the reference for provisioning and de-provisioning activities. A recurring problem is that when an employee leaves the company or moves to a different department, there is no easy way to tell which systems their access needs to be revoked from. As a result, active identities of employees who have left the company show up in the yearly audit findings every time. To properly address this issue, the identity provisioning/de-provisioning process needs to be aligned with the HR onboarding and leaving processes.
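As an added example (not the post's own code or tooling), the following Python script shows the kind of reconciliation a central registry makes possible: it joins per-application account exports with the HR roster and flags accounts of leavers, accounts unknown to HR, and access that a transferred employee's current department is not entitled to. All roster, account and entitlement data below is constructed.

```python
from datetime import date
AUDIT_DATE = date(2012, 4, 4)  # day the reconciliation runs (constructed)

# Constructed HR roster (department, leaving date) and per-application account
# exports: the raw material a central registry would consolidate.
HR_ROSTER = {
    "alice": {"dept": "finance", "left": None},
    "bob":   {"dept": "sales",   "left": date(2012, 1, 31)},  # has left the company
    "carol": {"dept": "finance", "left": None},               # transferred from IT
}
APP_ACCOUNTS = {
    "erp":     {"alice": "approver", "bob": "viewer", "carol": "admin"},
    "crm":     {"bob": "editor", "carol": "admin"},
    "payroll": {"alice": "operator", "dave": "viewer"},  # 'dave' is unknown to HR
}
# Departments entitled to an account in each application (constructed).
ENTITLED_DEPTS = {"erp": {"finance", "sales", "it"}, "crm": {"sales", "it"}, "payroll": {"finance"}}

def build_registry(apps):
    """Central registry: user -> {application: role} for every account found anywhere."""
    registry = {}
    for app, accounts in apps.items():
        for user, role in accounts.items():
            registry.setdefault(user, {})[app] = role
    return registry

def find_orphans(hr, registry, today):
    """Accounts whose owner has left (per HR) or is unknown to HR: de-provisioning candidates."""
    orphans = []
    for user, access in registry.items():
        record = hr.get(user)
        if record is None:
            reason = "not in HR roster"
        elif record["left"] is not None and record["left"] <= today:
            reason = "left on " + record["left"].isoformat()
        else:
            continue
        orphans.extend((user, app, reason) for app in sorted(access))
    return orphans

def find_stale_access(hr, registry):
    """Current employees holding access their present department is not entitled to (transfer leftovers)."""
    stale = []
    for user, access in registry.items():
        record = hr.get(user)
        if record is None or record["left"] is not None:
            continue  # leavers and unknown users are reported by find_orphans
        for app in sorted(access):
            if record["dept"] not in ENTITLED_DEPTS.get(app, set()):
                stale.append((user, app, record["dept"]))
    return stale
```

Running both checks on the constructed data reports bob's ERP and CRM accounts and the unknown payroll user dave as orphans, and carol's CRM access as a leftover from her transfer out of IT.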

Secondly, a thorough understanding of employees’ access levels across the different systems needs to be developed. In this step we are effectively setting up role-based access. This requires an understanding of each application’s capabilities, its types of users, and the types of information (objects) that can be accessed and modified. This is a difficult task, as highlighted by Michael Liou: “the challenge with any role project is taking enormous volumes of user, role and privilege information and reconciling it to build a new role model or adapt an existing one — without incurring substantial time and labor costs” [1]. Setting up a role-based access environment also affects in-house application development, where the team is often used to testing its applications with super-user IDs (IDs that can perform all functions).

Another big milestone on the roadmap is to enable single sign-on across the enterprise, and perhaps even move to a federation implementation. The challenge here is architecting a consistent solution across an application portfolio that is a mix of in-house developed and vendor applications. This requires developing in-house capabilities and raising change requests with vendors so that all systems can integrate.

Lastly, like any other process, IAM practice is about aligning people, process and technology. We need tools to manage identities and access levels. We want to raise awareness among staff and stop the sharing of accounts to perform tasks. We want infrastructure teams to break the habits of using default administrator accounts on network devices and of using the same administrator password on every server. We need a robust ongoing process for provisioning and de-provisioning identities, and we must ensure that new applications added to the portfolio adhere to the IAM principles. As Sari Kalin highlights: “Pilot the processes, not just the technology. CIOs who’ve begun identity-management efforts say that business-process issues present bigger hurdles than the technology.” [2] The article goes on to talk about understanding “the logic behind why we were doing things a certain way”. This relates to organizational culture change through understanding the consequences of insecure procedures. The challenge is to convince employees that the absence of negative events does not mean the processes and systems are safe.


[1] Michael Liou, “Identity Governance: The Business Imperatives”, white paper, CA Technologies Security Management, August 2010.

[2] Sari Kalin, “How to Tackle Identity and Access Management”, December 1, 2005.