Ten Common IAM Deployment Challenges and Their Solutions

Throughout the life cycle of an IAM system, many issues emerge that must be addressed quickly and diligently. Below is a list of the top ten common IAM pitfalls that every business should prepare for.

May 9, 2022


New cloud-based IAM solutions, providing uniform and simplified identity management, are gaining popularity. However, companies typically find it taxing to regulate admin privileges when they embrace cloud technologies. For CIOs and their staff, the difficulty of managing who can access what introduces a new set of IAM difficulties. To get the most out of an existing IAM solution, companies need to take control of the major challenges IAM faces in the cloud. The top ten are discussed in this article. Let’s explore.

Identity and access management (IAM) is an essential set of tools, techniques, and procedures (TTP) to control who can access information resources. In today’s IT world, IAM must cover both on-premises and cloud access to classified and categorized data and systems. It must also support business access policies that govern safe access by many remote users working over home and public networks. Consequently, an organization can face many challenges while designing, implementing, and managing an IAM solution. These challenges are all manageable if attention is given to them throughout the IAM solution’s life cycle.

IAM Overview

IAM solutions support the entire identity management and access control process, including:

  • Onboarding based on assigned roles
  • Automated onboarding using sources of truth, such as the human resources database
  • Multifactor authentication with consistent management across systems and users regardless of location
  • Business policies that dynamically determine under what circumstances network access is granted and the resources that can be used
  • Quick and automatic removal of permissions for terminated employees across on-premises and cloud resources
  • Closely managed and audited privileged accounts

This is a general list of IAM capabilities. Each solution has its own set of features and associated business considerations.  


The Pitfalls

Following are the top ten pitfalls associated with Identity and Access Management implementations:

  1. Lack of proper perspective
  2. Lack of management support
  3. Lack of proper planning
  4. Lack of proper participation
  5. Lack of end-user guidance
  6. Lack of attention to the cloud
  7. Lack of attention to the future
  8. Poor user role management
  9. Poor Privileged Access Management (PAM)
  10. Misapplication of role access management

Let’s go through these pitfalls individually.

Lack of proper perspective

Organizations tend to get hung up on treating everything as a project, but this does not work for security efforts. Protiviti asserts that IAM may begin as an umbrella project that is multi-phased over two or more years. This results in a series of implementation projects running consecutively or in parallel. However, organizations should manage these projects as an ongoing program. Failure to do so makes this pitfall one of the biggest causes of IAM implementation failure.

The first step around this pit is the assignment of someone responsible for IAM throughout its life cycle. This person ensures effective communication between the team and stakeholders and manages operational and strategic considerations over time.

Another step requires setting expectations with management and other stakeholders. Everyone must understand the amount of work involved, the probable need to adjust approaches over time, and the necessary ongoing auditing and monitoring for success. IAM can be complex; most complex solutions are neither perfect nor do they remain acceptable without regular intervention.

Setting expectations is not just a one-time event. The program manager must also continuously reinforce support for IAM as it slowly becomes a reality. Otherwise, stakeholders might lose interest and pull needed resources.

Lack of management support

Business priorities can change over time. These changes can often result in resources being pulled from one project and focused on another. In addition to having overall management support, IAM efforts require a strong executive sponsor. Idenhaus Consulting writes that having an executive sponsor “decreases the likelihood that the IAM solution will fall victim to organizational politics.”

A program manager also supports all stakeholders and maintains a solid and open communication channel.

Lack of proper planning

The lack of proper planning leads to mismanagement of resources needed to implement and manage IAM. Instead of a discrete project, IAM requires a comprehensive roadmap that might extend over several years. Further, the roadmap must be fully supported by stakeholders.  

Each leg of the journey requires full stakeholder involvement. Risks associated with integrating each system and related processes must be identified and assessed. The journey’s path should be mapped based on prioritizing those risks. This usually translates into prioritizing system integration into IAM based on classifications and categorizations.

At the end of each leg or phase, stakeholders should reassess the roadmap. Risks will likely change over time, and unexpected challenges will arise. The length of the roadmap will certainly require planning reviews and modifications, or the IAM efforts will fail or fall short of expectations; stakeholder support might falter.

Lack of proper participation

The list of stakeholders related to an IAM roadmap is long. Missing any relevant stakeholder can result in missing one or more implementation objectives. In my experience of IAM implementation, common stakeholders include:

  • Data owners
  • System owners
  • Data stewards
  • Security analysts
  • Security engineers
  • Application developers
  • Auditors
  • Finance
  • Network engineers
  • Network managers
  • Server admins
  • Server engineers
  • Business unit management
  • Help Desk/support

This is not a complete list, and job role titles are likely different across organizations. However, this list provides a good idea of who is needed to create, maintain, and work on the roadmap, with one more critical group still to be named: users.

Lack of end-user guidance

Failure to include users comes with common pitfalls. Users sometimes see new solutions as hard to use, which results in their inability to accept them. This is a serious challenge when implementing new authentication processes. Some authentication solutions require biometric or token sensors. If not adequately matched to user needs, these can become a production bottleneck that causes a lack of user and management acceptance.

The ideal authentication process is transparent to the user, but this is not always possible. Consequently, the stakeholders must identify authentication needs for each resource and the level of intrusion into user activities based on risk. This effort must include affected users to help identify day-to-day challenges and understand the need for the lack of transparency.

Lack of attention to the cloud

IAM is not just for on-premises systems. It must also include both known and unknown cloud services the organization uses. The level of shadow IT use affects the complexity of extending identity management to the cloud.

Integrating cloud resources into IAM starts with conducting an inventory of all IaaS, PaaS, and SaaS cloud services. Because of shadow IT, IT will have to take steps to scan network traffic to identify unapproved cloud services. Once all services are identified, management must review them to determine which to approve and which to shut down.

With the cloud services inventory in hand, the team must determine the IAM capabilities of every listed service. This helps determine the right IAM solution and design, and whether to shift to different cloud services that provide the same benefits. Further, Sandra Gittlen and Linda Rosencrance write that IDaaS, or identity as a service, might be one way to manage cloud and on-premises IAM while moving much of the solution management to the service provider.

Assessing cloud needs also includes working with appropriate stakeholders to predict near- and long-term intentions for other cloud use. This links closely with pitfall 7.


Failure to plan ahead

Again, IAM implementation is complex and resource-intensive. An organization does not want to focus only on “what is” during solution design. Instead, discussions with stakeholders and reviewing the pending project portfolio help understand future identity management needs.

Laurance Goasduff, writing for Gartner, describes trends that organizations should consider in 2022 when looking at IAM:

  • Continued growth of connect-anywhere computing
  • Ongoing need to improve the user experience
  • Continued move to decentralized IT architecture
  • Emergence of new applications and API capabilities
  • Continued move to zero-trust networking
  • Focus on security on the endpoint device

Poor role management

The business role to which an employee belongs should determine information resource authentication and authorization. IAM uses business role assignments, usually provided by the human resources database, to determine what a user can access. If an employee’s role changes, the IAM system automatically revokes previous permissions and assigns new permissions for the new role. This requires regular management of roles.

Role management begins with data/system owners mapping out business processes and the business roles that execute the process tasks. This helps understand what a role must access to meet business objectives. Access for each role is then configured in the IAM system.

Poor role design can cause a lack of needed access or permissions that exceed need-to-know, least privilege, or separation of duties constraints. Further, data/system owners must regularly review role assignments to prevent loss of productivity and permissions creep.

Poor privileged access management (PAM)

Organizations use privileged accounts to manage servers, applications, and network devices. These administrator accounts should not be day-to-day accounts used by IT or other users. Instead, they should be dedicated accounts whose use is closely controlled and audited. PAM performs this control and auditing.

PAM is implemented in different ways, but capabilities organizations should ask about during solution selection include:

  • How does the IAM control the checking out of privileged accounts? PAM should always know when a named user accesses an administrator account.
  • How is access to PAM accounts controlled? What level of granularity is provided?
  • Does the PAM functionality frequently change passwords for managed privileged account access to resources?
  • Are active privileged access sessions monitored? How is anomalous behavior reported? How easy is it to reconstruct unwanted privileged access during forensics activities?

Misapplication of role access management

Finally, how will the IAM solution control access? Today, organizations control access by role using either RBAC or ABAC. RBAC is traditional role-based access control: access to resources is based solely on the user’s assigned business role. ABAC, or attribute-based access control, adds further access characteristics to an IAM’s entity authentication decisions.

ABAC, described in detail in NIST SP 800-162, extends role-based access control. It can check several characteristics of the user/device attempting to connect, including:

  • Device owner
  • Location of the device
  • Type of device
  • Time of day
  • Day of the week
  • Resources the user wants to access

In addition to controlling access via ABAC, an IAM should also support multifactor authentication. No amount of role control works as expected if only passwords are used for authentication to highly categorized resources and highly classified data. Implementation of an IAM is the perfect opportunity to strengthen access controls, and organizations should include associated risk assessments as part of the IAM program.

Final thoughts

IAM is an ongoing program that requires full participation by stakeholders from across the organization. It touches every facet of business operation and requires implementation and configuration based on prioritized risk assessments.

An IAM solution at some level is needed by almost every organization with more than a few users. Understanding associated pitfalls and how to avoid them is part of comprehensive planning for a successful rollout and continued value over the IAM life cycle.



Tom Olzak

Cybersecurity Researcher, Author & Educator

Independent security researcher and an IT professional since 1983, with experience in programming, network engineering, and security. I have an MBA as well as CISSP certification. I am also an online instructor for the University of Phoenix. I've held positions as an IS director, director of infrastructure engineering, director of information security, and programming manager at a variety of manufacturing, healthcare, and distribution companies. Before joining the private sector, I served 10 years in the United States Army Military Police with four years as a military police investigator. I've written four books, Just Enough Security, Microsoft Virtualization, Enterprise Security: A Practitioner's Guide, and Incident Management and Response Guide. I am also the author of various papers and articles on security management.