FAQ: Three Big IAM Questions Answered

Bart Allan

December 7, 2020

When an identity and access management (IAM) implementation is on the table, organizations usually have a list of common questions before taking the big step. Some stem from misconceptions; others concern the less understood benefits that come with IAM automation. Left unanswered, these questions can stall the definitive IAM improvements that IT decision-makers could otherwise champion.

To help streamline the decision-making process, we spotlight three of the most common questions and answer each of them, to clear up the ambiguity and support sound decisions about IAM automation.

Are data cleanup or roles a prerequisite to IAM implementation?

Some people assume that before an IAM system deployment:

  1. You must clean up inappropriate entitlements.
  2. You must define roles to assign appropriate access rights to users automatically.

Both of these preconditions are a myth. No matter how bad its access-rights data, every organization already has at least manual processes to grant and revoke access, and those processes work at some level. Cleaning up entitlement data is a worthwhile cause, but it is not a prerequisite for an IAM deployment.

However, once you deploy an IAM system, processes such as analytics, org-chart construction, data cleansing, and more can help shape the definition and the automatic assignment of roles. In other words, IAM does not depend on role-based access control (RBAC), and RBAC does not strictly require IAM, but RBAC is much easier to implement once an IAM solution with role-mining capabilities is in place.

Can an IAM system help clean up insufficient and incorrect data? 

Many IT decision-makers look to IAM systems for a means to clean up unsatisfactory data; this desire is often the impetus for the implementation in the first place. Automated processes and workflows do help clear the obstacles that substandard data places on an organization's IT infrastructure and network.

You can leverage automated processes and workflows to:

  1. Link users to their managers.
  2. Invite stakeholders to perform reviews and flag inappropriate entitlements.
  3. Deal with orphan and dormant accounts and profiles. 
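The three workflows above are the kind of thing the IAM system automates once an authoritative HR feed and an account inventory are connected. The following is an added example written for this page, not Hitachi ID's code or any product's API: it links employees to their managers from an HR feed, flags orphan accounts (no owner, unknown owner, or terminated owner), flags dormant accounts (never used, or unused beyond a 90-day window), and routes each finding to the owner's manager for review or to the IAM team when there is no valid owner. All names, identifiers, dates and the 90-day threshold are constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample data for this example: an HR feed (the authoritative list
# of people and reporting lines) and an account inventory pulled from a
# directory. Both are invented; neither is a real organization's data.
HR_RECORDS = [
    {"employee_id": "E100", "name": "Ava Chen",   "manager_id": None,   "status": "active"},
    {"employee_id": "E101", "name": "Ben Ortiz",  "manager_id": "E100", "status": "active"},
    {"employee_id": "E102", "name": "Cara Singh", "manager_id": "E100", "status": "active"},
    {"employee_id": "E103", "name": "Dan Moore",  "manager_id": "E101", "status": "terminated"},
]

ACCOUNTS = [
    {"account": "achen",      "employee_id": "E100", "last_login": date(2020, 12, 1)},
    {"account": "bortiz",     "employee_id": "E101", "last_login": date(2020, 11, 28)},
    {"account": "csingh",     "employee_id": "E102", "last_login": date(2020, 7, 2)},
    {"account": "dmoore",     "employee_id": "E103", "last_login": date(2020, 8, 15)},
    {"account": "svc_backup", "employee_id": None,   "last_login": date(2020, 12, 5)},
    {"account": "jdoe_old",   "employee_id": "E999", "last_login": None},
]

AS_OF = date(2020, 12, 7)           # date the review is run (assumed)
DORMANT_AFTER = timedelta(days=90)  # inactivity threshold (assumed policy value)


def link_users_to_managers(hr_records):
    """Map each employee to their manager from the HR feed (None = no manager)."""
    return {r["employee_id"]: r["manager_id"] for r in hr_records}


def find_orphans(hr_records, accounts):
    """Return (account, reason) pairs for accounts without a valid, active owner."""
    by_id = {r["employee_id"]: r for r in hr_records}
    findings = []
    for acct in accounts:
        owner = acct["employee_id"]
        if owner is None:
            findings.append((acct["account"], "no owner"))
        elif owner not in by_id:
            findings.append((acct["account"], "owner not in HR"))
        elif by_id[owner]["status"] != "active":
            findings.append((acct["account"], "owner terminated"))
    return findings


def find_dormant(accounts, as_of, dormant_after):
    """Return accounts never used, or not used within the dormancy window."""
    return [a["account"] for a in accounts
            if a["last_login"] is None or as_of - a["last_login"] > dormant_after]


def build_review_queue(hr_records, accounts, as_of, dormant_after):
    """Combine the findings into review items routed to a stakeholder.

    An item whose owner is an active employee with a manager goes to that
    manager; everything else (no owner, unknown owner, terminated owner, or an
    owner with no manager) goes to the IAM team for disposition.
    """
    managers = link_users_to_managers(hr_records)
    active = {r["employee_id"] for r in hr_records if r["status"] == "active"}
    dormant = set(find_dormant(accounts, as_of, dormant_after))
    orphan_reason = dict(find_orphans(hr_records, accounts))

    queue = []
    for acct in accounts:
        name = acct["account"]
        reasons = []
        if name in orphan_reason:
            reasons.append(orphan_reason[name])
        if name in dormant:
            reasons.append("dormant")
        if not reasons:
            continue
        owner = acct["employee_id"]
        reviewer = managers.get(owner) if owner in active else None
        queue.append({"account": name, "reasons": reasons, "reviewer": reviewer or "IAM team"})
    return queue


if __name__ == "__main__":
    for item in build_review_queue(HR_RECORDS, ACCOUNTS, AS_OF, DORMANT_AFTER):
        print(f'{item["account"]:<11} -> {item["reviewer"]:<9} {", ".join(item["reasons"])}')
```

Note that the terminated employee's account is both orphaned and dormant, and that the service account with no owner cannot be sent to a manager at all: those are exactly the cases that manual processes tend to leave behind, and the ones an automated review queue surfaces on every run.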

Take note, however, that the IAM implementation supports the data cleanup, not the reverse: the deployment does not have to wait for clean data.

IT leadership can use the IAM solution, once deployed, to clean up old entitlements that are no longer needed. This cleanup is usually done before undertaking role development.

Does RBAC help with efficiency or security? 

Role-based access control (RBAC) is useful for efficient administration and makes access requests more user-friendly, but RBAC alone is not a practical approach to long-term risk management.

Roles are an excellent way to grant appropriate rights where many users have identical requirements. When an organization scales and the scope of specific users' authority grows ever larger, as with executive management, two harmful things happen at once:

  1. The risk represented by these business users increases. Clearly, the CFO can do far more harm to a company than a sales clerk.
  2. Users become increasingly unique, so roles become a less cost-effective way to govern their access rights. What is the point of defining a role that will be assigned to only one user?

Therefore, in less complicated scenarios, roles are a useful tool to improve access requests, automate entitlement assignment and revocation, and manage entitlements shared by many users, typically in low-risk job functions. But don't make the mistake of trying to create a role for everything. As roles become more fine-grained (applying to only a few people), they stop being cost-effective, do little to help manage entitlements, and ultimately do not lower the access risk of the most privileged users.
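The role-mining capability mentioned earlier and the cost-effectiveness argument above can be seen together in a small worked example. The code below is added for this page and is not Hitachi ID's role-mining implementation: it performs the simplest form of role mining (grouping users whose entitlement sets are identical), keeps only groups large enough to justify a role, reports how many user-entitlement assignments the candidate roles explain, and lists the users whose access no role covers. The users and entitlement names are constructed, and the minimum of two members per role is an assumed cutoff.

```python
# Constructed sample data: each user's current entitlements, as an IAM system
# would collect them from connected systems. Invented for this example.
USER_ENTITLEMENTS = {
    "clerk1":   {"crm:read", "email", "vpn"},
    "clerk2":   {"crm:read", "email", "vpn"},
    "clerk3":   {"crm:read", "email", "vpn"},
    "clerk4":   {"crm:read", "email", "vpn"},
    "analyst1": {"crm:read", "email", "vpn", "bi:read"},
    "analyst2": {"crm:read", "email", "vpn", "bi:read"},
    "cfo":      {"crm:read", "email", "vpn", "bi:read",
                 "erp:approve-payments", "erp:close-books", "bank:wire"},
    "ceo":      {"email", "vpn", "bi:read", "board:portal"},
}


def mine_roles(user_entitlements, min_members=2):
    """Exact-match role mining.

    Users holding identical entitlement sets are grouped; a group with at least
    `min_members` users becomes a candidate role. Users whose set is shared by
    fewer people are returned separately: a role for them would have a single
    member and is not worth defining.
    """
    groups = {}
    for user, ents in user_entitlements.items():
        groups.setdefault(frozenset(ents), []).append(user)
    roles, unique_users = [], []
    for ents, members in groups.items():
        if len(members) >= min_members:
            roles.append({"entitlements": sorted(ents), "members": sorted(members)})
        else:
            unique_users.extend(members)
    # Largest roles first: these are where roles pay off.
    roles.sort(key=lambda r: (-len(r["members"]), r["entitlements"]))
    return roles, sorted(unique_users)


def role_coverage(user_entitlements, roles):
    """(covered, total) user-entitlement assignments explained by the roles."""
    total = sum(len(e) for e in user_entitlements.values())
    # Exact-match mining puts each user in at most one role, so no double count.
    covered = sum(len(r["entitlements"]) * len(r["members"]) for r in roles)
    return covered, total


def unexplained_assignments(user_entitlements, roles):
    """Entitlements of users no candidate role covers; these need other controls."""
    in_role = {m for r in roles for m in r["members"]}
    return {u: sorted(e) for u, e in user_entitlements.items() if u not in in_role}


if __name__ == "__main__":
    roles, unique_users = mine_roles(USER_ENTITLEMENTS)
    for r in roles:
        print(f'role of {len(r["members"])}: {", ".join(r["entitlements"])}')
    covered, total = role_coverage(USER_ENTITLEMENTS, roles)
    print(f"roles explain {covered}/{total} assignments")
    for user, ents in unexplained_assignments(USER_ENTITLEMENTS, roles).items():
        print(f"no role fits {user}: {', '.join(ents)}")
```

Two roles explain 20 of the 31 assignments, all of them low-risk. The two users left over are the executives, and the unexplained list is where the highest-risk entitlements sit: exactly the access a role of one would not make any safer, and the access that the governance mechanisms discussed below are meant for.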

Instead, other mechanisms are the more appropriate tools for risk management and access governance: segregation-of-duties policy, approvals before access is granted, risk scoring, and access certification.
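Of the mechanisms just listed, segregation of duties is the one most directly expressed as a policy check, and it is applied in two places: as a detective scan over current access and as a preventive check on a pending request, before an approver ever sees it. The following is an added example for this page, not Hitachi ID's policy engine: SoD rules are pairs of entitlements one person must not hold together, and the two functions evaluate them against constructed access data. Rule contents, user names and entitlement names are all invented.

```python
# Constructed segregation-of-duties policy: pairs of entitlements that one
# person must not hold together. Rules and access data are invented.
SOD_RULES = [
    ("erp:create-vendor", "erp:approve-payments"),
    ("erp:approve-payments", "bank:wire"),
]

CURRENT_ACCESS = {
    "ap_clerk":   {"erp:create-vendor", "erp:view-invoices"},
    "controller": {"erp:approve-payments", "erp:close-books"},
    "treasurer":  {"erp:approve-payments", "bank:wire"},
}


def sod_violations(access, rules):
    """Detective control: users who already hold both sides of a rule."""
    return sorted((user, a, b)
                  for user, ents in access.items()
                  for a, b in rules
                  if a in ents and b in ents)


def check_request(access, rules, user, requested):
    """Preventive control: the conflicts that granting `requested` would create.

    An empty list means the request can proceed to normal approval; a non-empty
    list means it needs a documented exception or must be denied.
    """
    held = access.get(user, set())
    if requested in held:
        return []  # nothing new is being granted, so no new conflict
    return sorted((a, b) for a, b in rules
                  if (a == requested and b in held) or (b == requested and a in held))


if __name__ == "__main__":
    for user, a, b in sod_violations(CURRENT_ACCESS, SOD_RULES):
        print(f"violation: {user} holds both {a} and {b}")
    for user, req in [("ap_clerk", "erp:approve-payments"), ("controller", "erp:view-invoices")]:
        conflicts = check_request(CURRENT_ACCESS, SOD_RULES, user, req)
        print(f"request {user} -> {req}: {'BLOCKED ' + str(conflicts) if conflicts else 'ok'}")
```

The existing treasurer violation is the kind of finding an access certification campaign would put in front of a reviewer; the blocked request for the accounts-payable clerk is the same rule enforced up front, which is cheaper than cleaning up after the fact.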

While these three questions cover some of the most significant IAM system ideas, they are not the only concerns organizations have about IAM solutions. In fact, this FAQ may only scratch the surface of your own uncertainties and challenges in identity and access management deployment, and that is where Hitachi ID can be a helpful resource.

Schedule your demo today to see how Hitachi ID Bravura Identity can answer all of your identity management questions and challenges.