The rapid adoption of mobile devices and cloud services, together with a multitude of new partnerships and customer-facing applications, has extended the identity boundary of today’s enterprise. For the extended enterprise, identity and access management (IAM) is more than just provisioning employees with, and enforcing, the appropriate access to corporate resources. It’s about the ability to oversee access by a variety of populations, from employees to partners to consumers, and protect a variety of sensitive resources (including data) that may reside on or off the organisation’s premises - all while helping to protect the organisation from increasingly sophisticated cybercriminals and resourceful fraudsters.
Unfortunately, legacy approaches to IAM are failing us because they can’t manage access from consumer endpoints, they don’t support rapid adoption of cloud services, they can’t provide security data exchange across user populations, and they offer no help against emerging threats.
We at Forrester have been promulgating a Zero Trust Model of information security. It eliminates the idea of distinct trusted internal networks versus untrusted external networks, and requires security pros to verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic. Zero Trust applies effectively to identity as well. It requires security and identity pros to: 1) centre on sensitive applications and data; 2) unify treatment of access channels, populations, and hosting models; and 3) prepare for interactions at Internet scale. Moving toward Zero Trust identity not only helps you improve business agility and achieve compliance - it even helps you enhance customer experience and deliver on your org’s API monetisation strategy.
Forrester's Identity and Access Management Playbook will help you evolve from the inflexibility of tightly coupled authentication and access controls to an approach where you deploy services that produce and consume identity and entitlement information in a loosely coupled manner. Building a Zero Trust IAM strategy that supports the extended enterprise requires a four-step process:
1. Discover: Identifying the trends, justifying the business case, and assessing your maturity.
Understanding your organisation’s business objectives and what you can achieve with a Zero Trust IAM approach can help you build a sound business case for investment that recognises the business, financial, and operational benefits. Once you have a well-defined business case, you can also assess your current capabilities against your business case and identify gaps in your strategy.
2. Plan: Creating a strategy to manage IAM as a sustainable, on-going program.
To make your IAM strategy a reality, you will need to identify and influence stakeholders on both the business and the IT side of the organisation. You must also formally document your IAM strategy and include a description of your current state, a definition of your future state, and a detailed road map and set of recommendations for the sequence of projects needed to make the strategy a reality.
3. Act: Hiring the right staff, governing policies, and implementing IAM capabilities.
Because IAM pros must frequently communicate with a business audience, they must possess outstanding communication skills in addition to IAM technical knowledge. And because IAM is so broad and requires a strong central governing function, you will need to hire several types of IAM professionals, including a VP or director-level position, an IAM architect, and an IAM practitioner. You will also be faced with a multitude of on-premises and cloud-based solutions to your IAM technical requirements.
4. Optimise: Measuring, monitoring, and marketing IAM results. You’ll have to measure and monitor the effectiveness of your IAM program and report value to the organisation. With an effective metrics program, IAM leaders will be better prepared to demonstrate business value, develop a proactive culture, and align priorities and performance incentives with business strategy. You’ll also be in a better position to understand how your program compares to that of your peers.
You can download the full Executive Overview for the IAM playbook here.
So what do you think? How does Forrester’s vision of IAM compare to yours? And will our playbook be useful? My colleagues Andras Cser (@acser) and Stephanie Balaouras (@sbalaouras) and I (@xmlgrrl) value your feedback as we refine this playbook to help you be successful in your role.