
Testing Your IAM Planning Decisions Needs a Robust Risk Model

By Homan Farahmand | April 27, 2016

Tags: Risk Management, Architecture, Cybersecurity, IAM

IAM planners and architects can greatly benefit from predicting the impact of a prioritization decision on operational risk before making the actual decision. Why? Because testing an IAM planning decision in a production environment is not cheap. Our review of more than 50 large IAM deployments between 2009 and 2015 found many suboptimal deployments of IAM solutions, which is indicative of something not quite working. After some digging, we noticed that many IAM decisions are based on arbitrary priorities that cause delays, budget overruns and unrealized expected outcomes. In many cases we found that the primary focus is on satisfying short-term compliance needs, driven by audit or regulatory findings, with less attention to the big picture.

We know that when you have tactical objectives, you may not like the term “big picture.” But in IAM, having the big picture in mind is the magic trick that makes or breaks the key initiatives (e.g. Identity Governance and Administration projects). Gartner has developed a practical starter risk model as the first step toward establishing a comprehensive and consistent operational risk model for IAM. The model’s primary goal is to assess and test key prioritization decisions. It has 100 weighted IAM controls across program disciplines and architectural components that are indicative of operational risk, assuming these controls are properly applied to the important coverage areas (i.e. infrastructure and application domains/instances). The model mathematically calculates an aggregated IAM Key Risk Indicator (KRI) that is useful in executive discussions as well. However, the math part doesn’t need a rocket scientist. The model enables IAM teams to:

  • Address IAM prioritization problems using scenario analysis,
  • Review budget against operational risk impact,
  • Discuss the issues with regulators and auditors,
  • Effectively track progress, and
  • Communicate values generated from risk reduction to business executives.
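To make the "weighted controls applied to coverage areas, aggregated into one KRI, then tested against prioritization scenarios" idea concrete, here is a small illustrative model. It is an added example, not Gartner's model or toolkit: the four controls, three coverage areas, weights and effectiveness values are all constructed, and the KRI formula (weighted share of control coverage still missing) is an assumption chosen for illustration.

```python
"""Toy weighted-control KRI with scenario comparison (illustrative, not Gartner's model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    weight: float  # relative importance of the control (constructed values)


# Hypothetical controls; the real model has 100 weighted controls.
CONTROLS = (
    Control("privileged-account-review", 5.0),
    Control("joiner-mover-leaver-automation", 4.0),
    Control("mfa-for-admins", 4.0),
    Control("orphan-account-detection", 2.0),
)

# Coverage areas (infrastructure/application domains) with a business-criticality
# weight each. Constructed sample data.
AREAS = {"core-banking-app": 3.0, "hr-system": 2.0, "windows-ad": 3.0}

# coverage: {area: {control name: effectiveness 0.0 (absent) .. 1.0 (fully applied)}}
BASELINE = {
    "core-banking-app": {"privileged-account-review": 1.0, "mfa-for-admins": 0.5},
    "hr-system": {"joiner-mover-leaver-automation": 1.0},
    "windows-ad": {"mfa-for-admins": 1.0},
}

# Candidate prioritization decisions as lists of (area, control, new effectiveness).
SCENARIOS = {
    "A: orphan detection in every area": [(a, "orphan-account-detection", 1.0) for a in AREAS],
    "B: privileged review on windows-ad": [("windows-ad", "privileged-account-review", 1.0)],
}


def kri(controls, areas, coverage):
    """Aggregate KRI in [0, 1]: weighted share of control coverage still missing."""
    total = sum(c.weight * a_w for c in controls for a_w in areas.values())
    missing = sum(c.weight * a_w * (1.0 - coverage.get(area, {}).get(c.name, 0.0))
                  for c in controls for area, a_w in areas.items())
    return missing / total


def apply_scenario(coverage, changes):
    """Return a new coverage map with the scenario's changes applied (baseline untouched)."""
    new = {area: dict(ctrls) for area, ctrls in coverage.items()}
    for area, control, eff in changes:
        new.setdefault(area, {})[control] = eff
    return new


def rank_scenarios(controls, areas, baseline, scenarios):
    """Order candidate decisions by KRI reduction, largest reduction first."""
    base = kri(controls, areas, baseline)
    results = [(name, base - kri(controls, areas, apply_scenario(baseline, changes)))
               for name, changes in scenarios.items()]
    return sorted(results, key=lambda r: r[1], reverse=True)
```

With these constructed numbers the cheap control rolled out everywhere (scenario A) reduces the KRI slightly more than the single high-weight control in one area (scenario B), which is exactly the kind of non-obvious trade-off the scenario analysis is meant to surface.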

If you are interested in learning more about the model and trying it, check out our recent report and toolkit: IAM Risk-Based Planning Model and Toolkit for Reducing Operational Risk. A Gartner for Technical Professionals subscription is required to access the research report.
