IAM projects are some of the most complex, longest, and most expensive internal projects a company can undertake as they span many years, require the involvement of almost all teams, and cost loads of money for procurement of systems, and integrations. As with all big projects, failure can be disastrous. In this post, let's go through the top five challenges that face most IAM project, how they affect the work, and what we can do to handle them in a good way.
1. Lack of Experienced Project Management
This one might be obvious, but hear me out. IAM project usually tend to be complex and span over multiple years with huge budgets and a rather long list of systems to deal with while juggling conflicts, time restrictions, and people. Considering all of these responsibilities, under no circumstances should a technical person be put in charge of the project management aspects of such work, or you will end up with a burned up person and a messy– or even worse, failed – IAM project. Hire a professional project manager – preferably one with good experience in IAM projects – if you don't have someone in the company that can take this initiative on as their full-time work.
2. Non-existent Processes
Before you jump into buying systems and integrating your stuff, you need to make sure the processes that underpin identity and access management work are there and that they are followed in a diligent and systematic way.
Trying to integrate systems or centralize access before putting these processes in place will result in a very tense and complicated situation where the technical work is in place, but there are no processes to support it, thus wasting people time, causing confusion and frustration, and probably delaying the delivery timeline of your project.
Identify your essential IAM processes and make sure they are reviewed, approved, and put in place. Observe the processes in action for a couple of weeks to confirm the validity of your designs and the efficiency of the workflows before moving to the next step of your IAM work.
3. Inaccurate or Low-Quality HR Data
IAM relies heavily on HR data, and that data must be accurate, complete and readily available for a streamlined IAM flow. You can't build a reliable IAM program with incomplete, inaccurate, or unavailable HR data. You could try, but you will be burning cash and walking in circles forever.
All the automated – and manual– flow of IAM depend on knowing – for example – who is employed, who left, what team a person is in, what country they work from, or the name of their manager. Without that data, you can't provision access, you can't offboard people, and you can't process access requests. Check the data available in your HR systems thoroughly and make sure any gaps are filled in before connecting those systems to your identity platforms.
4. Unclear System Ownership
Ownership is hard, specially in today's age where systems and tools are mainly SaaS-based and acquiring a new tool is as simple as buying something from Amazon. Teams tend to acquire the tools that allow them to work efficiently – which is great – but without a proper ownership process in place, many of these SaaS services end up without clear ownership which complicated IAM work on many levels.
5. Limited Budget
IAM programs are not cheap. The platforms (Okta, OneLogin, SailPoint, ...) cost loads of money not to mention that most systems and clod services charge higher prices if you want to have SAML, SCIM, or any other identity related protocol.
This means your project or initiative will cost A LOT of money and if you don't have enough money, the program will struggle and might even fail. This is tragic, but it's the sad state of affairs. Make sure you have a reasonable budget that covers all the project expenses, failing that, make it abundantly clear to your management that things might not work as they expect.
There is a special place in hell for companies that put SSO and Multifactor authentication features on the Enterprise plan.
This isn't an exhaustive list, and you will face many other challenges during the lifetime of your IAM project, but from what I have learned so far, these five can lead to serious problems and might ruin the entire project. Now that you know about them, make sure to not overlook them, and your project should do just fine.