Professional Documents
Culture Documents
Build Your Identity and Access Management Roadmap
Build Your Identity and Access Management Roadmap
This PDF is only licensed for individual use when downloaded from forrester.com or reprints.forrester.com. All other distribution prohibited.
forrester.com
For Security & Risk Professionals
3 IAM Roadmap Build-Out And Update Are Forrester’s Identity And Access Management
Key To The IAM Strategy Cycle Maturity Assessment
›› Premature vendor selection. Organizations often skip an initial assessment of their current IAM
state and immediately jump to RFPs and vendor selection.1 This happens even more often when
decisions are guided by a compliance violation or other nonstrategic initiative. Regardless, this
is a recipe for failure. Instead, organizations should conduct an IAM assessment that includes an
evaluation of the current directory architecture, an inventory of the existing application portfolio,
and other key foundational tasks such as entitlement cleanup and role design.2 S&R pros can then
assess the results to identify priorities and ensure proper alignment with the roadmap. IAM is 70%
people, process, and politics: Mapping out and documenting nontechnical requirements is more
important here than with any security discipline. If you ignore these nontechnical requirements, be
prepared to deal with chaotic IAM deployment.
›› Failure to account for interdependencies among IAM capabilities. IAM projects are often
closely related; you can automate user account provisioning only if your user stores and federation
processes and tools are in order. Multifactor authentication (MFA) is best implemented if you have
a well-oiled machine of a web environment with single sign-on (SSO) across the board. An IAM
roadmap forces discovery and planning for these interdependencies and thus reduces rework and
the cost of IAM implementation. These interdependencies can also drive the actual roadmap by
leveraging the connections to plan an optimal deployment.
›› Lack of executive stakeholder support and commitment for funding. IAM projects are often
complex and broadly scoped undertakings, making them vulnerable to cuts from execs with
limited patience and budget. Supplementing an executive IAM presentation with an IAM roadmap
execution track record that details how you planned for activities and how you went live with them
is the most effective tool to maintain executive rapport for IAM projects. Also, using the roadmap to
lay out a phased approach to large projects, with key milestones to mark progress along the way, is
a strategy that successful IAM teams employ.3
© 2020 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 2
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals December 30, 2020
Build Your Identity And Access Management Roadmap
Roadmap: The Identity And Access Management Playbook
›› Undefined metrics for success. S&R pros often struggle with defining and selecting the most
appropriate metrics to measure IAM success. An overabundance of signals can lead to paralysis by
overanalysis or measuring too many things that don’t really matter. The best approach is to identify
areas of risk and inefficiency and select metrics that can be used to measure improvements. S&R
pros can measure quantitative metrics (e.g., reduction in password reset costs from user self-
service) as well as qualitative ones (e.g., risk reduction and improved user productivity). S&R pros
also struggle with capturing and reporting on IAM metrics in a comprehensive and consistent way.
Disparate systems, processes, and reporting tools make this difficult. Selecting the right metrics
and limiting what you collect to only the essentials make this barrier much easier to overcome.4
IAM Roadmap Build-Out And Update Are Key To The IAM Strategy Cycle
Security teams that create IAM strategies resulting in successful implementations go through an
iterative process to refine and further build out their strategy. The process includes six steps: 1) assess
the current state and refine process mapping to IAM; 2) engage relevant cross-functional stakeholders;
3) confirm the scope; 4) define appropriate metrics to measure success; 5) detail recommendations
and define the future-state roadmap; and 6) communicate progress and value (see Figure 1). We
describe steps 1, 2, 3, 4, and 6 in our IAM strategic plan report. This report focuses on step 5, detailing
recommendations and defining a roadmap. Step 5 must be well-executed to ensure that progress and
value can be effectively communicated in the final stage. Best practices include:
›› Treat IAM as a program, not a project or product. IAM has implications across many aspects of
the organization, so it’s essential that you treat IAM as an overall program with multiple functional
capabilities and not just as an individual product deployment. This means creating a governance
leadership team that defines and manages the entire IAM roadmap and strategy. The roadmap is a
living document. It should have a rolling 12-month plan that is adjusted as business requirements,
budget, or unforeseen external factors change the landscape.
›› Focus on projects that solve as many of your highest priority problems as possible. To
garner support for a potentially disruptive and costly IAM project you must first identify the
parts of your IAM program in most critical need of fixing. Determine this based on observations
of relative maturity compared to peers and include supporting facts (see Figure 2). Linking
recommendations to observations helps justify your reasoning and overcome resistance (see
Figure 3). Tying IAM changes to business transformation efforts and external-facing website
redesign plans is a natural way to enhance the likelihood of gaining the approval and funding to
see these projects through to completion.
›› Start simple, then apply lessons learned to more-complex projects. When prioritizing roadmap
activities of equal merit and criticality, start with the less complex option — for instance, implement
a privileged identity management vault for IT admins before an entitlements management project
covering thousands of applications for tens of thousands of global employees. Then break the
© 2020 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 3
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals December 30, 2020
Build Your Identity And Access Management Roadmap
Roadmap: The Identity And Access Management Playbook
entitlements management project into bite-sized pieces. Mature IAM teams approach such
projects on an application-by-application basis, starting with the well-defined; then, with the basics
mastered, they move on to the more complex tasks. Assess IAM maturity levels to determine how
to prioritize budgets and resources (see Figure 4). It’s also a good idea to look at the firm’s overall
security posture and see how IAM fits into a Zero Trust Model.5
›› Reinforce the weakest links. Sometimes, you’ll have to fix a gaping security or compliance hole,
such as adding MFA for a remote workforce, or privileged identity and access controls for cloud
platforms with excessive permissions. Conducting or updating an IAM maturity assessment helps
point out the weakest links.6 Completing the self-assessment at defined intervals (consider redoing
the assessment every 180 days) also helps you track and monitor progress, which you can then
share with other key stakeholders and senior executives.
›› Develop a detailed roadmap of your recommendations. Once you’ve established the tie-backs
for recommendations, you need to define a realistic roadmap outlining the implementation plans.
A roadmap doesn’t need to be a full-blown project plan; it’s a visual tool to understand resource
requirements, interdependencies, and project durations (see Figure 5). It’s also a good idea to
embed the IAM roadmap into a broader IT security roadmap. In so doing you will align with overall
strategic plans, thus making IAM more relevant and, in turn, will have more success in building and
maintaining executive support.
Communicate progress
engage stakeholders.
and value.
Detail recommendations
Confirm the scope.
and define a roadmap.
© 2020 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 4
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals December 30, 2020
Build Your Identity And Access Management Roadmap
Roadmap: The Identity And Access Management Playbook
our company,
in comparison supporting facts about
status Area with peers our business-critical problems
Web single sign-on Ahead A web single sign-on product is implemented for a
large number of applications, for password resets, and
to lock out accounts not used for 60 days.
Directory Ahead Two main AD domains exist: DoM1 and DoM2; most
infrastructure authentication (from web SSo applications) happens
against these AD domains.
© 2020 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 5
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals December 30, 2020
Build Your Identity And Access Management Roadmap
Roadmap: The Identity And Access Management Playbook
e
d
ur
ar
d
ct
gr nd
bo
n
on
or
tio
ru
ce atio
en tity
g
te n a
io
w
n-
ce
in
st
a
at
ss
c
em en
on
ig
Ac y in tio
ra
an
ifi
er
ie pa
s
ag id
nf
si
rt
rit ec
rn
d
le
em ry i
vi
fe
an ed
lic e
ve
cu rot
ng
e
ro
s
y
po loy
m leg
ss
o
go
si
se a p
rp
tit
ct
ce
p
i
eb
en
ire
M
se
iv
at
Pr
IA
W
Id
D
D
Assign default
owners to data
assets
Set up broad
separation of
duties detection &
prevention rules
expand RBAC
Continue with
strong
authentication
implementation
implement a CoTS
PiM solution
Track cost of
iAM-as-a-service
elevate iAM
coordination to
executive level
© 2020 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 6
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals December 30, 2020
Build Your Identity And Access Management Roadmap
Roadmap: The Identity And Access Management Playbook
FIGURE 4 Use The Forrester IAM Maturity Model To Provide Recommendations And Rationales
© 2020 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 7
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals December 30, 2020
Build Your Identity And Access Management Roadmap
Roadmap: The Identity And Access Management Playbook
Q1 Q2 Q3 Q4
Project
requirements: extend privileged identity mgmt. solution to
A Bc Devops and cloud
• SoW
• Sponsor/Po/PM
• Budget
Access recertification
• Resources campaign
Aligned • interdependencies
to overall
Active Directory clean-up
security
strategy
Recommendations
© 2020 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 8
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals December 30, 2020
Build Your Identity And Access Management Roadmap
Roadmap: The Identity And Access Management Playbook
›› Align IAM roadmap to overall security strategy. Provided that your organization has a prevailing
security strategy, such as Zero Trust, prioritize the IAM initiatives that help fulfill that broader
strategy. For instance, replace passwords with stronger authentication methods to verify identities
with a high level of assurance before granting access. If your organization does not have a well-
defined security strategy, then the IAM team has an opportunity to provide leadership in defining
one and rallying other security teams around a common purpose.
›› Identify business benefits realized through IAM. IAM projects help shift the perimeter of the
enterprise from the network to identities. Ongoing, scalable, and robust security is impossible
unless you imbue the concept of identity into every process and data element that needs
protection.8 Employee and customer satisfaction improvements, such as quick access to seamless
cloud and on-premises apps using SSO and passwordless authentication, help your organization
serve its customers better.
›› Revisit and course correct the IAM roadmap as needed. The IAM roadmap should be loosely
coupled with the organization’s overall security strategy and roadmap. It should also be sequenced
to prioritize the biggest gaps in security or areas of highest risk. Yet, reality will get in the way
and you will need to make adjustments because of things like staffing shortages, changes to the
business (M&A, restructuring, new business initiatives) or external factors (pandemics, extreme
weather). Update the roadmap on a rolling 12-month basis so that it remains current to reflect new
changes and gives you headlights to see where you are going for the coming year. In addition, you
will be more prepared for major annual updates that align to the organization’s fiscal year.
›› Use metrics to quantify cost avoidance and user productivity gains. IAM projects often
involve replacing security solutions that were built in-house, require manual processes, can’t
be refactored for modern use cases, and are expensive to maintain. Identity management and
governance (IMG) solutions, for instance, come with big price tags, but they automate tedious,
manual user account provisioning, deprovisioning, transfer, and recertification projects, which
can be a much bigger drain on IT budgets over time. Justify the costs by quantifying the financial
implications of the status quo — manual and inefficient processes, misdirected resources and
consultants to maintain, lost business productivity, etc. Capture before and after metrics related
to end user and admin productivity (e.g., average time for onboarding a new employee or for
application approval processes).
›› Track budget overruns. IAM has so many integrations and dependences with applications, IT
infrastructure, and business processes, that unforeseen costs are sure to arise. Understanding
the difference between planned and actual budgets for an IAM project after an implementation,
whether successful or unsuccessful, is key to tuning the factors such as project scoping, IAM team
composition, and, ultimately, your organization’s IAM strategy.9
© 2020 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 9
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals December 30, 2020
Build Your Identity And Access Management Roadmap
Roadmap: The Identity And Access Management Playbook
To help you put research Translate research into Join our online sessions
into practice, connect action by working with on the latest research
with an analyst to discuss an analyst on a specific affecting your business.
your questions in a engagement in the form Each call includes analyst
30-minute phone session of custom strategy Q&A and slides and is
— or opt for a response sessions, workshops, available on-demand.
via email. or speeches.
Learn more.
Learn more. Learn more.
Endnotes
1
See the Forrester report “Build Your Identity And Access Management Strategy.”
2
See the Forrester report “Forrester’s Identity And Access Management Maturity Assessment.”
3
See the Forrester report “Making The Business Case For Identity And Access Management.”
4
See the Forrester report “Develop Actionable Business-Centric Identity And Access Management Metrics.”
5
See the Forrester report “A Practical Guide To A Zero Trust Implementation.”
6
See the Forrester report “Forrester’s Customer IAM Security Maturity Assessment Model.”
7
See the Forrester report “Making The Business Case For Identity And Access Management.”
8
See the Forrester report “The Zero Trust eXtended (ZTX) Ecosystem.”
9
See the Forrester report “Building A Customer-Obsessed IAM Team.”
© 2020 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 10
Citations@forrester.com or +1 866-367-7378
forrester.com
Client support
For information on hard-copy or electronic reprints, please contact Client Support at
+1 866-367-7378, +1 617-613-5730, or clientsupport@forrester.com. We offer quantity
discounts and special pricing for academic and nonprofit institutions.
142514