
Build Your Identity And Access Management Roadmap
Roadmap: The Identity And Access Management Playbook

by Sean Ryan and Andras Cser
December 30, 2020

Why Read This Report

You must base your identity and access management (IAM) roadmap on a well-defined strategy that establishes and articulates the business need and value of IAM across your entire organization. Your IAM roadmap should be flexible and specific, and it should describe short-, medium-, and long-term IAM activities for the next 18 to 24 months and be updated at least annually. In this report, we provide security and risk (S&R) leaders with systematic guidance on how to develop and sustain a compelling IAM roadmap.

Key Takeaways

An IAM Roadmap Translates IAM Strategy Into Action
A roadmap defines the synergies, sequences, and priorities for your organization’s IAM program. It also aligns IAM with your organization’s overall security and IT strategy. Without an IAM roadmap, priorities shift on a whim, timelines slip, and misalignment of activities ensues — resulting in ineffective, reactive IAM practices.

Align Roadmap Items To IAM Observations
To successfully execute on your firm’s IAM strategy, IAM roadmap activities should solve the identified identity-related problems within your organization. Prioritize these activities based on potential business impact, complexity, maturity, and your organization’s functional skill sets.

For Security & Risk Professionals

by Sean Ryan and Andras Cser, with Merritt Maxim, Benjamin Corey, and Peggy Dostie

Table Of Contents

2 A Detailed Roadmap Is An Essential Component For IAM Success

3 IAM Roadmap Build-Out And Update Are Key To The IAM Strategy Cycle

Recommendations

8 Track IAM ROI Closely, And Modify IAM Strategy As Needed

Related Research Documents

Build Your Identity And Access Management Strategy

Forrester’s Identity And Access Management Maturity Assessment

Making The Business Case For Identity And Access Management


Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA


+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com
© 2020 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®,
Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research,
Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing
is a violation of copyright law. Citations@forrester.com or +1 866-367-7378

A Detailed Roadmap Is An Essential Component For IAM Success


By executing against a well-defined IAM roadmap, S&R teams can expect to achieve their goals through
strategic alignment, investment in the right places, sequencing of activities, and time spent wisely. On
the other hand, IAM programs without adequate planning are doomed to fail. Postmortems of IAM
project delays and failed implementations usually point to the following project-ending mistakes:

›› Premature vendor selection. Organizations often skip an initial assessment of their current IAM
state and immediately jump to RFPs and vendor selection.1 This happens even more often when
decisions are driven by a compliance violation or another nonstrategic trigger. Regardless, this
is a recipe for failure. Instead, organizations should conduct an IAM assessment that includes an
evaluation of the current directory architecture, an inventory of the existing application portfolio,
and other key foundational tasks such as entitlement cleanup and role design.2 S&R pros can then
assess the results to identify priorities and ensure proper alignment with the roadmap. IAM is 70%
people, process, and politics: mapping out and documenting nontechnical requirements is more
important here than in any other security discipline. If you ignore these nontechnical requirements, be
prepared to deal with a chaotic IAM deployment.

›› Incomplete understanding of how business processes map to IAM. A good IAM
implementation provides a 360-degree view of the enterprise’s joiner, mover, and leaver processes
as well as access policy enforcement processes across lines of business, geographies, etc.
Security professionals often lack the deep familiarity with IAM processes that interweave multiple
apps, user populations, machine identities, and data platforms (cloud and on-prem). This can lead
to unforeseen issues when products are deployed on top of existing processes. At this point, the
IAM teams are left with three unpalatable options: 1) spend lots of time and money to customize
the product; 2) change business processes to fit the product; or 3) start planning an expensive rip-
and-replace project for the recently deployed product.

›› Failure to account for interdependencies among IAM capabilities. IAM projects are often
closely related; you can automate user account provisioning only if your user stores and federation
processes and tools are in order. Multifactor authentication (MFA) is best implemented if you have
a well-oiled machine of a web environment with single sign-on (SSO) across the board. An IAM
roadmap forces discovery and planning for these interdependencies and thus reduces rework and
the cost of IAM implementation. These interdependencies can also drive the actual roadmap by
leveraging the connections to plan an optimal deployment.

›› Lack of executive stakeholder support and commitment for funding. IAM projects are often
complex and broadly scoped undertakings, making them vulnerable to cuts from execs with
limited patience and budget. Supplementing an executive IAM presentation with an IAM roadmap
execution track record that details how you planned for activities and how you went live with them
is the most effective tool to maintain executive rapport for IAM projects. Also, using the roadmap to
lay out a phased approach to large projects, with key milestones to mark progress along the way, is
a strategy that successful IAM teams employ.3


›› Undefined metrics for success. S&R pros often struggle with defining and selecting the most
appropriate metrics to measure IAM success. An overabundance of signals can lead to paralysis by
overanalysis or measuring too many things that don’t really matter. The best approach is to identify
areas of risk and inefficiency and select metrics that can be used to measure improvements. S&R
pros can measure quantitative metrics (e.g., reduction in password reset costs from user self-
service) as well as qualitative ones (e.g., risk reduction and improved user productivity). S&R pros
also struggle with capturing and reporting on IAM metrics in a comprehensive and consistent way.
Disparate systems, processes, and reporting tools make this difficult. Selecting the right metrics
and limiting what you collect to only the essentials make this barrier much easier to overcome.4

IAM Roadmap Build-Out And Update Are Key To The IAM Strategy Cycle
Security teams that create IAM strategies resulting in successful implementations go through an
iterative process to refine and further build out their strategy. The process includes six steps: 1) assess
the current state and refine process mapping to IAM; 2) engage relevant cross-functional stakeholders;
3) confirm the scope; 4) define appropriate metrics to measure success; 5) detail recommendations
and define the future-state roadmap; and 6) communicate progress and value (see Figure 1). We
describe steps 1, 2, 3, 4, and 6 in our IAM strategic plan report. This report focuses on step 5, detailing
recommendations and defining a roadmap. Step 5 must be well-executed to ensure that progress and
value can be effectively communicated in the final stage. Best practices include:

›› Treat IAM as a program, not a project or product. IAM has implications across many aspects of
the organization, so it’s essential that you treat IAM as an overall program with multiple functional
capabilities and not just as an individual product deployment. This means creating a governance
leadership team that defines and manages the entire IAM roadmap and strategy. The roadmap is a
living document. It should have a rolling 12-month plan that is adjusted as business requirements,
budget, or unforeseen external factors change the landscape.

›› Focus on projects that solve as many of your highest priority problems as possible. To
garner support for a potentially disruptive and costly IAM project, you must first identify the
parts of your IAM program in most critical need of fixing. Determine this based on observations
of relative maturity compared to peers and include supporting facts (see Figure 2). Linking
recommendations to observations helps justify your reasoning and overcome resistance (see
Figure 3). Tying IAM changes to business transformation efforts and external-facing website
redesign plans is a natural way to enhance the likelihood of gaining the approval and funding to
see these projects through to completion.

›› Start simple, then apply lessons learned to more-complex projects. When prioritizing roadmap
activities of equal merit and criticality, start with the less complex option — for instance, implement
a privileged identity management vault for IT admins before an entitlements management project
covering thousands of applications for tens of thousands of global employees. Then break the
entitlements management project into bite-sized pieces. Mature IAM teams approach such
projects on an application-by-application basis, starting with the well-defined; then, with the basics
mastered, they move on to the more complex tasks. Assess IAM maturity levels to determine how
to prioritize budgets and resources (see Figure 4). It’s also a good idea to look at the firm’s overall
security posture and see how IAM fits into a Zero Trust Model.5

›› Reinforce the weakest links. Sometimes, you’ll have to fix a gaping security or compliance hole,
such as adding MFA for a remote workforce, or privileged identity and access controls for cloud
platforms with excessive permissions. Conducting or updating an IAM maturity assessment helps
point out the weakest links.6 Completing the self-assessment at defined intervals (consider redoing
the assessment every 180 days) also helps you track and monitor progress, which you can then
share with other key stakeholders and senior executives.

›› Develop a detailed roadmap of your recommendations. Once you’ve established the tie-backs
for recommendations, you need to define a realistic roadmap outlining the implementation plans.
A roadmap doesn’t need to be a full-blown project plan; it’s a visual tool to understand resource
requirements, interdependencies, and project durations (see Figure 5). It’s also a good idea to
embed the IAM roadmap into a broader IT security roadmap. Doing so aligns IAM with overall
strategic plans, which makes IAM more relevant and, in turn, makes it easier to build and
maintain executive support.

FIGURE 1 The Annual IAM Strategy Lifecycle

[Cycle diagram; center: Build your IAM strategic plan.]

1. Assess the current state, engage stakeholders.
2. Confirm the scope.
3. Define metrics that matter to the business.
4. Detail recommendations and define a roadmap.
5. Communicate progress and value.


FIGURE 2 An Example Summary Of IAM Observations And Supporting Facts

Status legend: Critical / Severe / Acceptable

Area | Our company, in comparison with peers | Supporting facts about our business-critical problems
Data protection and security integration | Behind | We have no comprehensive mapping of file shares to AD, no DLP/eRM, no data content tagging.
Access certification | Behind | We use manual processes for access recertification; there is no data assets access recertification, no preventive or detective separation of duties checks.
User provisioning and governance | On par | There is a continuous update of identity management solutions for employees and business partners.
Identity federation | On par | We have nonstandard web services protection, difficult-to-map internal to external roles’ translations, and we can’t support SaaS applications adequately.
Privileged identity management | On par | There is no registry of privileged systems; credentials are embedded in property and configuration files for API calls and database access.
IAM governance board | Ahead | Planning of IAM strategy is systematic, HR is involved in IAM, and the company is conscious of the business value-add of IAM.
Web single sign-on | Ahead | A web single sign-on product is implemented for a large number of applications, for password resets, and to lock out accounts not used for 60 days.
Directory infrastructure | Ahead | Two main AD domains exist: DOM1 and DOM2; most authentication (from web SSO applications) happens against these AD domains.
Employee password policies | Ahead | Centralized user identification is provided by a custom downstream system, and web SSO provides SSPR; most authentication is against AD so there is no major need for password sync.


FIGURE 3 Link Recommendations To Observations And IAM Activities

[Matrix; rows are sample detailed recommendations, columns are the IAM areas from Figure 2, cells rated Critical / Severe / Acceptable. Column headers not recoverable from extraction.]

Sample detailed recommendations:
• Assign default owners to data assets
• Set up broad separation of duties detection & prevention rules
• Use COTS access recertification solution
• Expand RBAC
• Continue with strong authentication implementation
• Implement a COTS PIM solution
• Track cost of IAM-as-a-service
• Elevate IAM coordination to executive level


FIGURE 4 Use The Forrester IAM Maturity Model To Provide Recommendations And Rationales

Forrester’s composite IAM maturity model

Identity management
• User provisioning
• Enterprise job role management
• Segregation of duties policies
• Employee password policies
• User self-service
• Entitlement management
• Privileged identity management
• Access certification
• Directory infrastructure

Access management
• Web single sign-on
• Customer IAM
• Cloud access management
• Identity federation
• API security
• Security integration
• Two-factor authentication
• Risk-based authentication

Governance and program management
• IAM governance board
• IAM risk analysis
• IAM budgeting


FIGURE 5 Align IAM Roadmap To Recommendations And Overall Security Strategy

[Gantt-style chart; timeline Q1 through Q4. Phase 1: identity mgmt. & governance rollout; Phase 2: identity mgmt. & governance rollout. All items are aligned to the overall security strategy.]

Project requirements:
• SOW
• Sponsor/PO/PM
• Budget
• Resources
• Interdependencies

Roadmap items:
• Extend privileged identity mgmt. solution to DevOps and cloud
• Access recertification campaign
• Active Directory clean-up
• IAM/OWASP pen testing
• Update password policies
• Research/evaluate IAM options for data lakes
• Upgrade MFA, add conditional access
• CIAM workflow improvements
• Integrate CIAM with CRM and master data mgmt.

Resourcing legend: >5 full-time employees (FTEs); 2 to 5 FTEs; <2 FTEs

Recommendations

Track IAM ROI Closely, And Modify IAM Strategy As Needed


Tracking metrics arms you with the data to fund the projects on your roadmap. You can use metrics
to prove that a given project improved efficiency or reduced risk in a measurable way, and in this way
prove out ROI. It’s difficult for naysayers to argue with substantiated and quantified process
improvements, especially in employee and customer satisfaction, labor costs for identity administration,
and the overall cost of security. Therefore, when recommending activities, be sure to
enumerate their estimated cost and expected benefits.7 You will also be able to use these to aid
prioritization, sequencing, and keeping executive stakeholders up to speed on status. S&R pros should:


›› Align IAM roadmap to overall security strategy. Provided that your organization has a prevailing
security strategy, such as Zero Trust, prioritize the IAM initiatives that help fulfill that broader
strategy. For instance, replace passwords with stronger authentication methods to verify identities
with a high level of assurance before granting access. If your organization does not have a well-
defined security strategy, then the IAM team has an opportunity to provide leadership in defining
one and rallying other security teams around a common purpose.

›› Identify business benefits realized through IAM. IAM projects help shift the perimeter of the
enterprise from the network to identities. Ongoing, scalable, and robust security is impossible
unless you imbue the concept of identity into every process and data element that needs
protection.8 Employee and customer satisfaction improvements, such as quick access to seamless
cloud and on-premises apps using SSO and passwordless authentication, help your organization
serve its customers better.

›› Revisit and course-correct the IAM roadmap as needed. The IAM roadmap should be loosely
coupled with the organization’s overall security strategy and roadmap. It should also be sequenced
to prioritize the biggest gaps in security or areas of highest risk. Yet reality will get in the way,
and you will need to make adjustments because of things like staffing shortages, changes to the
business (M&A, restructuring, new business initiatives), or external factors (pandemics, extreme
weather). Update the roadmap on a rolling 12-month basis so that it remains current, reflects new
changes, and gives you headlights to see where you are going for the coming year. In addition, you
will be better prepared for major annual updates that align to the organization’s fiscal year.

›› Use metrics to quantify cost avoidance and user productivity gains. IAM projects often
involve replacing security solutions that were built in-house, require manual processes, can’t
be refactored for modern use cases, and are expensive to maintain. Identity management and
governance (IMG) solutions, for instance, come with big price tags, but they automate tedious,
manual user account provisioning, deprovisioning, transfer, and recertification projects, which
can be a much bigger drain on IT budgets over time. Justify the costs by quantifying the financial
implications of the status quo — manual and inefficient processes, misdirected resources and
consultants to maintain, lost business productivity, etc. Capture before and after metrics related
to end user and admin productivity (e.g., average time for onboarding a new employee or for
application approval processes).

›› Track budget overruns. IAM has so many integrations and dependencies with applications, IT
infrastructure, and business processes that unforeseen costs are sure to arise. Understanding
the difference between planned and actual budgets for an IAM project after an implementation,
whether successful or unsuccessful, is key to tuning factors such as project scoping, IAM team
composition, and, ultimately, your organization’s IAM strategy.9



Endnotes

1. See the Forrester report “Build Your Identity And Access Management Strategy.”
2. See the Forrester report “Forrester’s Identity And Access Management Maturity Assessment.”
3. See the Forrester report “Making The Business Case For Identity And Access Management.”
4. See the Forrester report “Develop Actionable Business-Centric Identity And Access Management Metrics.”
5. See the Forrester report “A Practical Guide To A Zero Trust Implementation.”
6. See the Forrester report “Forrester’s Customer IAM Security Maturity Assessment Model.”
7. See the Forrester report “Making The Business Case For Identity And Access Management.”
8. See the Forrester report “The Zero Trust eXtended (ZTX) Ecosystem.”
9. See the Forrester report “Building A Customer-Obsessed IAM Team.”
