Recipe for failure
Six habits to ruin Identity and Access Management
March 2013
KPMG in the Netherlands
drs. Mike Chung RE
Facts and figures
• Most large IT projects have significant cost overruns, deliver far less than anticipated, and one in six projects is a ‘black swan’ (Oxford Business School 2011)
• Over 75% of IAM projects deliver less than expected (KPMG 2009)
• Almost 50% of IAM projects fail outright (KPMG 2009)
From mess to menace: your route to chaos
Automation of access
Proliferation of accounts
Rise of IAM
Push for compliance
Age of numbness
Lost to the cloud
Chaos:
• Myriad of access permissions
• Password madness
• Maze of interfaces
• Security leaks
• Non-compliance
• Higher costs
Habit I: Assign to the wrong department
• Burden IT with business responsibilities
• Expect IT to have a full understanding of business processes, compliance and the value of data
• Do as you please
Why do we do that?
• IAM is perceived as an IT issue
• IAM technology vendors talk to IT managers
• Deployment of directories and user repositories is initiated by IT departments
Habit II: Never stop expanding
• Increase the number of accounts blindly
• Create GPOs, groups, nested groups and more groups
• ... and shares and SharePoint sites
Why do we do that?
• We (people) are driven to provide instant solutions without considering the consequences
• Integrating IAM landscapes after mergers and acquisitions is often complex and labour-intensive
• Applications often offer functionality that is easy to use but difficult to govern
Habit III: Work towards complexity
• Deploy multiple directories, virtual directories and repositories
• Implement that fancy IAM system, password wallets, PAM, SIEM, access governance application, data governance tool
• Delight your organisation with enterprise RBAC, policy-based access, context-based IAM and whatever sounds vaguely credible
Why do we do that?
• The IAM industry is fast-moving, with many new technologies and products
• Issues in one application are patched by another application with issues of its own, which is patched by ...
• In theory, theory and practice are the same; in practice, they are not (Albert Einstein)
Habit IV: Trivialize the importance
• Remember: excessive access is far better than no access
• Ignore security leaks, or better: convince yourself that IAM has nothing to do with security
• Pass audit findings to someone else; what about the IT department?
Why do we do that?
• Business users perceive access as a (human) right and excessive access as a secondary consideration
• Security awareness is often low
• Data security is seen as an issue for IT alone, and the IT department sees it the same way
Habit V: Hear no evil, see no evil
• Keep the end-state of IAM obscure
• Keep the current state of IAM unknown to everybody else, and to yourself
• Then ask yourself: how am I supposed to know the delta?
Why do we do that?
• We have no protocol of behaviour for things we don't see (Nassim Nicholas Taleb)
• We take a lot of risks because we are comfortable not seeing them
• We are notoriously bad at estimating the magnitude of complex, abstract issues
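Habit II (blindly nested groups) and Habit V (not knowing the delta between the current and the intended state) are two sides of the same problem: once groups nest, nobody can say from the ACL alone who actually reaches a resource. The example below is added here and is not part of the original deck or of any KPMG tooling. It builds a small, constructed directory (the group, user and resource names are invented), resolves effective membership through nested groups while surviving a membership cycle, and diffs the resulting effective access against an intended access model to produce the delta the slide asks about.

```python
"""
Resolve effective group membership through nested groups and diff it
against an intended access model. All data below is constructed for the
example; names are assumptions, not taken from a real directory.
"""
from collections import deque

# Constructed directory: group -> direct members (users or other groups).
# Note the nesting and the membership cycle between two of the groups.
GROUPS = {
    "Finance-Users": {"alice", "bob", "Finance-Admins"},
    "Finance-Admins": {"carol", "Finance-Users"},      # cycle with Finance-Users
    "SharePoint-Contributors": {"Finance-Users", "dave"},
    "Domain-Admins": {"erin"},
    "Legacy-Migration": {"Domain-Admins", "Finance-Admins"},  # leftover from a merger
}

# Constructed ACLs: resource -> groups granted access.
ACLS = {
    "\\\\fileserver\\payroll": {"Finance-Admins"},
    "sharepoint:/sites/finance": {"SharePoint-Contributors"},
    "sharepoint:/sites/board": {"Legacy-Migration"},
}

# Intended model: what the business believes each person should reach.
INTENDED = {
    "alice": {"sharepoint:/sites/finance"},
    "bob": {"sharepoint:/sites/finance"},
    "carol": {"\\\\fileserver\\payroll", "sharepoint:/sites/finance"},
    "dave": {"sharepoint:/sites/finance"},
    "erin": set(),
}


def expand_group(group, groups=GROUPS):
    """Return the set of users reachable from `group` through nesting.

    Breadth-first traversal with a visited set, so a membership cycle
    (A contains B, B contains A) terminates instead of recursing forever.
    """
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        current = queue.popleft()
        for member in groups.get(current, ()):
            if member in groups:          # nested group: queue it once
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:                         # leaf principal (a user)
                users.add(member)
    return users


def effective_access(acls=ACLS, groups=GROUPS):
    """Map every user to the resources they can actually reach via any group."""
    access = {}
    for resource, granted in acls.items():
        for group in granted:
            for user in expand_group(group, groups):
                access.setdefault(user, set()).add(resource)
    return access


def access_delta(intended=INTENDED, acls=ACLS, groups=GROUPS):
    """Return {user: (excess, missing)} for every user whose actual access
    differs from the intended model; users that match are omitted."""
    actual = effective_access(acls, groups)
    delta = {}
    for user in set(intended) | set(actual):
        have, want = actual.get(user, set()), intended.get(user, set())
        if have != want:
            delta[user] = (have - want, want - have)
    return delta


if __name__ == "__main__":
    for user, (excess, missing) in sorted(access_delta().items()):
        print(f"{user}: excess={sorted(excess)} missing={sorted(missing)}")
```

On this constructed data, alice and bob reach the payroll share and the board site purely through nesting (Finance-Users contains Finance-Admins, which is in Legacy-Migration), and a Domain-Admins member inherits the board site from a group nobody remembers creating; only dave matches the intended model. Against a real directory the same shape of check applies: export groups and ACLs, resolve them transitively, and compare the result with what the business owners signed off, rather than reading the ACL at face value.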
Habit VI: Rush to the cloud
• Bypass IT on your way to SaaS
• Believe in the next big thing
• Quit asking questions and stop thinking
Why do we do that?
• Organisations are usually driven by costs, seldom by rational insights
• Our mind is made for fitness, not for truth (Steven Pinker)
• Many of us are not rational enough to be exposed to hype
Now act accordingly