Deployment of identity and access management (IAM) solutions in SA will be a mammoth task to achieve.
This was revealed by Nishka Harase, project manager for IAM at Standard Bank, speaking at the CA Southern Africa IT Management Symposium at the Sandton Convention Centre yesterday.
Defining IAM, Harase said it is a policy- and process-based approach to centralise the management of user identities and access associated with them in order to increase efficiency while reducing costs and risks.
“Typically, an IAM solution comprises an identity repository where identities are stored and managed. This will also have a provisioning component, which is used to manage user access and connect systems and applications.”
He added that IAM also consists of a workflow solution by means of which requests related to identity management and provisioning are routed and actioned.
“It must also have an auditing component which is used to track user activities within the IAM solution.”
Harase also explained that IAM also boasts of a user interface - usually with Web portal - that end users employ to interact with the solution, such as requesting access to systems and applications or updating their details.
However, he noted that in terms of maturity, the country is still dabbling in the early stages, as there are various operational challenges pulling back implementation in organisations.
“On a scale of one to 10, I can give IAM maturity in South Africa a two. This is mainly because in many organisations you will find that IAM is not taken seriously as it often lacks tangible results,” he said.
Among the other operational challenges that IAM faces, Harase pointed out to the confusion that organisations usually have when it comes to the structure of setting up an IAM operations department.
“Most organisations do not know whether to outsource, in-source or co-source IAM and they usually also fail to determine the roles and responsibilities of the department. Another issue they struggle with is what steps to put in place to ensure that there is sufficient back-up, if staff turn over becomes a problem,” said Harase.
He also pointed out that when companies put in place IAM departments in place, the departments usually find resistance from line managers who, at times, might deliberately fail to comply with the stipulations of IAM arguing that the solution doesn't fall under their key performance areas or is not part of their job description.
To overcome these challenges, Harase said organisations must prepare an operations 'blueprint' early in the process.
“Don't wait till the last minute to set up the IAM operations department as an afterthought. However, you should involve the business when setting up the department,” he said.
He also urged that when IAM is in project mode, companies should run the set-up of the operations department as a separate work stream and prepare a scope document and schedule accordingly.
Harase also expressed that for IAM to be successful, implementers must also secure sponsorships or support from the executive, human resources as well as line managers.
“Above all appoint the correct people for the IAM operations department. Also, consider multiple certification campaigns throughout the year.”
Related story:
Access control critical for security
Share