Collected ramblings from the last few months....

  • If you are managing identities and accesses within your organization, waiting for the regulators to write you up is a bad policy. Getting ahead of them and addressing gaps before they get too wide puts you in control. Knee-jerk reaction costs money, and poor planning results in long-term mistakes. So get ahead of the game and start the year right.

  • When it comes to jewelry and important papers, we all know better than to hide them around the house in obscure spots, hoping they cannot be easily found! Right? Can we apply the same principle when it comes to passwords, especially those that secure what matters? Password vaulting has been around for a long time and there are plenty of good tools. Obfuscation is not the same as security, especially as hackers today have the tools and the bandwidth to get at even complex passwords.

  • An IAM architect called me up the other day and told me his organization was struggling to implement an identity governance and administration (IGA) solution. They had followed analyst recommendations in setting up project teams and selecting the best tool for the job, and yet two years later they had very little to show for it. Their problem, it turned out, was that the tool expected them to use roles to perform all the governance functions, and nobody could figure out an effective way to get a meaningful set of roles. Role mining left them with more roles than users; top-down efforts failed due to lack of support from the business and stakeholders. So they took the worst possible step - they threw out the tool and decided to start again. Sound familiar? If you or anyone you know is going through this, remember there is no silver bullet. It takes a clear vision, well-defined goals, planning and the involvement of the business, IT and InfoSec to get something like this off the ground. Going it alone will not get you there.

  • Should an IAM program governance committee include the business? Absolutely. Otherwise, the business teams will continue to build identity functions into their applications, and IT or InfoSec will struggle to integrate them into their enterprise solution.
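An added illustration (not from the original post) of why the bottom-up role mining in the IGA story above can leave you with more roles than users: the users and entitlement names are constructed and hypothetical, and the support-threshold variant goes beyond the post to show the trade-off between fewer roles and how much access they explain.

```python
from itertools import combinations

# Constructed sample: hypothetical users and entitlement names, not from any real system.
USERS = {
    "alice": {"erp.read", "erp.post", "hr.read"},
    "bob":   {"erp.read", "erp.post"},
    "carol": {"erp.read", "hr.read", "hr.edit"},
    "dave":  {"erp.read", "hr.read"},
    "erin":  {"crm.read", "crm.edit", "erp.read"},
    "frank": {"crm.read", "erp.read"},
    "grace": {"crm.read", "crm.edit", "hr.read"},
    "heidi": {"hr.read", "hr.edit", "erp.post"},
}

def naive_role_mining(users):
    """One candidate role per distinct entitlement set, plus a single-entitlement role
    for every entitlement so that every assignment is covered. With mostly unique
    access profiles this yields more roles than users."""
    roles = {frozenset(ents) for ents in users.values()}
    roles |= {frozenset([e]) for ents in users.values() for e in ents}
    return roles

def support_role_mining(users, min_support=2, min_size=2):
    """Keep only entitlement combinations held together by at least min_support users
    and containing at least min_size entitlements; return the maximal ones."""
    entitlements = sorted(set().union(*users.values()))
    frequent = set()
    for size in range(min_size, len(entitlements) + 1):
        for combo in combinations(entitlements, size):
            role = frozenset(combo)
            if sum(role <= ents for ents in users.values()) >= min_support:
                frequent.add(role)
    # Drop any role strictly contained in another frequent role.
    return {r for r in frequent if not any(r < other for other in frequent)}

def coverage(users, roles):
    """Fraction of (user, entitlement) assignments explained by a role the user fully holds.
    Whatever is left uncovered must be handled as exceptions or direct assignments."""
    total = covered = 0
    for ents in users.values():
        held = set().union(*(r for r in roles if r <= ents))
        total += len(ents)
        covered += len(ents & held)
    return covered / total

if __name__ == "__main__":
    naive, pruned = naive_role_mining(USERS), support_role_mining(USERS)
    print(len(USERS), "users;", len(naive), "naive roles;", len(pruned), "pruned roles")
    print("coverage: naive", coverage(USERS, naive), "pruned", round(coverage(USERS, pruned), 3))
```

The naive pass produces 14 roles for 8 users with full coverage; the support-threshold pass produces 6 roles that explain 20 of 21 assignments, leaving one access for a business owner to justify rather than a role catalogue nobody can review.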

Mergers, Acquisitions and Identities