Key Considerations to Evaluate Identity Governance Solutions
The selection process for identity governance products can be a costly, drawn-out, and ineffective exercise, if not planned and executed carefully.
By Martin Kuhlmann, Lead Solution Consultant, Global Blackbelt Team
Eight Key Considerations to Evaluate Identity Governance Solutions in an Effective Way
You have realized that you need an identity governance solution in your organization. But how do you embark on this initiative? You have probably already asked yourself: “How do we find the right product that has the desired capabilities, a product that fulfills business requirements, fits into the IT architecture, is future-proof, and that can be implemented as easily as possible?”
The selection process for identity governance products can be a costly, drawn-out, and ineffective exercise if it is not planned and executed carefully. That is why I would like to share some thoughts and experiences in this blog post on how to evaluate an identity governance solution and choose the right integration partner in a successful and cost-effective way.
Preparation is Key
Good preparation is key to a smooth selection process. First, and naturally, although this is sometimes neglected, a clear understanding of the business goals and requirements is an indispensable prerequisite for making the right decision. The spectrum of pains related to identity governance in an organization can be broad, ranging from urgent audit issues to efficiency gains in the user lifecycle, which makes it particularly important to set priorities. This also makes it easier for product vendors and system integrators to propose a spot-on solution. It is equally important to orchestrate the stakeholders that need to be involved, ranging from HR and the business organization to IT security people and system owners. You should define the selection process itself, including the decision criteria, the internal procurement process, how many people need to be involved in the decision and who they are, and who has the power to make the final decision.
As part of this, you should put together a timeline that on the one hand keeps the momentum going, but on the other hand is realistic and does not overstrain your organization and the people involved. If you are new to the identity governance field, it might be a good idea to engage an independent consultant who can help you screen the market and who can drive the process from a technical point of view.
What is the need for detailed requirements in the preparation phase?
If you have a well-defined catalog of existing IAM processes which you want to translate to the new solution, this is a good starting point; however, a common mistake is to map these one-to-one and then stick to that mapping throughout the vendor selection process. You should instead be open-minded and flexible enough to be inspired by the best practices and advice that vendors or integrators offer during the selection process. If you need to set up your requirements from scratch, it is a good idea to outline the desired processes and functions. There is no need for a detailed design at this stage, as it would limit your flexibility and could also delay the selection process.
Request for Information
To gain an understanding of the identity governance market and the products on the vendor selection list that you set up initially, you may issue a “Request for Information” (RFI). This can be a good option, especially if you want to get solution proposals for concrete challenges or want a checklist of how each product handles specific key requirements. Keep in mind that an RFI with a list of common IAM features that most likely every vendor can fulfill does not add much value to your process but will only delay it. An alternative to an RFI is a sequence of vendor presentations and workshops where you can have a dialogue with the experts, see the products live, and get inspired by the options.
Request for Proposal
After shortlisting a maximum of 3-4 vendors, you will most likely issue a Request for Proposal (RFP). In the RFP you formally check which vendor fulfills your requirements in the best possible way and which integrator is most likely to deliver a successful integration project.
The RFP should cover the following topics:
- Relevant use cases/processes: How does the vendor support these? The segmentation and key processes covered in detail in Omada’s IdentityProcess+ framework serve as a good guideline for this. You can identify which areas (Identity Lifecycle, Access Management, …) and which processes are most relevant for you, define any specific requirements, and ask how vendors have implemented them in their products.
- Detailed further functional requirements, aligned with your specific situation. For example, you might want to know how easily the data model or the workflows of the product can be adapted to your needs. If you are a large organization with many independent business units, you need to know how the product deals with importing identities from different HR systems. In the case of advanced governance requirements, you will probably want to understand how versatile the recertification concept is and whether it can be applied to roles, policies, and other objects beyond accounts and access rights. Or you may want to know how you can reconcile inconsistencies between the actual and the desired state of access. Role lifecycle management features might be of interest to you, as might the capabilities for managing technical accounts.
- Coverage of the target systems for which access needs to be managed in your organization, including any specifically desired functional support for provisioning.
- Questions on the required technical infrastructure for the new solution, including the technical basis on which it runs, prerequisites, technical interfaces, as well as security and authentication.
- Further non-functional requirements, such as the logical architecture and how it fits into your target architecture, user friendliness for all types of users through a homogeneous web portal, scalability, ease of operation, documentation, and so forth.
- The integrator’s project methodology and the concrete proposed project approach, and the availability of the appropriate mix of experienced project staff.
- General vendor information, including vendor viability, customer references, support, options to exchange information with other customers, release policy, training offering, and high-level roadmap.
- Information on the licensing scheme for on-premises and SaaS versions, depending on your preference, service models, and SLAs.
Apart from commercial aspects, the identity governance product selection process is all about confidence in how well the product fits your needs, and in the capability and trustworthiness of the integrator. The RFP and any presentations, workshops, and Q&A sessions should be tailored to this goal. Ideally, these activities result in a sound decision, and a pilot can be started that confirms the selection and provides some first benefits to the organization.
Proof of Concept
In case of doubt, you may run a Proof of Concept (PoC) before the final decision. To avoid a costly and long PoC phase while making it as meaningful as possible, you should consider the following aspects:
- Select a maximum of 2-3 vendors
- Make sure to set up consistent test data and clearly defined use cases. To save time and effort, focus on the key requirements that you still need to evaluate for your decision. Agree on the use cases and on the PoC agenda with each vendor.
- Define the success criteria for the PoC
- The key goal of the PoC should be to understand if and how the concept and proposals of the vendors cover your needs. To achieve this, you can ask the vendors to provide a full PoC environment and demonstrate your use cases in that environment – this saves costs and ramp-up time, and can deliver sufficient information to remove your final concerns. If needed, you may provide a set of anonymized sample demo data to make the use cases even more illustrative.
- You should take it as a given that leading identity governance solutions can connect to standard systems like Active Directory, AAD, AWS, SAP, and other major business applications, which means that an on-premises PoC can usually be avoided. However, if you still have specific reasons to run the PoC in your own data center, make sure that you plan the PoC diligently. Ask vendors for their prerequisites and make sure they are fulfilled at the start of the PoC. Coordinate the involvement of your business and technical teams during preparation and execution of the PoC to get the most out of the time spent.
The Internal Decision Process
Buying a new identity governance solution is not a frequent procedure. That makes it important to understand the internal decision and procurement processes in your organization.
You need to identify:
- Who should be involved in the decision process?
- Who needs to sign off on the project and investment?
- What budget does it come out of?
- When does procurement need to be involved?
The choice of an identity governance vendor and integrator establishes a partner relationship that lasts for years. That is what makes the selection process so important. Check facts and features systematically and find out where you have the lowest project risk. And get a feeling for how well you can work with your partners. Because all in all, it’s about trust.
Download the identity governance and administration (IGA) best practice process framework, IdentityPROCESS+, for further inspiration for your IGA initiatives.
Omada | July 2019
Dr. Martin Kuhlmann, Global Black Belt Senior Solution Architect, Omada, advises strategic customers and designs identity and access management solutions. Martin has been active in the IT security space for almost two decades and has been a frequent speaker and panelist at international conferences. As a consultant and strategist, he has had a leading role in various security integration projects in large organizations, specializing in identity management and access governance, and risk and compliance. Martin has published numerous journal articles and several scientific papers on role-based access control (RBAC) and application security. In 1992, he completed his doctorate in mathematics at Bochum University, Germany.
Identity Governance and Administration (IGA) Best Practice Process Framework
The Omada IdentityPROCESS+ e-book is a comprehensive best practice process framework that describes the most important processes needed to ensure a successful IGA deployment. The framework has been developed with the goal of supporting successful IGA projects and helping organizations implement well-proven best practice processes.