Lack of planning can hamper governance and compliance efforts

The complexity of identity and access management (IAM) software requires adequate planning to ensure that the benefits filter through to the entire business.

According to Karel Rode, principal consultant for the Security Practice at IT management company CA, IAM is not off-the-shelf software. Rather than providing plug-and-play functionality, IAM is complex software that requires substantial planning and often staged deployments for success.
“While the benefits of IAM deployments – such as increased security, reduced IT costs and improved compliance and agility – have been well documented, planning is key to ensure that IAM has a positive impact on all business areas.”
The reason for IAM’s complexity is that it has a company-wide impact. It could, for example, affect organisational structures and business strategy, impact application development processes, influence compliance activities and shape customer interactions.
According to the IT Policy Compliance Group, firms with better IT governance enjoy much better performance than other organisations when it comes to satisfying and retaining customers and growing their revenues and profits.
The group’s research found that companies with the most mature practices typically have 17% higher revenues, 14% higher profits, 18% higher satisfaction rates and a staggering 96% lower financial loss from the loss or theft of customer data.
“The importance and benefits of IAM are clear, however, we are still finding organisations grappling with their IAM initiatives,” adds Rode. To this end, Gartner has identified a set of high-level best practices that provide guidance for ensuring the success of IAM initiatives.
The research firm based its best practices, grouped into three broad categories (planning and budgeting, design, and deployment), on insights gathered over the past few years and lessons learned from clients:
* Planning and budgeting practices: Aspects to consider include creating a cross-unit IAM programme with senior-level commitment and establishing a phased approach to delivering IAM solutions.
* Design practices – Repositories and role lifecycle management: During the design phase, organisations need to, among other things, strive for the fewest possible identity repositories, separate the authoritative repository from the enterprise directory and match the organisation’s culture and operations with a role framework.
* Deployment practices: Factors that need to be taken into account in terms of deployment include exploiting reduced or single sign-on infrastructures, using new authentication methods in unacceptably risky situations and monitoring the IAM market for managed services offerings.
“As the effects are potentially so broad, careful planning across all impacted areas is essential. The IT organisation needs to factor business, technical, political and regulatory issues into their planning to ensure the ongoing success of governance and compliance programmes,” concludes Rode.