Recipe for failure - why IAM projects fail

Why do IAM projects fail so often? KPMG provides answers.

Recipe for failure
Six habits to ruin Identity and Access Management
March 2013
KPMG in the Netherlands
drs. Mike Chung RE

Facts and figures

• Most large IT projects have significant cost overruns, deliver far less than anticipated, and one in six projects is a ‘black swan’ (Oxford Business School 2011)
• Over 75% of IAM projects deliver less than expected (KPMG 2009)
• Almost 50% of IAM projects fail outright (KPMG 2009)

From mess to menace: your route to chaos

Automation of access
Proliferation of accounts
Rise of IAM
Push for compliance
Age of numbness
Lost to the cloud

Chaos
• Myriad of access permissions
• Password madness
• Maze of interfaces
• Security leaks
• Non-compliance
• Higher costs

Habit I: Assign to the wrong department
• Burden IT with business responsibilities
• Expect IT to have a full understanding of business processes, compliance and the value of data
• Do as you please

Why do we do that?
• IAM is perceived as an IT issue
• IAM technology vendors talk to IT managers
• Deployment of directories and user repositories is initiated by IT departments

Habit II: Never stop expanding
• Increase the number of accounts blindly
• Create GPOs, groups, nested groups and more groups
• ... and shares and SharePoint sites

Why do we do that?
• We (people) are driven to provide instant solutions without considering the consequences
• Integrating IAM landscapes after mergers and acquisitions is often complex and labour-intensive
• Applications often offer functionality that is easy to use but difficult to govern

Habit III: Work towards complexity
• Deploy multiple directories, virtual directories and repositories
• Implement that fancy IAM system, password wallets, PAM, SIEM, access governance application, data governance tool
• Treat your organisation to enterprise RBAC, policy-based access, context-based IAM and whatever sounds vaguely credible

Why do we do that?
• The IAM industry is a fast-moving industry with many new technologies and products
• Issues from one application are patched by another application with issues, which is patched by...
• In theory, theory and practice are the same – in practice, they are not (Albert Einstein)

Habit IV: Trivialize the importance
• Remember: excessive access is far better than no access
• Ignore security leaks, or better: convince yourself that IAM has nothing to do with security
• Pass audit findings to someone else – what about the IT department?

Why do we do that?
• Business users perceive access as a (human) right, and excessive access as a secondary consideration
• Security awareness is often low
• Data security is seen as solely an IT issue – and the IT department sees it that way too

Habit V: Hear no evil, see no evil
• Keep the end state of IAM obscure
• Keep the current state of IAM unknown to everybody else, and to yourself
• Then ask yourself: how am I supposed to know the delta?

Why do we do that?
• We have no protocol of behaviour for things we don’t see (Nassim Nicholas Taleb)
• We take a lot of risks because we are comfortable as long as we don’t see them
• We are notoriously bad at estimating the magnitude of complex, abstract issues

Habit VI: Rush to the cloud
• Bypass IT on your way to SaaS
• Believe in the next big thing
• Quit asking questions and stop thinking

Why do we do that?
• Organisations are usually driven by costs, seldom by rational insights
• Our mind is made for fitness, not for truth (Steven Pinker)
• Many of us are not rational enough to be exposed to hype

Now act accordingly

chung.mike@kpmg.nl