Identity Governance and Administration (IGA) by definition refers to a set of processes and tools which enable lifecycle management of human and non human identities and efficient management of access into the different systems in an enterprise.
Michelin like many large enterprises has a complex portfolio of applications and infrastructure. Each addressing a different business need. At the same time all applications and infrastructure have one common need, to authenticate using a digital identity and to manage access to different resources and systems.
For many years, nearly all the authentication and authorization needs at Michelin relied on different directories (some of which synchronise or share its content with other directories). The access management itself was done with the aid of different tools and applications like ITSM (IT Service Management) system, Excel, local databases. There were many issues with this way of managing accounts and access. The significant risks being, poor or complete absence of life cycle management, the lack of visibility to different accounts and privileges held by an identity.
To address this problem, we at Michelin decided to implement Identity Governance as a way to manage identity life cycle and accesses to critical applications.
I wanted to share some of the things we experienced and continue to experience in the last 2 years.
If one searches Identity Governance benefits on the internet, you are more or less going to find the same list. So here is mine, there are not many surprises.
Improved Security Posture
One of the biggest and immediate benefits which Michelin was able to experience was improved security and reduced risk. With a governance centric approach one of the first things we implemented was uniform and simplified identity lifecycle management. It helped us enforce and remediate risk around orphan accounts, identities with inappropriate accesses and have a central authoritative view of "who has access to what".
The speed at which we could manage and control actions like provisioning, deprovisioning, recertifying identities and access took a big leap. This helped not just the Identity Access Management (IAM) domain but also business applications which experienced increase in their efficiency and reduced waste of resources.
Reduced Operational Costs
This transformation automated many cost and operation intensive processes like user provisioning, access request, recertification. It also brought a sense of empowerment to users to manage their accesses autonomously without them needing the help of Service Desk and Assistants.
Mergers & Acquisitions and De-mergers
Michelin has a clear vision of growing beyond the core tyre business which is shared with the employees and rest of the world. This vision has increased the number of M&A and de-merger actions within the enterprise. Simplified and uniform identity lifecycle management has allowed Mergers & Acquisitions and De-merge process to be implemented with ease and speed. We were aware that this would be one of the benefits but we were pleasantly surprised by the magnitude of benefit we have achieved.
This transformation like most was filled with challenges some technical but the difficult ones were more process and organizational culture related. I am sharing few of the non obvious ones here.
Fighting the organisational culture, Enthusiasm is not shared
Implementing identity and access governance requires very strong collaboration between many teams like HR, Business, End User eXperience.
Often IAM initiatives are seen as an hinderance or "non-productive" additional effort by business applications. In the end it boils down to organizational culture, this I believe was the biggest challenge we faced. The ensure their buy-in is to demonstrate to them the value this initiative would bring to their objectives.
Justifying the Return on Investment (ROI)
When we started this transformation journey while the core implementation team was fully convinced, it took a bit to convince different stakeholders why such a big transformation and spend is required. Justifying the ROI is one of the biggest challenges for any IAM initiative. One of the ways of succeeding in this is to link the IAM initiatives with the business objectives of the enterprise.
Processes - Complex, Missing !!!
Most IAM tools and solutions rely on processes, during the course of the implementation we realized many processes around identity and access management were either non uniform or too complex. At times there was very little documentation available, even completely missing !!!
We had to accompany different stakeholders, help them define, simplify and document their processes. Nearly every time we (IAM team) and the stakeholders came out with something better and efficient than what is existing.
Source of truth for identities
Identity Governance relies heavily on the sources of truth for Identities to manage the life cycle.
Source of truth for employees is very simple: it's the Human Resources system. However, the real challenge we faced was around defining source of truth of contractors, partners or non human entities. For these we had to get back to the drawing board and work with different teams and often members of the same teams who were using different processes because of different geographical needs.
Arriving at a single uniform life cycle management process versus respecting all the exceptions was very hard. One thing which really helped us in the processes was setting up "Golden" rules for life cycle management and use them as a basis.
Onboard and Improve vs Improve and Onboard
Identity Governance as a discipline at Michelin is still in its early stages. It is important to identify early and mandatory adopters. The success of such a program also heavily relies on the benefits reaped by these adopters.
Choice had to be made whether we first wait for our partnering systems to improve their existing processes and onboard them or first onboard them and then improve their processes.
In the end we took the mid-way, for the first wave we decided to go with integrating our ERP (Enterprise Resource Planning) system and End User Computing systems. We focused on onboarding them and in parallel simplifying the processes and tooling. This ensured benefits were immediately felt and experienced at all levels of the organization and our end users.
Success in the first wave gave us the liberty to insist on simplification of the business processes before on boarding them on the governance platform.
IAM will do everything
One of the expectations some of the business process owners had was that since IAM is part of the Identity Governance, the IAM team would manage all aspects of the implementation and roll out.
IGA heavily relies on business processes for its effectiveness. Some key aspects of IGA like access rights management process, recertification or change management are best led by the business process owners. We put together a RACI matrix which detailed the different stakeholders and the responsibilities which needs to be adhered to.
IAM team took the responsibilities of the solutioning, implementation and accompanied business process owners during the governance process definition, change management and roll outs. This ensured that the integrating systems did not get overwhelmed by the task at hand and did not feel lost.
Why IGA when I use IT Service Management System (ITSM)
This has been one common theme across many of our integrating systems on why integrate with IGA while they were already integrated with ITSM. In many cases the motivation to integrate with IGA was just limited to be able to automating provisioning and deprovisioning of access and perform workflow management of requests.
With a very cautious approach, we defined the "eligibility" criteria on when a system should integrate with IGA. Some of the criteria applied were
- Need for Segregation of Duties
- Need for Recertification
- Systems holding privileged or confidential information
- Systems under internal or external audit control
- Maturity of access management processes
This definition of criteria helped integrating systems understand the true value of integrating with IGA and also help the IGA team to prioritize integrations.
Recertification : Danger of becoming a rubber stamp
Recertification is the process of continually auditing users' permissions to make sure they have access only to what they need.
IGA system simplifies the design and implementation of recertifications. The side effect of the ease of use is that business process owners want to either implement recertification on every access right or too frequently.
When recertifications are designed poorly e.g implemented on every possible access right or executed too frequently, it loses is importance and just becomes a "rubber stamp" for audit purposes. Special attention needs to be paid and business process owners must be made explicitly aware of this pitfall.
We have achieved the major objectives which were set at the start of this transformation, this however is a never ending journey.
A journey which when implemented with the correct principles would not just help secure your digital environment but also bring operational efficiency.