When hunting for a new IT solution, understand the problem first

Ian Hill of BAM Group warns against being distracted by bells and whistles

How do you decide on a new security solution for your company, when your IT is spread across more than 10 major businesses and 40 countries? When any product you adopt will have to account for hundreds of independent projects, thousands of pieces of equipment and huge numbers of temporary staff?

The first step - or at least the one Royal BAM Group is pursuing with its One BAM initiative - is consolidation, but that's easier said than done. Ian Hill, BAM's Global Director of Cyber Security, is one year into choosing a new global identity and access management (IAM) solution; he stresses the importance of understanding the environment before launching any sort of transformation.


"What we're doing, primarily, is firstly analysing and assessing the problem at a Group level. As we digitally transform the company from a series of individual autonomous IT functions into one global corporate IT function, we need to assess and understand what the actual problem is before we go anywhere near solutions.

"That's a challenge in itself, because where you have got all these different autonomous functions, all doing their own thing, and doing it quite well - how you pull it all apart and look at it from a global perspective is the challenge."

These different IT functions - silos by any other name - could be different departments or whole operating companies under the BAM umbrella, each with its own approach to cybersecurity. Hill says that the first decision he had to make when evaluating BAM's IAM was whether to pursue the traditional role-based access control (RBAC) or attribute-based access control (ABAC).

"In a traditional corporate environment, where you've maybe not got a particularly mobile workforce, working out of offices, you can get away with RBAC. We're an international company with people moving all over the world, logging into different construction sites and using different diverse technologies. A hybrid RBAC/ABAC capability suits our digital landscape."

Adopting a hybrid of RBAC/ABAC adds complexity, but also enables new uses for IAM that are unique to BAM's sector. For example, combining the two systems with biometrics means that contractors can more easily operate machinery.

"The technology has moved on so that now you can use a thumbprint to start an excavator. Now the excavator knows who you are, that you are licensed to operate that particular vehicle and use it on that site at that time, and [can] track how long you've been using it for health and safety reasons. This sort of technology exists in the construction world. Again, identity is key, the excavator needs to know about the identity of who's about to operate it."
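An added illustration (not BAM's implementation and not code from the interview) of the hybrid check described above: the role decides whether someone may start plant at all, and attributes decide whether this vehicle, on this site, at this time. The role names, attribute names, shift window and daily usage cap are assumptions, and identity is taken as already verified by the biometric step.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy data: role names, limits and attributes are assumptions.
ROLE_PERMISSIONS = {"plant_operator": {"start_vehicle"}, "site_visitor": set()}
SHIFT_START, SHIFT_END = time(6, 0), time(18, 0)   # permitted operating window
MAX_MINUTES_PER_DAY = 480                          # health-and-safety usage cap

@dataclass(frozen=True)
class Operator:
    name: str
    roles: frozenset
    licences: frozenset       # vehicle classes this person is licensed for
    sites: frozenset          # sites this person is currently assigned to
    minutes_today: int = 0    # operating time already tracked today

@dataclass(frozen=True)
class Vehicle:
    vehicle_class: str
    site: str

def authorize_start(op: Operator, vehicle: Vehicle, now: datetime):
    """Return (allowed, reason); identity is assumed already verified (e.g. thumbprint)."""
    # RBAC layer: does any of the operator's roles carry the permission at all?
    if not any("start_vehicle" in ROLE_PERMISSIONS.get(r, set()) for r in op.roles):
        return False, "role"
    # ABAC layer: attributes of the person, the vehicle and the moment of the request.
    if vehicle.vehicle_class not in op.licences:
        return False, "licence"
    if vehicle.site not in op.sites:
        return False, "site"
    if not (SHIFT_START <= now.time() < SHIFT_END):
        return False, "time"
    if op.minutes_today >= MAX_MINUTES_PER_DAY:
        return False, "usage_limit"
    return True, "ok"

if __name__ == "__main__":
    op = Operator("constructed-user", frozenset({"plant_operator"}),
                  frozenset({"excavator"}), frozenset({"site-a"}))
    digger = Vehicle("excavator", "site-a")
    print(authorize_start(op, digger, datetime(2020, 3, 2, 10, 0)))
    print(authorize_start(op, digger, datetime(2020, 3, 2, 22, 0)))
```

Returning the reason alongside the decision gives the audit trail a specific cause for each denial, which is what separates a missing role from an expired site assignment during review.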

Progress and pitfalls

Hill is in what he calls the "discovery and analytics" phase, trying to assess the different challenges his team might face. For example, BAM is a Netherlands-based company and many Dutch employees have a ‘tussenvoegsel’ (like ‘van’ or ‘van der’) between their fore- and surnames, which doesn't fit neatly into the text fields in most solutions - like Active Directory's UPNs.

"It might seem quite trivial, but actually it's a big issue from a cultural perspective, and can be difficult to accommodate properly when implementing an IAM system."

The tussenvoegsel is just one potential sticking point that BAM's future IAM solution will need to be able to handle. By identifying it - and other bottlenecks - now, rather than adopting a solution and trusting that it will fit the company's operations, Hill believes BAM will save money in the long run.

"I'd rather get it right and be able to save the company money getting it right, than trying to solutionise, spending a lot of money and still not being quite right…

"From a security perspective my biggest risk is ‘We don't know what we don't know’. We now know, a year or so on from the start of this journey, a lot more; and in essence, some of what we found might not be ideal, but it's better to know about it so you can make informed decisions, rather than not know about it, because that's where your real risk lies. And as we get better at moving forward down the One BAM route, the communication and sharing is actually bearing fruit. We're finding a lot more of what we didn't know and we're able to make objective and important decisions about what to do about it."

Sharing the load

As part of the discovery journey, Hill's team is working with different stakeholders in the business, and the business itself, to understand the nature of what they do and their requirements from an IT perspective. He stresses, though, that he is not there to make decisions about these requirements:

"BAM's IT department is a support function to the business. A lot of what we do, as far as managing the IT systems, is on behalf of the business - it's not our role to make decisions. It's not our role to decide which particular identity needs access to a certain asset: that's a business decision. We can facilitate on the technical or the functionality part of it, but someone needs to tell us who's allowed access to what. It's not our decision, and that can be really challenging…

"Sometimes you can have the problem that you become disconnected from what you do as a business. When you work in an IT function, you're so focused on the IT, the data, the systems and all that, you lose track of what we do as a business. So I've actually been out to some of our construction sites, I've done visits, and you realise, ‘This is what we do’. Remember that IT is a support function for the construction business."


One of IT's essential partners in this work has been the HR department. Hill's team is working with their HR colleagues to gain a clearer understanding of the roles present within BAM, which is critical when defining RBAC.

"What HR are doing is helping by reducing the number of descriptions of roles and titles and things so we can clearly identify commonality between roles, because that will help us as we go down the journey from the process and technology perspective."

Thanks to the work between HR and IT, BAM has been able to consolidate from local implementations of Microsoft Active Directory to a single global implementation, using Microsoft Azure. That, in turn, is speeding the collaboration up still further.

The current round of discovery and analysis will occupy a large part of 2020, but Hill expects to start contacting vendors later this year - once he and his team have identified the pitfalls to avoid. He is keen to stress that while the One BAM transformation extends beyond just cybersecurity, IT is at its heart:

"IAM is just one of a whole number of things that we're involved in at the moment - but they're all interlinked, they're all interdependent, and one of the biggest challenges for us is it's part of a global transformation.

"There's lots of demand for the resources, so we're really aggressively pushing forward with our transformation programme. Some would say we're pushing too hard. BAM is on a journey and pushing hard to transform and become a world leader in digital construction, and we need a good, robust IT capability to do that."
