Access management projects rarely achieve objectives, say analysts

Experts explain why identity and access management projects are failing

Most identity and access management (IAM) projects struggle to achieve their objectives, according to analyst firm Gartner.

Gartner argues that companies should stop building their IAM projects around technologies and applications and instead make them part of an overall business strategy.

"Between half and two-thirds of organisations attempting to establish a truly effective IAM programme approach it in the wrong way," said Earl Perkins, research vice president at Gartner.

Identity and access management specialist Courion explained that problems often stem from a disconnect between IT and the business.

"Traditionally an IT department will store its IAM data in an incredibly complex IT language that is incomprehensible to anyone else," said Kurt Johnson, vice president strategy at Courion.

"The business people are just as bad, it's all tribal knowledge carried around in their heads. They might think, 'I know Martin, he's been working for me for years, I know what he has access to'."

He added that this knowledge is often never documented, and that the first step towards a successful IAM implementation is to formally capture this information.

"You need to map the business speak with the IT entitlements to help people define policies and roles. In its simplest form, what should people have access to?"

Johnson stated that it is also important to understand where the strictest controls need to be.

"Then you need to assess the risk, where do the strongest access controls need to be in place? What are the highest risk applications? We don't care about the SharePoint site tracking your favourite football club, but do about the ones handling trade secrets and financial data."

A project built on these fundamentals will have a far better chance of success, according to Courion.