Recipe for failure: Six habits to ruin Identity and Access Management
Mike Chung, KPMG (Internet Protection Services)

Transcript

Recipe for failure: Six habits to ruin Identity and Access Management
March 2013, KPMG in the Netherlands, drs. Mike Chung RE
Facts and figures
• Most large IT projects have significant cost overruns, deliver far less than anticipated, and one in six projects is a ‘black swan’ (Oxford Business School 2011)
• Over 75% of IAM projects deliver less than expected (KPMG 2009)
• Almost 50% of IAM projects fail outright (KPMG 2009)
From mess to menace: your route to chaos
Automation of access
Proliferation of accounts
Rise of IAM
Push for compliance
Age of numbness
Lost to the cloud

Chaos
• Myriad of access permissions
• Password madness
• Maze of interfaces
• Security leaks
• Non-compliance
• Higher costs
Habit I: Assign to the wrong department
• Burden IT with business responsibilities
• Expect IT to have full understanding of business processes, compliance and the value of data
• Do as you please

Why do we do that?
• IAM is perceived as an IT issue
• IAM technology vendors talk to IT managers
• Deployment of directories and user repositories is initiated by IT departments
Habit II: Never stop expanding
• Increase the number of accounts blindly
• Create GPOs, groups, nested groups and more groups
• ... and shares and SharePoint sites

Why do we do that?
• We (people) are driven by providing instant solutions without considering the consequences
• Integrating IAM landscapes after mergers and acquisitions is often complex and labour-intensive
• Applications often offer functionality that is easy to use but difficult to govern
Habit III: Work towards complexity
• Deploy multiple directories, virtual directories and repositories
• Implement that fancy IAM system, password wallets, PAM, SIEM, access governance application, data governance tool
• Treat your organisation to enterprise RBAC, policy-based access, context-based IAM and whatever sounds vaguely credible

Why do we do that?
• The IAM industry is a fast-moving industry with many new technologies and products
• Issues from one application are patched by another application with issues, which are patched by...
• In theory, theory and practice are the same – in practice, they are not (Albert Einstein)
Habit IV: Trivialize the importance
• Remember: excessive access is far better than no access
• Ignore security leaks, or better: convince yourself that IAM has nothing to do with security
• Pass audit findings to someone else – what about the IT department?

Why do we do that?
• Business users perceive access as a (human) right, and excessive access as a secondary consideration
• Security awareness is often low
• Data security is seen as solely an IT issue – and the IT department sees it that way too
Habit V: Hear no evil, see no evil
• Keep the end-state of IAM obscure
• Keep the current state of IAM unknown to everybody else, and to yourself
• Then ask yourself: how am I supposed to know the delta?

Why do we do that?
• We have no protocol of behaviour for things we don’t see (Nicholas Taleb)
• We take a lot of risks because we are comfortable when we don’t see them
• We are notoriously bad at estimating the magnitude of complex, abstract issues
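An added example, not part of the deck, tying Habit II to Habit V: nested groups (including a nesting loop of the "more groups" kind) quietly widen effective share access, and the only way to know the delta is to resolve membership end to end and compare it with a documented end-state. All user, group and share names here are constructed.

```python
from collections import deque

# Constructed sample data (not from the deck): each user's direct groups, group
# nesting (child group -> parent groups it is a member of) and per-share grants.
USERS = {"alice": {"Finance"}, "bob": {"Helpdesk"}, "carol": {"Finance", "Helpdesk"}}
NESTED = {
    "Finance": {"AllStaff", "FinanceReporting"},
    "FinanceReporting": {"ReportViewers"},
    "Helpdesk": {"AllStaff", "ServerOps"},
    "ServerOps": {"Helpdesk"},  # nesting loop that grew out of 'more groups'
    "AllStaff": set(),
    "ReportViewers": set(),
}
SHARE_ACL = {
    r"\\fs01\public": {"AllStaff"},
    r"\\fs01\ledger": {"FinanceReporting"},
    r"\\fs01\admin": {"ServerOps"},
}

def expand_groups(direct_groups):
    """All groups a principal is effectively in, following nesting
    breadth-first. The 'seen' set stops a nesting loop from running forever."""
    seen, queue = set(), deque(direct_groups)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(NESTED.get(group, ()))
    return seen

def effective_shares(user):
    """Shares the user can reach through any effective group."""
    groups = expand_groups(USERS[user])
    return {share for share, grantees in SHARE_ACL.items() if grantees & groups}

def access_delta(expected):
    """Return {user: (unexpected_shares, missing_shares)} where actual != end-state."""
    delta = {}
    for user in USERS:
        actual, wanted = effective_shares(user), expected.get(user, set())
        if actual != wanted:
            delta[user] = (actual - wanted, wanted - actual)
    return delta

if __name__ == "__main__":
    baseline = {"alice": {r"\\fs01\public", r"\\fs01\ledger"}, "bob": {r"\\fs01\public"},
                "carol": {r"\\fs01\public", r"\\fs01\ledger"}}
    for user, (extra, missing) in sorted(access_delta(baseline).items()):
        print(f"{user}: unexpected={sorted(extra)} missing={sorted(missing)}")
```

With the constructed data, the Helpdesk/ServerOps loop gives bob and carol admin-share access that the documented end-state never granted.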
Habit VI: Rush to the cloud
• Bypass IT on your way to SaaS
• Believe in the next big thing
• Quit asking questions and stop thinking

Why do we do that?
• Organisations are usually driven by costs, seldom by rational insights
• Our mind is made for fitness, not for truth (Steven Pinker)
• Many of us are not rational enough to be exposed to hype

Now act accordingly