Identity in the Public Sector: Common IdAM Mistakes

One of our Think Digital Identity for Government conference sponsors, Amido brings you a blog highlighting some of the common mistakes made in Identity and Access Management.

Posted 30 April 2018 by

Investment in IdAM solutions is on the rise with the market forecast to grow to $18.3 billion by 2019.

Given the recent Cambridge Analytica scandal, and with regulatory compliance requirements becoming increasingly complex and rigorous as the introduction of GDPR draws less than a month away, the need to demonstrate compliance is more pressing than ever before.

Since 2013 the government has been championing a new way of thinking, favouring a ‘cloud first’ policy as part of its Technology Code of Practice, providing new opportunities for public sector organisations to source IT.

Couple this with GOV.UK Verify, which helps to provide companies with a framework for identity assurance, and there is a wealth of information out there to help organisations navigate the complex task of implementing a robust identity solution.

Unfortunately for some, a commitment to IdAM doesn't always guarantee an effective implementation, with early adopters often falling foul of a handful of common mistakes.

As a Principal Consultant at Amido, and with more ID implementations under our belt than we care to remember, I have collected a few pearls of wisdom along the way.

1. Who said IdAM was just a project?

Often IdAM is treated as a project from the very beginning, and frequently a project that needs to "just work". Because the best IdAM solution is the one that no one realises is there, this creates the impression that it has an end date. That mentality can cause all sorts of problems: without the resources needed to sustain it, the solution is doomed to fail.

In terms of cyber security, it is important to see IdAM as a programme, so that existing security systems and processes are continually and regularly updated with the IdAM tools and practices that help protect the organisation. With one in four public sector organisations already ill-prepared for a cyber-attack, this is absolutely critical.

2. Everyone else wants your data

On the topic of cyber security: 2017 saw a proliferation of sophisticated cyber-attacks against identity platforms, from both independent groups and state actors. The threat of data breaches is so prevalent that the NCSC and the NCA have highlighted it as the second most serious trend in 2017/18. Amongst the targets were Equifax, Verizon and Uber. In this type of crime the real victims are the consumers whose personal data has been leaked, compounding the reputational, financial and regulatory damage to those companies.

3. Automation expectations

Too often organisations have tried to push all IT applications and platforms under IdAM at once. The solution does promise to streamline processes that involve access management, as well as to automate identity lifecycle management. However, moving everything at once can complicate the design and make programme management incredibly difficult. Chunking up the process and staggering the migration of applications to IdAM can prevent this from happening.

4. Customisation: The 80/20 rule

How can your IdAM solution be expected to run smoothly if its very foundations are flawed? Customisation is a popular way of delivering unique features; however, too much of it results in maintenance difficulties and, eventually, abandonment of the solution. Pareto's law applies here with its 80/20 divide: only 20% of the IdAM solution's functionality should be made up of customised features, and the rest should be the product's out-of-the-box, standards-based functionality. Beyond this point the infrastructure quickly becomes unsupportable, shortening the life of the solution and making it hard to keep up with the constantly changing landscape.

5. Failure to recognise the need for scalability

Overlooking the need to scale is a far too common mistake in IdAM project plans. After all, if we make the services we offer more accessible, we want them to be a runaway success. It isn't just growing IT estates or emerging tech trends that need to be accommodated. The architecture must be able to scale over time in terms of response-time performance, and so must the administrative staff required to support it. An IdAM solution is not a one-off; it is a growing and evolving entity, and this must not be overlooked in the roadmap.

Being strategic about IdAM implementation can mitigate many of these mistakes. It's all about aligning the solution with an organisation's objectives and ensuring that the plan caters for the evolution of that alignment. Identity and Access Management programmes serve as business enablers for organisations, and with 79% of IT security professionals planning to invest, or already invested, in IdAM, it is more important than ever before to make sure the implementation goes without a hitch.

Richard Slater is a Principal Consultant at Amido, an independent technical consultancy that specialises in implementing cloud-first solutions.

To hear more from Richard, you can catch his seminar at the Think Digital Identity for Government Conference: Understanding the Ethos & Ethics of Identity in Public Services on Friday 18th May.
