How To Mature and Create an Effective IAM Framework

Most IAM frameworks are designed to distribute responsibility for authorising user access across the organisation, which in principle gives an efficient and robust process. In practice, however, the periodic re-authorisation these frameworks call for becomes a low-priority task for managers, approvals are waved through in bulk, and the outcome is indistinguishable from automatically re-authorising every user's existing access.

In this common scenario risk management is not getting the attention it requires, and the level of security across the organisation suffers. A compliance check into user access then often produces no evidence beyond a description of the IAM framework itself, and fails to show who has access to what and, more importantly, why they have it.

What Should IAM Answer


A successful IAM framework should allow an organisation to answer two questions:

  • What do users have access to?
  • What does that access allow them to do?

With these two questions in mind, an IAM framework can be built around processes that actually result in user access being managed correctly.

Problems Answering These Questions


Many organisations believe they can already answer 'What do users have access to?' because a centralised entitlement system holds that information, but an inventory alone is not enough. Understanding what users have access to must be anchored in why they have it, and establishing that comes before reviewing the current state of access.

Answering 'What does that access allow them to do?' is harder, and usually means a long, repetitive project to build and maintain an asset catalogue for the entire organisation. A common approach is system-first: identify the key systems, then create an individual catalogue for each. Although this eventually produces the desired outcome, deciding which systems count as key is itself a judgement call, and getting it wrong sends the project in the wrong direction or leaves gaps.

How We Help


We can help run a programme which quickly answers the first question, helping you understand why people have access to what they do, and which provides tools and techniques for answering the second.

Creating A Top-Down Model Of Your Entitlement Landscape


We start from the assumption that the current IAM framework is already managed, if only tacitly, with the two questions in mind. A user's job requirements usually impose some structure on what they have access to, and the distributed knowledge that system owners hold imposes some order on what different users can do within those systems.

Under these assumptions we can model the business risk associated with every entitlement across your organisation by looking at how it is distributed across users.

We can then assign a risk score to every user, which highlights areas of the business that might require more urgent attention.

We do this by:

  • Assigning each asset a relative risk score based on how it is distributed across users
  • Deriving an individual risk score for each user from the set of asset scores for the entitlements they hold
    - Users are first benchmarked on the average asset risk score of their entitlements
    - That score is then weighted by how closely their risk profile matches that of other users with similar job functions
    - This weighting gives each user a local standard deviation that adjusts their global average

This results in two sets of data points:

  1. User risk scores, which identify the users and business areas whose entitlement landscape is least standardised and help answer 'What do users have access to?'
  2. Asset risk scores, which rank-order every entitlement and can be used to prioritise tranches of discovery work towards 'What does that access allow them to do?'

Constructing Bottom-Up Templates Of Users


In addition to finding anomalies and outliers across your organisation, we can start the process of defining user birthrights: the baseline set of entitlements a user in a given role should receive.

We do this by identifying statistically significant entitlement patterns within and between user groups and turning them into user templates. These templates are a starting point for a repeatable and robust IAM process that keeps track of both what users have access to and why they have it.
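The following is an added, runnable illustration of both the top-down scoring described under 'Creating A Top-Down Model Of Your Entitlement Landscape' and the bottom-up templates described in this section. It is example code written for this page, not The Impact Team's tooling: the rarity-based asset scoring rule, the use of per-job-function rarity as the peer weighting, the 75% template threshold and the sample entitlement export are all assumptions chosen to show the shape of the approach.

```python
"""Entitlement risk scoring and birthright-template mining (added example)."""
from collections import defaultdict
from statistics import mean

# Constructed sample entitlement export: user -> (job function, entitlements).
# Three deliberate anomalies: carol (finance) and grace (engineering) hold
# prod_db_admin, and frank (engineering) holds the finance-only erp_post_journal.
ENTITLEMENTS = {
    "alice": ("finance", {"erp_read", "erp_post_journal", "vpn"}),
    "bob":   ("finance", {"erp_read", "erp_post_journal", "vpn"}),
    "carol": ("finance", {"erp_read", "vpn", "prod_db_admin"}),
    "dave":  ("engineering", {"git", "ci_deploy", "vpn"}),
    "erin":  ("engineering", {"git", "ci_deploy", "vpn"}),
    "frank": ("engineering", {"git", "vpn", "erp_post_journal"}),
    "grace": ("engineering", {"git", "ci_deploy", "vpn", "prod_db_admin"}),
}


def holder_share(entitlements):
    """Fraction of the given users holding each entitlement."""
    counts = defaultdict(int)
    for _job, assets in entitlements.values():
        for asset in assets:
            counts[asset] += 1
    return {asset: n / len(entitlements) for asset, n in counts.items()}


def asset_risk_scores(entitlements):
    """Relative risk per entitlement from its assignment distribution.

    Assumption: the smaller the share of users holding an entitlement, the
    less standardised it is, so risk = 1 - share. Something everyone holds
    (VPN) scores 0; something held by two of seven users scores 5/7.
    """
    return {a: 1 - share for a, share in holder_share(entitlements).items()}


def by_job_function(entitlements):
    """Split the export into one sub-export per job function."""
    groups = defaultdict(dict)
    for user, (job, assets) in entitlements.items():
        groups[job][user] = (job, assets)
    return groups


def user_risk_scores(entitlements):
    """Score each user as the average of a global and a local view.

    global: mean risk of the user's entitlements measured across everyone.
    local:  the same measure using only users with the same job function
            (assumption: peer rarity stands in for the page's peer weighting).
    A globally rare entitlement that is normal for the role scores low
    locally; one that is foreign to the role scores high locally.
    """
    global_risk = asset_risk_scores(entitlements)
    scores = {}
    for members in by_job_function(entitlements).values():
        local_risk = asset_risk_scores(members)
        for user, (_job, assets) in members.items():
            global_mean = mean(global_risk[a] for a in assets)
            local_mean = mean(local_risk[a] for a in assets)
            scores[user] = (global_mean + local_mean) / 2
    return scores


def birthright_templates(entitlements, threshold=0.75):
    """Entitlements held by at least `threshold` of a job function's users."""
    return {job: {a for a, s in holder_share(members).items() if s >= threshold}
            for job, members in by_job_function(entitlements).items()}


def template_exceptions(entitlements, templates):
    """Per user: (entitlements outside their template, template entitlements
    they lack). Every 'outside' grant is one that needs an explicit 'why'."""
    return {user: (assets - templates[job], templates[job] - assets)
            for user, (job, assets) in entitlements.items()}


def ranked(scores):
    """Highest score first; ties broken by name for stable output."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("Entitlements by risk (prioritise discovery top-down):")
    for asset, score in ranked(asset_risk_scores(ENTITLEMENTS)):
        print(f"  {asset:<18} {score:.3f}")
    print("Users by risk (least standardised first):")
    for user, score in ranked(user_risk_scores(ENTITLEMENTS)):
        print(f"  {user:<8} {score:.3f}")
    templates = birthright_templates(ENTITLEMENTS)
    print("Template exceptions needing a documented reason:")
    for user, (extra, missing) in template_exceptions(ENTITLEMENTS, templates).items():
        if extra or missing:
            print(f"  {user}: outside template {sorted(extra)}, missing {sorted(missing)}")
```

On the sample data the three anomalous users (grace, carol, frank) land at the top of the user ranking, prod_db_admin tops the asset ranking, and frank's erp_post_journal shows up as an exception against the engineering template while being perfectly normal for finance, which is the effect the peer weighting is meant to produce.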

Want to know more?

You can find out more about how we help with your IAM framework on our 'Entitlement Discovery' service page.
