Simplify Identity and Access Management


Leverage risk- and role-based access control to quantify and simplify IAM.

Major Business Pain Points

  • Identity and access management (IAM) is the foundation of all usability within the environment and needs to be well defined and documented. Every organization has users, and every user needs access.
  • Organizations have watched their systems become more entangled as more processes are moved to the cloud and more security threats present themselves.
  • Auditing a long list of users is a tedious task that nobody wants to do. Unclassified data exacerbates the problem.

Recommendations

Key Points

  • Role-based access control (RBAC) doesn’t have to be hard.
    Document the information that people inherently know. Having a strong repository of permission-role and user-role assignments is key to ensuring that the RBAC process lives on and remains effective despite changes within the organization.
  • Focus on permission and role engineering.
    Managing identity and access starts with identifying and classifying what requires access, considering where it exists and identifying who needs access to it. This first process is termed permission engineering. The latter part is termed role engineering. While not covered in this research, it will be explored in future iterations.
  • The primary goal should be to minimize privilege creep.
    RBAC improves the efficiency of managing IAM by reducing the amount of privilege creep that exists among the users of the organization. When roles are designed, the principle of least privilege is employed, and therefore users are granted only the roles, and consequently permissions, required to do their job.

Approach

  • The research will lay the groundwork for establishing a centralized, effective, and efficient system for managing identity and access. We will help organizations take back control of their IAM environment by creating and implementing an RBAC model.
  • Working with the tools associated with this research will help create a repeatable, simplified auditing process and minimize the amount of entitlement sprawl.
  • This research will educate readers on selecting and implementing IAM vendors and will assist in producing vendor RFPs and shortlisting vendors. The aim is to help ensure that selected vendor solutions offer the capabilities required by the organization (e.g. multi-factor authentication), based on business goals, compliance, and other gaps, and that they offer integration functionality with the different cloud vendors (e.g. SaaS) used by the organization.

Methodology and Tools

Executive Brief

Read the concise Executive Brief to find out why you should simplify identity and access management and review the methodology.

  • Simplify Identity and Access Management – Executive Brief
  • Simplify Identity and Access Management – Phases 1-4

1. Audit and classify existing data

This phase will assist users with cleaning their current user directory and laying the foundations for implementing a more robust process for managing identities and access.

  • Simplify Identity and Access Management – Phase 1: Audit and Classify Existing Data

2. Implement a risk- and role-based access control model

This phase will guide readers through the process of creating and implementing an RBAC model. This includes the definition of metrics that can be used to refine future iterations of the RBAC model.

  • Simplify Identity and Access Management – Phase 2: Implement a Risk- and Role-Based Access Control Model
  • RBAC Implementation Workbook

3. Create an RBAC maintenance plan

This phase covers best practices regarding exception handling and maintaining the RBAC system over time.

  • Simplify Identity and Access Management – Phase 3: Create an RBAC Maintenance Plan
  • IAM Task Prioritization Tool

4. Consider an IAM vendor

This phase explores the selection and implementation of an IAM solution. Several tools are available to assist project owners with this typically challenging task.

  • Simplify Identity and Access Management – Phase 4: Consider an IAM Vendor
  • IAM Procurement Project Charter Template
  • IAM Use-Case Fit Assessment Tool
  • IAM System RFP Template
  • IAM System Evaluation and RFP Scoring Tool
  • IAM Vendor Demo Script Template
  • Vendor Response Template

All resources on this page are provided to Cyber Leadership Hub members under license from third parties including Info-Tech Research Group Inc, a global leader in providing IT research and advice.