Identity & Access Management is Risky Business at Gartner’s Security & Risk Summit

Today I had the pleasure of moderating a panel at Gartner’s Security & Risk Summit in National Harbor, just outside of Washington, D.C. The topic was the risks inherent in an Identity & Access Management (IAM) project. We focused not on the risks you’re trying to mitigate with the IAM results, but on the risks in choosing to embark on an IAM project in the first place. That may sound like a strange thing for a company trying to sell solutions to bring up. However, we find that making sure our customers are ready to face the realities of doing IAM right is better for us and them. Having the right kind of technology powering the project doesn’t hurt, either. By the end, it seemed like the audience understood that, too, based on the questions they asked.

Joining me on stage were folks from three organizations using Dell’s solutions: Walt Disney Company, Williams Energy, and Dell IT. Yes, we put the chief identity management architect from Dell IT on the panel. Why? Because they have a long, complex identity management story that seemed like the kind of thing others could learn from. Each of these organizations had their own risk factors they had to overcome. Both Williams Energy and Dell IT had similar situations, where they were replacing aging IAM platforms with Dell’s next generation solution – Dell One Identity Manager. Williams was facing risks to their operations. Their homegrown system was not sustainable, and their attempt to replace that with another vendor’s product did not yield the results they needed. After 3 years of work, Williams was faced with starting over. But after they found Identity Manager, they were able to get to feature parity with the replacement system in a scant 3 months. Now they are a little over a year into it and have feature parity with their original homegrown system and are pushing on to build new solutions the business is demanding. That takes them completely out of the red zone from an operational risk standpoint.

Dell IT also had an aging platform built from many instances of similar technology. They brought in another technology to attempt a replacement, but after more than 18 months of working and going back to the well for round after round of extending the project, they were nowhere near ready to go live. On stage, Dell IT explained how they would run test transactions through the system 100 times and get 70 different types of results even though it was the same transaction every time. Their chief risk was financial. If they didn’t get the replacement system done in time, they were facing a payment to the vendor of the system they were trying to replace on top of the investment they had made in the replacement project. Even though the clock was ticking and they were far into the project, after seeing the power of Dell One Identity Manager they decided to switch gears and make that the new replacement. Now they are a few months in and already hitting milestones they never reached with the first replacement project.

Disney’s situation is quite different. They have been using Dell’s access governance technology for years. It is core to how the application security works in the massive engines that run one of the world’s largest and most complicated businesses. Their chief risk is about staying in compliance with all the regulatory burdens they have globally, while also satisfying the needs of a changing set of business demands. In other words, Disney needs to be able to change the tires on their security racecar without slowing down the race. Dell gives them the power to do that.

One common thread for Williams, Dell IT, and Disney was the personal risks that are also involved. When you charge up the IAM hill, you’re going to need to take a lot of folks with you. You need HR, procurement, corporate governance, and many other business functions flanking you to be successful. And if you fall on that charge, it’s going to be seen by all. It seemed appropriate that the session just before our panel was Keith Ferrazzi, author of Who’s Got Your Back and Never Eat Alone, presenting a session called "Who's Got Your Back – Creating & Developing Great Relationships". When the team at Williams had to embark on their third try at making IAM a success, they knew it had to work. They don’t want to be the team who gets that third strike. When the Dell IT team needed to ask to scrap a large investment to take a chance on something they believed would save in the long run and achieve the right results, they were putting their reputation on the line. Every day the Disney team needs to tell the business when they color outside the lines from a policy and compliance standpoint. The only way you can take the personal risk out of demanding the business changes, or telling the business to bet on your vision, or asking the business for one more chance to get it right is to make sure you develop the right relationships. To do that, you need confidence. You get confidence by being sure you’ve brought all the right ideas and tools to solve a problem.

When we shifted from our panel discussion to the audience Q&A, the very first question asked was how a different product could make them so sure they would not fail again. Williams and Dell IT agreed that it’s not *all* about a product. A lot of the success comes from learning from the past. But the product was what made taking those lessons and turning them into results possible. And their confidence flowed from seeing how easily they could take ideas from the whiteboard to the workflow using the power of Dell’s solutions. It was clear from that first question and those that followed that many in the audience were surprised by the discussion. Anyone who has come to Gartner’s conferences and heard them talk about the history of failed and incomplete projects in IAM has a good understanding of how risky these projects seem to be. Having three organizations stand up and say that they had found a way to get IAM success got them all thinking, for sure. Of course, no technology is a wand – not even at Disney. But the confidence portrayed by the panel and the possibilities opened up by next generation platforms from Dell may have made that room feel like they could take a run at IAM again with a little less risk.

Watch this video to learn more about Walt Disney’s IAM initiative. 

About the Author: Jonathan Sander