Identity and Access Management (IAM) is typically thought of as an operational function encompassing the granting, removal, transfer and certification of logical access to technology resources. While that is not untrue, it is certainly not all-encompassing of what IAM is evolving into in the ever-changing business landscape. One example is the migration to an Agile model. The challenge this brings is creating an IAM program flexible enough to keep up with Agile organizations.
At its core, IAM is a control function grounded in adherence to user access policies, the principle of least privilege, and segregation of duties matrices. In days past, the IAM department would onboard a new employee with the same access that everyone else in the new employee’s department or job function had. The employee would keep that access until changing jobs or leaving the organization, necessitating a transfer or termination of access, respectively. The IAM department, in this case, is analogous to a help desk that takes inbound tickets, works them (with proper approvals), documents the work and closes the tickets in an operational fashion. On a periodic basis, IAM would certify that the access granted is still in alignment with the employee’s job duties. Voilà! A control function which manages what employees get access to and makes sure they need to keep it.
So the remaining question is how we alter that methodology and our processes to meet the organizational shift to Agile. I think the answer is that we have to become more agile along with the organization. To establish an agile IAM program, we need to begin by establishing agile roles within the organization. Those roles need to be high level enough to be flexible: developer, tester, PM, etc. Once you have an agreed-upon set of agile roles for all projects, you can begin to integrate your IAM program into the project pipeline. Each project should have dependencies assigned to the IAM department for assigning the specific project roles to the specific resources needed for that project. Aligning with the project roadmap and associating resources with each project helps to assign each role only for the time the project is active. Diligence in removing project-associated roles is critical to maintaining the principle of least privilege within the organization. Adhering to project timelines is paramount for the IAM team, because assigning and terminating roles on schedule is critical both to the success of each project and to managing the organization's threat landscape.
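The time-boxed assignment described above can be checked mechanically. The following sketch is an added example, not part of the original article: it compares a project roadmap against the grants currently held and reports what to provision and what to revoke. The data model, the `reconcile` function, and all names and dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

AGILE_ROLES = {"developer", "tester", "pm"}  # the high-level roles the article names

@dataclass(frozen=True)
class Assignment:  # hypothetical roadmap entry: one user, one role, one project window
    user: str
    project: str
    role: str
    start: date
    end: date  # last day the project is active (inclusive)

def reconcile(roadmap, grants, today):
    """Compare roadmap entitlements with held grants (user, project, role) as of `today`."""
    windows = {}
    for a in roadmap:
        if a.role not in AGILE_ROLES:
            raise ValueError(f"role {a.role!r} is not an agreed agile role")
        if a.end < a.start:
            raise ValueError(f"window ends before it starts: {a}")
        windows.setdefault((a.user, a.project, a.role), []).append((a.start, a.end))
    # A grant is justified only while at least one of its project windows is open.
    entitled = {k for k, w in windows.items() if any(s <= today <= e for s, e in w)}
    revoke = []
    for g in sorted(grants - entitled):
        if g not in windows:
            reason = "no roadmap entry"
        elif all(e < today for _, e in windows[g]):
            reason = "project window closed"
        else:
            reason = "outside active window"
        revoke.append((g, reason))
    return {"provision": sorted(entitled - grants), "revoke": revoke}

# Constructed sample data (not from the article).
ROADMAP = [
    Assignment("alice", "payments-api", "developer", date(2024, 1, 8), date(2024, 3, 29)),
    Assignment("bob", "payments-api", "tester", date(2024, 2, 5), date(2024, 3, 29)),
    Assignment("alice", "mobile-app", "developer", date(2024, 4, 1), date(2024, 6, 28)),
    Assignment("carol", "mobile-app", "pm", date(2024, 4, 1), date(2024, 6, 28)),
]
GRANTS = {("alice", "payments-api", "developer"), ("bob", "payments-api", "tester"),
          ("carol", "mobile-app", "pm"), ("dave", "mobile-app", "developer")}

if __name__ == "__main__":
    for action, items in reconcile(ROADMAP, GRANTS, date(2024, 4, 15)).items():
        print(action, items)
```

Run on a schedule, the `revoke` list is the removal work the IAM team owes to closed projects, and grants with no roadmap entry are candidates for the next certification review.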
The tricky part comes with performing access certifications, which will also need an overhaul with a shift to Agile. Essentially, the Sr. Management team will need to be dedicated to establishing and maintaining roles for all Agile projects. Once the roles are agreed upon, Sr. Management will need to periodically (read: frequently) certify the roles and the users in each role. Add a privileged access management tool to the efficient management of roles and your organization is ready for an agile transition.