When is an IAM needs analysis appropriate?
There are a number of factors to consider when acquiring an IAM solution, and situations that make it appropriate for a company to conduct a needs analysis.
For instance, the company may need help preparing an IAM requirements specification or choosing a suitable solution, or it may need to modernize an existing IAM solution. Many companies are also in a transition phase from an on-prem IT architecture to cloud solutions, which can also trigger the need for an extensive analysis.
A needs analysis can also be useful for companies that experience challenges with identity management - such as a lot of manual work, poor control or former employees who still have access. The same applies to companies that need to comply with regulatory requirements such as GDPR or ISO 27.00x, and to document change and audit processes in connection with access management.
A desire to implement a Zero Trust security architecture, or the need for a more secure and user-friendly login solution, can also be great reasons for conducting a needs analysis.
What is a needs analysis?
The needs analysis is a mapping and advisory service, and the main part of the mapping is carried out in the form of interviews and workshops.
In this process, the company should dedicate at least one professional manager who has insight into the system portfolio, knowledge of the security work in the company, and a good understanding of the business’ needs. In addition, it will strengthen the process if additional resources such as the security manager, the HR manager and the application owners, also participate when needed.
The service will be adapted to the customer's situation and needs, and will include:
- Structure and roles: What is the business structure, which user categories should the solution include, and who authorizes the accesses?
- On- and offboarding: How are existing routines for starting and closing users and managing accesses?
- Self-service and automation: What processes can be automated, what can be solved by self-service, and which systems and applications can be integrated?
- Risk and vulnerability: Which systems are business critical or contain classified information, and what are the risks of unwanted access?
- Governance and compliance: What requirements does the company have for security and compliance, and which processes can or should be improved?
What is the result of the analysis?
The needs analysis results in a comprehensive report that is handed over and reviewed with the company.
The report provides an overview of the company's current situation and objectives, and presents a thorough and comprehensive concept proposal with recommendations for how the needs and objectives should be addressed.
The concept proposal typically includes:
- Draft of the role model adjusted to the company's organization
- Basis for a long-term IAM strategy with grouping and prioritization of measures
- Overview of integration technology for priority applications
- Overview of sources of identity information and any other business information
- Overview of automation plan and recommended self-service functions
- Recommended design of processes in connection with on- and offboarding of users
The concept proposal will also be useful as a requirements specification in the event of a subsequent procurement process. In addition, the company's understanding of the subject area will increase - which both improves the competence in regard to future procurements and contributes to raising awareness for the organization as a whole.
