Four identity management strategy pitfalls to avoid

An IT pro at Cloud Identity Summit shares his experience implementing identity management at the University of Oklahoma and describes what pitfalls to avoid.

CHICAGO -- When drawing up an identity management strategy, it's important to keep in mind some common mistakes.

The University of Oklahoma rolled out identity management software and multifactor authentication to protect important apps and data for 37,000 students and 12,000 employees over the last two and a half years. Along the way, the school encountered several pitfalls regarding planning, product choice and user education. Dave Shields, managing director of identity access management at the university in Norman, Okla., explained how other organizations can learn from those mistakes in a session here at the Cloud Identity Summit.

Identity management allows an organization to keep a digital profile of each of its users and set policies on what business applications and data they are allowed to access. Identity management software protects content from unauthorized access by placing authentication layers between the users and the critical apps and data.

Bad planning

It's a common mistake not to plan the rollout of new software. If it's not carefully planned, the software and initiative won't last long, Shields said. Identity management dictates how users access apps and data, which is a major part of users' day-to-day work, so it requires careful planning. IT has to plan its identity management strategy for the long term and identify the goals it wants to reach before implementing it, he said.

"Bad planning kills new ideas," he added.

The University of Oklahoma put together a roundtable of IT staff, end users and executives to talk about their identity management strategy. The discussion included how to introduce the process to users, how the authentication would work, how to decide which users would go through certain authentication layers, what content needed more protection and more. The weekly meeting was open to anyone at the school; it shouldn't just be high-up executives, because other people may have important insight, as well, Shields said.

"Sometimes, the ones who have been here the longest have tribal knowledge," he said. "[They] can tell you what happened last time you did something like this. Those people are important."

Wrong product choice

The best product for a given organization may not be the most popular choice. Don't pick a tool just because it's a leader in the Gartner Magic Quadrant, because that doesn't necessarily mean it will fit the company's specific needs, Shields said.

"You will be living with that product for the rest of your professional career or your time with that organization," he said. "Make sure you know what you're getting this for."

A good way to avoid choosing a product that doesn't fit the organization's needs is to create a list of at least five business requirements you need the product to meet, and then see which vendors can meet them. Examples include whether it is a cloud-based or on-premises product, whether it offers auditing, whether the software supports biometrics or other emerging technologies, and more.

"Hold the product vendors accountable," Shields said.

Creating these requirements builds support and buy-in across the organization, he said.

No dedicated IT staff

Many organizations don't take identity management seriously enough from an IT resources standpoint, resulting in too few staff members with too many responsibilities.

"Identity management is a platform," Shields said. "Too many organizations treat it as a side project."

Identity management requires IT to oversee auditing of user activity. It also needs IT to manage what applications and data need multifactor authentication for which users. Additionally, IT needs to integrate new and current software, such as business applications, into the platform. And lastly, administrators have to spend time addressing users' needs and concerns regarding the authentication process.

For those reasons, Shields suggested dedicating at least one full-time IT professional to identity management. Even better is an identity management team consisting of one leader and one or two other staff members. This way, the project doesn't stagnate from overworked staff, and IT can ensure it continues to be funded properly.

Lack of engagement

If IT isn't transparent with users, they may rebel against what IT is trying to do. An identity management strategy needs to be transparent to end users. Users don't like having to go through extra steps to reach their business content, so it's important that IT educates them on why authentication is required.

IT should communicate with employees about what they're doing and encourage them to share their concerns or needs regarding what they would like to see going forward, as well as what's working for them now. For instance, users may ask whether certain apps require less authentication, and the administrators can work with them.

"By keeping communication open, it gives more people a voice," Shields said. "If one person has a concern ... they aren't the only one."

If users understand it, they'll be more open to the identity management strategy, he said.
