Date: 02 June 2022
The most important and sometimes overlooked part of a successful Identity and Access Management Solution (IAMS) implementation is…people.
While many companies approach IAMS implementation from a technology perspective, it is far more than that. Typically, an IAMS solution is implemented to help people safely and securely access the applications and services necessary for productivity, so it makes sense to put them at the very centre of IAMS projects. This is complemented by a process that determines how users experience access via the IAMS product.
That’s why Assurity Consulting would recommend using a human-centred testing approach, which is all about understanding what is important to the people using the solution and then testing what really matters to them.
Background
An IAM framework is a set of policies and technologies that allow user access to technology resources, ensuring everyone only has access to those applications and services necessary for his or her work. IAMS implementations shouldn’t be undertaken lightly as they can be highly complex to implement. Often spanning several months or more, introducing an IAMS solution may impact internal users, applications, processes and potentially your extended value chain. That may include your customers and suppliers integrating with your applications and services. In other words, much rests on getting it right. And getting it wrong can have serious consequences, including anything from frustrated or annoyed employees (impacting productivity) to the well-documented risks of poor security controls.
The fundamental challenge
While IAMS is 100% necessary for the protection of company technology assets (especially as we are more distributed than ever before), it is at its core an impediment to your people. Though there are great tools out there making use of things like biometrics (face and fingerprint recognition), single sign-on and two-factor authentication, the reality is IAMS is something of a tradeoff. Even the best solutions can hamper usability. For example, suppose one of your employees wants access to a server to do daily maintenance tasks. With the implementation of IAMS, he or she will now have to complete multi-factor authentication (MFA), receive permissions and appropriate approvals, and so on, depending on the complexity of the design. If these steps are cut down, you lose the value of the IAMS implementation; if you do it right, it means additional steps for your employee to do a simple task. If usability considerations are not put in place, this may cause frustration for employees and impact their job satisfaction.
The problem with most IAMS project implementations (and testing)
Generally, IAMS projects are approached by the IT department as a purely technical exercise. On the face of it, this makes sense because from a technology perspective IAMS implementation is facilitated through Application Programming Interfaces (APIs) for systems integration and is purely a software implementation exercise. Today’s cutting-edge IAMS solutions have all the required connectors, ready to integrate with any product available in the market. This means very little input is required from your organisation. As a result, testing tends to follow the ‘traditional’ technology-specific approach, which is inadequate. As you can imagine, the focus falls on the technology things – API testing from a systems integration perspective, with perhaps some (but not enough) coverage of the process. And all too often, no acknowledgement of that most crucial P, people.
This is where the tech focus fails, because while IAMS is enabled by technology, which is an important aspect to get right, it is about people and their access to the things required to do their jobs. That access might be enabled by technology, but it is also facilitated by process – and so, the focus must fall on the (well recognised) two Ps and a T. People, process, and technology. And it is no accident that ‘people’ come first.
The Assurity difference
Every IAMS implementation project we take on starts with the ‘Assurity Way’, where we engage various business teams, design a human-centric test approach and then deliver the agreed test outcomes. This puts everyone on the same page, accurately articulating value and the path necessary to make testing successful for all involved.
Our Human Centric Test approach includes the human perspective in all steps of the problem-solving and quality management process. By asking ‘who uses IAM’ we combine the technology and API integration aspects of the testing with the people who will be using it. We understand their experiences, challenges, likes and dislikes about using the IAMS to form an understanding of what’s important from the user’s perspective to test. This approach places the people at the heart of testing, making sure that success is defined by your people.
For the technology integration aspects, we use DevOps and the ‘shift left’ mindset. This allows for testing early and testing often on technology implementation aspects, identifying and resolving any faults early. This ensures a better user experience when users are involved in business testing or user acceptance testing of the product. We encourage teams to think beyond the technology and focus on things such as the notifications that the IAMS application sends and the jargon that non-technical users may see in the frontend; every aspect of usability is assessed and refined, fully optimising the customer experience.
To ensure your teams see value in the technology implementation and comfortably embrace change, it is important to assess the “process” side of things as well. By engaging people and testing real-world scenarios with them, the process is understood, refined, and optimised. This way the solution developed works well for your people AND your organisation.
It’s all about outcomes: Better IAMS means better security
Bringing your people on the IAMS journey doesn’t just make change management easier; combined with optimised systems and solutions, it brings enthusiasm to embrace the change. Even the best applications aren’t any good if people avoid using them. By keeping your people at the core, they become advocates for your technology, which is a key component of a successful IAMS implementation; your people will understand why IAMS is necessary, how it works, and what it does.
The result is not only happier people but also a more secure business, and who doesn’t want that?