A maturity level is a well-defined evolutionary plateau on the way to a mature software process; each level is a layer in the foundation for continuous process improvement. A maturity model is a set of attributes that represents an organization's ability to achieve continuous improvement in a particular discipline or domain. It is a descriptive model of the stages through which organizations progress as they define, implement, evolve and improve their processes, and an indicator of progress that exposes an organization's weaknesses and limitations: when an assessment is done against a maturity model, the result is a list of recommendations for climbing to the next level. The model therefore guides the selection of process improvement strategies by helping to determine current process capability and to identify the issues most critical to quality and process improvement within a particular domain, such as software engineering or systems engineering.
In the past, organizations relied on goal-driven indicators such as KPIs and OKRs to measure performance, but these do not apply well to qualitative information, and maturity models were created to fill that gap. The primary goal of a maturity model is to assess, qualitatively, the people, processes and technology of an organization. A maturity model can be built in two ways. In the top-down approach the maturity levels are defined first and the characteristics belonging to each level are then associated with them; in the bottom-up approach the characteristics are identified first and then clustered into maturity levels. Continuous improvement is usually achieved by creating review or audit processes that are applied to day-to-day business processes to evaluate their effectiveness, identify improvements and implement them. It is an iterative process, not a one-time implementation.
One proven maturity model for organizations that need to develop and refine a software development process is the Capability Maturity Model (CMM). The CMM describes a five-level evolutionary path of increasingly organized and systematically more mature processes. It was developed and promoted by the Software Engineering Institute (SEI), a research and development center sponsored by the U.S. Department of Defense (DoD), and has since been superseded by its successor, CMMI (Capability Maturity Model Integration), which keeps a five-level staged representation. The model establishes the framework needed for continuous process improvement in a given organization, and although it was written for software development practices it applies to related domains as well. The CMM describes five maturity levels at which an organization manages its processes.
The five stages of the CMM are as follows −
· Initial − Processes are improvised and often chaotic; few are defined, and success depends on individual effort.
· Repeatable − Basic processes are established, and a level of discipline is maintained to stick to these processes.
· Defined − All processes are precisely defined, documented, standardized, and integrated into each other.
· Managed − Detailed measures of the process and of product quality are collected; processes are quantitatively understood and controlled.
· Optimizing − Continuous process improvement is in place, driven by quantitative feedback from the process and by piloting innovative ideas and technologies.
Applying these concepts and frameworks to an Identity and Access Management program leads naturally to an IAM Maturity Model, the counterpart maturity model for the IAM world. Many IAM maturity models have been developed over time and revised iteratively so that they capture the consolidated, comprehensive set of characteristics a successful IAM program needs.
One IAM maturity model that has gained traction among IAM programs is the Gartner IAM Maturity Model. According to Gartner, the maturity of an enterprise's identity and access management (IAM) program is a key indicator of the effectiveness and efficiency of its IAM activities and of the overall business value of its IAM investments. The Gartner IAM Maturity Model defines the following levels of maturity, which are used to assess and improve IAM program maturity.
Maturity levels in the Gartner IAM Maturity Model:
Many organizations have used these reference maturity models over the years to assess their IAM programs and have built roadmaps from the recommendations to improve the people, process and technology vectors specific to IAM. The following section of the document explains in detail an organization's typical IAM journey and how it fits into the overall maturity-level reference.
Identity and Access Management is the framework of policies and technologies that ensures the right people have the right access to data and resources to perform their job responsibilities. Business leaders and IT departments are under increasing regulatory and organizational pressure to protect access to corporate resources, so they can no longer rely on manual, error-prone processes to assign and track user privileges. IAM automates these tasks and enables granular access control and auditing of access to all corporate assets, on premises and in the cloud.
Improved security is not simply a matter of piling on more security processes; it is about demonstrating that processes and technologies are in place to secure the environment. IAM meets this standard by applying the principle of least privilege, under which a user is granted only the access rights needed for their duties, and separation of duties, under which no single person controls every step of a sensitive transaction (for example, the person who can create a vendor record should not also be able to approve payments to it). With a combination of predetermined and real-time access control, IAM enables organizations to meet their regulatory, risk management and compliance mandates. Identity and Access Management principles are used to initiate, capture, record and manage user identities and their related access permissions in an automated and consolidated way.
Below are some of the benefits of having a comprehensive IAM solution:
Ø Access privileges are granted according to policy, and all individuals and services are properly authenticated, authorized and audited.
Ø Companies that properly manage identities have greater control of user access, which reduces the risk of internal and external data breaches.
Ø Automated IAM lets businesses operate more efficiently by decreasing the effort, time and money that manual management of access to their networks would require.
Ø In terms of security, the use of an IAM framework can make it easier to enforce policies around user authentication, validation and privileges, and address issues regarding excess privileges.
Ø IAM solutions help companies better comply with government regulations by demonstrating that any access data or reports needed for auditing can be made available on demand.
Organizations can gain competitive advantages by implementing Identity and Access Management tools and following related best practices. These solutions enable better collaboration, enhanced productivity, increased efficiency and reduced operating costs.
The IAM journey described above shows what each step means to an organization's IAM program and how it affects the organization's ability to move up the maturity levels. The maturity levels and the steps that define them are a reasonable, well-balanced way to gauge the current state and to list the steps needed to climb the IAM maturity ladder. In our opinion, however, they are neither comprehensive nor granular enough. What the current IAM maturity models lack is the granularity, and the intuitiveness, organizations need to plan a comprehensive IAM program journey toward IAM maturity utopia.
Assessments against a common maturity model bring several advantages. They position the current achievements within a framework and can therefore be used for benchmarking, to compare with competitors, peers or best of breed. As a useful side effect they quantify otherwise qualitative information. For compliance and certification purposes they may provide the necessary evidence. They give helpful orientation for defining the starting point of change activities, and they strengthen an organization's reputation, since decisions are then based on evidence rather than gut feeling. Overall they add to transparency, thereby serving as a foundation for good governance. It is useful to assess the maturity of your identity and access management environment for at least two reasons: it indicates the potential benefits of investing in improving the environment, and it gives direction on the priority of the projects in the development roadmap.
Now that we know what an IAM maturity model is, why a maturity model should be used to evaluate your IAM program, and what is missing in the current IAM maturity models, let's shed some light on Identopia's way of evaluating an IAM program.
Identopia's version of the IAM maturity model takes the current IAM maturity model and adds an extra dimension, making it more granular and more intuitive so that organizations get a clear understanding of the IAM maturity path. In short, it takes the current IAM maturity model and adds a layer that accounts for Zero Trust concepts.
The concept of Zero Trust is not new, and whatever your point of view, Zero Trust is a reality. Recently it has taken on a larger-than-life persona, fueled by the endless cycle of data and identity breaches in the news, by vendors promoting their technologies, and by customers rushing to adopt a Zero Trust strategy. Many references and publications describe Zero Trust, but most of them articulate security from a single vendor's vantage point; NIST SP 800-207, Zero Trust Architecture, is the main vendor-neutral reference.
At its core, Identopia holds that identity is the keystone of any Zero Trust strategy.
Since its inception, Zero Trust has been extended beyond traditional infrastructure, databases and network devices to include cloud environments, big data projects, DevOps environments, containers and microservices.
The extended ecosystem includes the following elements and associated processes:
Ø Zero Trust Networks
Ø Zero Trust Data
Ø Zero Trust Workloads
Ø Zero Trust Devices
Ø Zero Trust People
Ø Automation and Orchestration
Ø Visibility and Analytics
In all cases, the approaches are becoming increasingly more risk-based and identity-centric.
Most attacks seen today are not sophisticated in the sense of breaking into an enterprise network through an exploit. Attackers target the credentials of privileged accounts and then move laterally across the network, hunting for further credentials that give them access to the organization's critical data. One stolen credential is enough to gain a foothold in the infrastructure and reach sensitive data. The traditional, network-centric form of Zero Trust, which concentrates on securing endpoints, networks and firewalls, will not by itself protect the organization from identity- and credential-based threats.
Given how important the identity-centric approach to Zero Trust is, Identopia evaluates IAM maturity on the basis of an assessment done along the following vectors.
An assessment is done on all the above parameters for each of the feature functionalities discussed in the IAM journey section of this document. Specific questions are asked for each section, and based on the responses the IAM program is evaluated and an IAM maturity level is determined against the IAM maturity model. Feature functionality:
Ø Provisioning and Deprovisioning
Ø Lifecycle Management
Ø Single Sign-On and Multi-Factor Authentication
Ø Access Reviews
Ø Password Management
Ø System Integration
Ø Privileged Identity Management
Ø Auditing and Reporting
Ø Role/Risk Based Access Control
Ø Data Normalization
Ø Cloud Move Initiatives
Ø Robotic Process Automation
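As an added example (not Identopia's own tooling and not code from the original document), the following Python script shows what an automated access review behind the Provisioning and Deprovisioning, Access Reviews and Privileged Identity Management vectors can check, applying the least privilege and separation of duties principles described earlier: it compares a constructed HR roster, role model and target-system snapshot and reports orphaned accounts, separation-of-duties conflicts, entitlements that no assigned role explains, and dormant privileged access. The roster, role model, rules, account data and the 30-day idle threshold are all constructed assumptions.

```python
"""Access-review checks for an IAM assessment.

Added example with constructed data; it is not Identopia's assessment tool.
The role model, the separation-of-duties rules and the 30-day idle
threshold are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Constructed HR roster: the authoritative source for who should have access.
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "terminated", "dave": "active"}

# Constructed role model: the entitlements each role is allowed to grant.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:create_vendor", "erp:enter_invoice"},
    "ap_manager": {"erp:approve_payment"},
    "dba": {"db:admin"},
}

# Constructed separation-of-duties rules: entitlement pairs one person must not hold.
SOD_RULES = [
    ("erp:create_vendor", "erp:approve_payment", "vendor creation + payment approval"),
    ("erp:enter_invoice", "erp:approve_payment", "invoice entry + payment approval"),
]

# Entitlements treated as privileged for the dormancy check (assumption).
PRIVILEGED = {"db:admin"}


@dataclass
class Account:
    user: str
    roles: set            # roles assigned in the IAM system
    entitlements: set     # entitlements the target system actually reports
    last_login_days: int  # days since the account was last used


# Constructed snapshot of what the target systems report.
ACCOUNTS = [
    Account("alice", {"ap_clerk"}, {"erp:create_vendor", "erp:enter_invoice"}, 3),
    Account("bob", {"ap_clerk", "ap_manager"},
            {"erp:create_vendor", "erp:enter_invoice", "erp:approve_payment"}, 1),
    Account("carol", {"dba"}, {"db:admin"}, 40),
    Account("dave", {"ap_manager"}, {"erp:approve_payment", "db:admin"}, 2),
]


def orphaned_accounts(accounts, roster):
    """Deprovisioning check: accounts whose owner is not an active employee.
    A user missing from the roster is flagged too, since nobody owns it."""
    return sorted(a.user for a in accounts if roster.get(a.user) != "active")


def sod_violations(accounts, rules):
    """Separation-of-duties check: one person holding a toxic pair."""
    return [(a.user, label) for a in accounts
            for left, right, label in rules
            if left in a.entitlements and right in a.entitlements]


def excess_entitlements(accounts, role_map):
    """Least-privilege check: entitlements not explained by any assigned role,
    i.e. access granted directly or left behind after a role change."""
    findings = []
    for a in accounts:
        allowed = set().union(*(role_map.get(r, set()) for r in a.roles))
        findings.extend((a.user, e) for e in sorted(a.entitlements - allowed))
    return findings


def dormant_privileged(accounts, privileged, max_idle_days=30):
    """Privileged identity check: unused privileged access is pure attack surface."""
    return sorted(a.user for a in accounts
                  if a.entitlements & privileged and a.last_login_days > max_idle_days)


def run_review(accounts=ACCOUNTS, roster=HR_ROSTER, role_map=ROLE_ENTITLEMENTS,
               rules=SOD_RULES, privileged=PRIVILEGED):
    """Run all checks and return the findings an access reviewer would act on."""
    return {
        "orphaned": orphaned_accounts(accounts, roster),
        "sod": sod_violations(accounts, rules),
        "excess": excess_entitlements(accounts, role_map),
        "dormant_privileged": dormant_privileged(accounts, privileged),
    }


if __name__ == "__main__":
    for check, findings in run_review().items():
        print(f"{check}: {findings}")
```

On the constructed data the review flags carol's account as orphaned (terminated in HR but still holding db:admin, and dormant for 40 days), bob's combination of vendor creation, invoice entry and payment approval as two separation-of-duties conflicts, and dave's db:admin as access that none of his roles explains. The same four lists are what distinguishes maturity levels in practice: an organization at a low level produces them by hand, if at all, while a mature one generates them continuously from its IAM platform and feeds them back into deprovisioning and certification workflows.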
Mature organizations achieve Zero Trust by integrating their existing identity and security technologies: they implement architectures that share identity context and provide risk-based access to critical resources, improving security without compromising the user experience. Identity-defined Zero Trust is a complex topic that touches almost every aspect of an organization's IT and security infrastructure. Identopia has added a dimension to the current industry IAM maturity model by taking the functionality vectors above and folding identity-driven Zero Trust into the mix. The result is a more intuitive, more granular and more comprehensive assessment of your IAM program's maturity, and a roadmap that defines your IAM journey toward improved IAM maturity.