2018 Gartner IAM Highlights: Looking Back at Looking Forward

This past December, Idenhaus attended the 2018 Gartner IAM Summit in Las Vegas. The annual Gartner IAM conference is all about learning from the best. No subject matter expert, no matter how talented, can know everything about everything. We benefit from the new ideas, shared knowledge, and lessons learned from those who have tried a new direction or a new technology.

After December’s #GartnerIAM, we shared highlights from one session that stood out in particular, Panel Discussion: CISO Perspectives on the PAM Journey. Now that we’ve had the opportunity to reflect on the conference as a whole, I want to highlight several themes that headlined #GartnerIAM 2018.

2018 Gartner IAM Summit Themes and Highlights:

Identity Management (IAM) and Identity Governance (IGA) are more complicated than simply going for a jog in the park; the journey is a crawl, a walk, and then a run!

    1. First, crawl around and explore the Frameworks and Solutions that are in place. The more time you take to look over the journey you are about to embark upon, the more likely you are to set realistic expectations for improving business processes.
      • Begin by identifying your organization’s IAM and IGA maturity
      • Clearly identify the business processes that cause the most challenges and present the greatest opportunity to improve
    2. Evaluate existing solutions against new Operational and Regulatory Requirements and make an informed judgment call whether a change in technology and services would be beneficial.
    3. Then, as you start walking through Role-Based Access Control (RBAC), be aware that it is not a panacea. Role Mining and Role Attestation aren’t “one and done” activities. RBAC is an ongoing endeavor that requires walking slowly and intentionally. Just as a shipping and receiving warehouse receives new packages that have different sizes, weights, and storage needs, roles and resources can change daily. Here are a few reminders as you walk through Role Administration:
      • RBAC should not be a “boil the ocean” approach. Instead, applying the 80-20 rule to automate access management for sensitive applications and those with a high volume of transactions (e.g. lots of new users, or high user turnover) is a great starting point. The goal is not to try to automate everything; it’s to automate what adds the most value.
      • Roles are best assessed following a Bottom-Up approach after an inventory of existing access control data. Role Mining campaigns should focus on which roles will bring the biggest value to the organization by reducing business operational debt (e.g. wait time to perform job duties in applications).
    4. Finally, as you begin to run through your Governance Compliance reviews, it is best to shift to a Top-Down approach and look at what a person’s HR profile drives in terms of Roles and Responsibility.  
      • What are the IGA Campaign objectives and how are they aligned with strategic and compliance goals of the company?
      • Can the Campaign identify if people are in the right Business Roles and if they are provisioned correctly?
      • Will the next Person to join the organization be able to perform the same duties and will they need the same provisioned access?
      • Are the approvals for the roles set up such that the person doesn’t need to request multiple resources and then have to wait a long time to receive them?
      • Can reports be run to show who approved the access, or change to access, and when?

Be honest about how mature your organization is in its progression from IAM through IGA. If you start out running too fast, you’ll burn out those involved and the system will ultimately break down or your best resources will leave. If you spend too much time crawling, your organization runs the risk of missing out on new talent or customers due to delays in agility.

Finally, as we look over the horizon to the future and consider the new paths Identity Management may take, we cannot run past the beautiful and flowery ideas of Self-Sovereign Identities as if they were a fairy tale. If you haven’t been following any of the efforts of the Sovrin Foundation, consider it worthwhile to take a quick look at their progress every now and then. Concepts like “Anonymous Credentials Architecture”, Identity “Trustees and Stewards”, and “Zero-Knowledge Proofs” are very complex but necessary solutions for addressing Identity Theft and Credential-based breaches. The Sovrin Foundation has been working on some Pre-Production Pilots, such as CULedger and others, that are making significant progress toward allowing individuals to once again own their identities.

Were you at the 2018 Gartner IAM Summit? Which session did you find the most interesting, and why? I’d be pleased to hear your thoughts below.
