This winter in Boston has been a record breaker. Bostonians are tired of the weather, while non-Bostonians are tired of hearing Bostonians complain about the weather. However, this never-ending winter provides a useful analogy for assessing your organization’s identity and access management (IAM) processes.

My analogy is based on two words that strike fear into many Boston-area homeowners: ice dams. Ice dams are ice structures that form on roofs, following heavy snowfall, that can cause leaks.[1]



Ice dams often dissipate naturally, but record snowfalls and persistent cold temps have exacerbated ice dams this winter.

Just as ice dams can cause leaks, “identity dams” can cause data leaks and other internal problems. Identity dams may result from reorganizations or may just be existing business processes, but they should be removed.  

The challenge is overcoming complacency. Just as many homeowners hope ice dams will dissipate naturally, organizations delude themselves with “This is how we’ve always done it,” and conclude that therefore removing identity dams is not necessary. For complacent organizations, the worst case is having users become accustomed to complicated manual processes for requesting access to new applications, waiting weeks to get access to new applications, and having multiple passwords.

Organizations and homeowners should follow these three steps to minimize the potential damage caused by ice dams and identity dams:

1.       Assess your infrastructure. My colleague Andras Cser has pointed out how the steeper pitch and larger overhang of European roofs help minimize snow build-up and ice dams compared with the typical Boston roof design. The same holds with identity architectures. Are they flexible enough to evolve with changing business requirements? Could your systems quickly incorporate thousands of users from an acquisition? Could you quickly reset all passwords following a data leak? If not, maybe your identity architecture needs some adjustments.

2.       Proactively remove dams. Homeowners often chisel ice off the roof as a stop-gap measure, but it often creates other structural problems. For IAM, it’s often tempting to only look at password reset and enterprise single sign-on (eSSO). But just as there is no substitute for a long-term structural solution for ice dams (proper attic insulation and ample venting and insulation), there is no substitute for a proper structural IAM solution, including optimizing and centralizing your identity processes, assessing and consolidating your directory infrastructures, and creating secure password policies and change regimes. If you address these structural IAM issues, you can improve productivity and help prevent data leaks. Just as homeowners do not want to evacuate their home while expensive roof repairs are made, IAM professionals don’t want to be forced out because of data leaks caused by an underlying architectural identity issue.

3.       Rely on professionals. Please don’t shovel the roof yourself and risk major injuries — pay an insured and trained professional. And don’t try to remove/solve all your IAM problems independently — institutional bias often clouds the ability to see the most optimal approaches. Engage with IAM vendors who can provide best practices and solutions to remove the identity dams permanently.

Forrester’s Identity And Access Management Playbook includes several relevant reports to help optimize your IAM implementation and minimize potential identity dams. For those in the Boston area, I highly recommend reading these reports while a professional shovels your roof.