Digital identities are at the heart of digital transformation, information security and privacy. Therefore, if organisations have not done so already, no time should be wasted in reviewing their identity governance and administration (IGA) capability, which is at the heart of identity and access management (IAM).
While most organisations understand the importance of IGA, business cases for new IGA projects may be difficult to make because of past project failures and the resultant reticence of the business to invest further.
However, by outlining the business benefits and drawing up a plan to avoid and/or mitigate the risks of failure, security professionals are more likely to get new IGA projects approved.
Why IGA is important to the business
IGA is a key element of any organisation’s IAM architecture, covering identity lifecycle management and access governance. IGA is essentially the ability to reduce the risk that comes with excessive or unnecessary user access to applications, systems and data.
This is achieved by enabling policy-based centralised orchestration of user identity management and access control, and by working with other IAM processes to automate workflows and meet compliance requirements.
Business drivers for improving IGA capabilities include improved competitive advantage, easier partnering and reduced costs. Effective IGA is key to improved IAM, which enables businesses to deliver better services tailored to customer requirements.
The risks associated with poor IGA
A lack of IGA capabilities can expose an organisation to security and compliance risks due to inefficient administration of identities and access entitlements, poor role management and inadequate auditing and reporting, resulting in: identity theft; unapproved/unauthorised change; access/entitlement creep; and separation of duties (SoD) conflicts.
A high proportion of cyber attacks exploit stolen credentials and there are growing regulatory requirements to limit access to sensitive information to an absolute minimum and provide audit logs of all user activity. Therefore, there is an undeniable need for all sizes of organisations in all industry sectors to have effective IGA controls.
Risks and pitfalls of IGA projects
In light of the fact that IGA projects are prone to several common risks and pitfalls that can potentially lead to failure, it is important to identify these risks at the outset. This enables the business to make risk-based decisions to address them before embarking on individual projects and thereby avoid failure.
These risks and pitfalls may be grouped in five key areas:
- Business alignment.
The success of any IGA project requires the support and agreement of all stakeholders.
To ensure this support, it is essential to:
- Explain the business value of proposed IGA projects in clear, simple terms to win executive support.
- Identify the biggest business benefit of the IGA project and make this the overall goal.
- Make it clear to executive sponsors when they will see tangible benefits of an IGA project and what these will be to avoid unrealistic expectations.
- Explain all the benefits to the business to get business support and involvement.
- Ensure that the business drives projects and leads the technology, not vice versa.
- Set compliance as a business requirement early in the process to ensure that audit requirements are met without becoming the drivers of the programme or projects.
- Appoint a specialist IGA programme manager where the business lacks the necessary technical skills to support the business at the project level.
- Communicate progress and successes regularly to all stakeholders throughout the project.
- Ensure the business works with system integrators and vendors to match IGA products with business needs.
- Set realistic goals and keep technical and business teams informed on the progress of IGA projects and the work the other team is doing and reward them for meeting deadlines.
It is important to ensure that the business understands that the benefits of IGA are not confined to meeting regulatory and audit requirements, but also:
- Achieve an overall view of users.
- Have the ability to connect new business partners quickly.
- Add agility for the business.
Because IGA projects typically span an entire organisation and involve both technical and business teams, failure to ensure that policies and processes are accurately and consistently defined, that roles are understood, and that rules are correctly formed and related back to the business could easily result in failure.
To avoid these and other organisational pitfalls:
- Create a new cross-functional group to create, support and report on IGA project policies and processes to all stakeholders.
- Ensure change management is part of any IGA project by creating a change management program and change management team to manage all organisational changes that will occur as a result of implementing new IGA processes and/or technologies.
- Fill any skills gaps with specialists and set up training/skills transfer programs to ensure that the organisation has people with the correct levels of experience and expertise necessary for the sort-term success and long-term sustainability of IGA projects.
Complexity is the enemy of success in most projects, and this is particularly true when it comes to IGA projects which typically involved a wide range of stakeholders across the business and increasingly involve a wide range of identity types.
In addition to standard employees, IGA capabilities need to include identities of contractors, partners, consumers, customers and even non-human identities of devices and processes. This is essential to digital transformation and to the competitive advantage of every company.
New IGA projects, therefore, should seek to implement consistent, logical architectures that allow access for everyone using every kind of app and device to every service from everywhere and enable the use of access policies that can be defined centrally, and then applied across all control points (on-premise and in the cloud) to enable automated and consistent access governance across an enterprise.
Organisations looking to the future of identity management should consider re-defining access governance by adopting a perspective that is beyond static entitlements in systems, applications and services to include the governance of all types of access.
This broader definition will ensure that policy-based governance is applied to identity, data and enterprise risk management, including IT risk management and access risk management.
Through the implementation phase it is important to:
- Demonstrate the success of IGA deployments early on to build credibility and gather support.
- Implement consistent, logical architectures that allow access of every kind of app and device to every service.
- Define and implement an integrated approach on security, where IAM and IGA work with other services to address security requirements.
- Seek to future proof investments through the adoption of a service-based architecture and the enablement of policy-based governance across all enterprise access control points.
Complex projects that do not follow a single strategy set by the business are typically difficult to control and tend to be prone to delays and failure.
During the planning phase of any IGA project, it is important to:
- Adopt a structured programme approach, in which the overall business goal for the IGA program is broken into smaller, manageable, strategy-led projects that are tightly linked.
- Identify the biggest business benefit of each project and make this the project goal.
- Each project should build on the one before, providing incremental value to the business.
- These projects should also be led by a single strategy set by the business to define the business rules, processes and governance.
- Scope projects correctly by taking IGA maturity, business needs, IGA gaps and customisation requirements into account
- Customisation can be reduced and even eliminated by implementing standardised, best-practice processes wherever possible. Failure to scope a project correctly and avoid complexity could result in delays, challenges and failure.
Choosing the right IGA product is extremely important. Choosing the wrong product or trying to get value from existing failed products can lead to project failure. It is also inadvisable to allow IGA and other projects to be driven by system integrators (SIs) or suppliers because IGA stakeholders in an organisation understand their organisation and its needs best.
They should work closely with SIs and suppliers to identify which IGA product/s best match all the current and future requirements of the business. Start with the business requirements and then identify which IGA products support that. Do not start with a product.
When choosing technology for an IGA project, organisations should:
- Think carefully before choosing a single big supplier over a variety of smaller, independent specialists because packaged products from big suppliers do not necessarily make more commercial sense than loosely coupled components from multiple sources competing to win a larger market share.
- Give strong consideration to switching to cloud-based IGA capabilities wherever possible to enable shorter deployment cycles, faster upgrades and lower TCO in the short term.
- Avoid products that have already been purchased, partially implemented or resulted in failed roll outs if they do not support the IGA needs of the business.
When making technology choices, it is also important to ensure that any IGA programme:
- Can support the entire breadth of today’s IT infrastructure and business applications by covering all types of applications and all types of business access risks, as well as implementing security controls at various levels.
- Can manage the increasing number of non-human identities within enterprise IT environments.
- Includes provision for governing the access rights of privileged accounts in terms of policies and processes.
- Can meet the regulatory requirements for formal processes for consent management, access requests and approval, regular access review, and the management and enforcement of SoD rules.
- Includes a pilot installation under real-world conditions to gather evidence before confirming any IGA product choice.
Using and orchestrating services from the cloud will simplify the journey to a future-proof IT security infrastructure and IAM, including IGA. Therefore, IGA projects should define and implement an integrated approach on security, where IAM and IGA work seamlessly with other services such as CASBs, threat intelligence, and enterprise mobility management (EMM) to address security needs.
A cloud-based approach is also key to implementing consistent, logical architectures that allow access for everyone from anywhere using every kind of app and device to every service.
For most businesses, this will mean making changes to their IT architecture to become more agile and flexible by separating identity and applications, and providing the back-end systems required to make all the necessary connections using application programming interfaces (APIs) that bridge services, microservices and containers in the cloud and on-premise.
These changes will result in a converged digital identity back end or “identity fabric” that can deliver as a utility all the identity services (including security and privacy) required by the growing number of new digital services enabled by digital transformation that will actively consume identity services.
By setting up an identity fabric, organisations are more likely to meet the demands of digital transformation initiatives quickly, while at the same time enabling a gradual migration of legacy identity management systems to the new identity-as-a-service paradigm.