How to avoid the most common mistakes of an identity governance program

It’s a story I have seen play out many times over two decades in the Identity and Access Management (IAM) field: An organization determines that it needs a more robust Identity Governance and Administration (IGA) program and kicks off a project to realize this goal, but after a promising start, the whole effort falls apart within six to twelve months.

[Figure: What an IGA program does]

People become frustrated about wasted time and money. The audit and compliance teams who need IGA grow disappointed, perhaps even anxious. The regulatory risks they are trying to mitigate continue to loom large. Finger pointing ensues, arguing and discord follow.

Don’t get me wrong, a fine-tuned and efficient IGA program is well worth it. An IGA program helps ensure an organization’s data security, assists in completing audits, and supports significant boosts in operational agility.

The three common IGA project mistakes

The specific things that can go wrong vary by company, but they follow a sadly familiar pattern. Three common mistakes stand out in particular:

1. Underestimating the costs

An IGA project is an IT project, but it’s so much more. Viewing IGA simply as a matter of buying and installing software is an avoidable error. To work, IGA usually needs advisory services on top of in-house resources. Application integration costs may get under-counted as well, as project stakeholders fail to grasp the interconnected nature of the IGA process. For example, the IGA solution usually has to link with HR management systems and so forth. Training costs can be higher than people predict. Finding people with IGA skills also tends to take longer and cost more than anyone might guess at the outset.

2. Not building for user experience (UX)

IGA end users need to feel comfortable and confident using the system, or the whole project finds itself in jeopardy. People want to get their jobs done. They generally don’t have the time for, or interest in, learning a new system and lexicon. If using the solution isn’t a basically effortless part of their day-to-day work lives, users will seek ways around it. They’ll call the help desk or contact a colleague, claiming they cannot complete IGA tasks. This sort of slow-building mutiny can wreck an IGA program.

3. Failing to secure or sustain C-suite sponsorship

IGA projects can be challenging. They require collaboration across departments. Strong executive sponsorship is critical to success, particularly for overcoming potential points of friction. In my experience, one can predict that trouble is on the horizon as soon as the executive sponsor stops coming to status meetings. This usually isn’t the executive’s fault. He or she is simply quite busy and has not been properly briefed on the importance of his or her role in ensuring a good outcome for the investment in IGA.

How to avoid IGA project problems

These pitfalls need not sink an IGA program. Being conscious of the potential problems and addressing them in the project planning stage helps a great deal. Budgeting accurately, thinking through UX, and making expectations clear with executive sponsors provide the basis for IGA success.

There’s also a new approach to IGA implementation that can make a huge difference. It involves integrating the IGA toolset with the existing application platform, a system that everyone is already using for IT-related workloads. These platforms exist in most organizations; a popular example is ServiceNow.

Building IGA on top of an existing platform delivers a number of distinct advantages for the program:

  • It maximizes the current investment in the platform
  • It’s less expensive than purchasing an IGA solution that is its own stack—a savings that applies to both the build and manage phases of its life cycle
  • No new skillsets are required, either, which avoids the costly recruit/train/retain struggles that can arise with standalone IGA solutions
  • Changes to the IGA system are more economical as well when it runs atop a familiar incumbent platform in the organization

Employees are already using the platform interfaces, so there are few training issues or UX problems inherent in launching an IGA program that is seamlessly integrated into existing processes. Knowledge workers know the interfaces and workflows to request and approve identity governance services. They won’t have to bookmark a new URL or learn a new way of doing things, speeding overall acceptance.

Application platforms are also increasingly becoming one of the main vehicles for digital transformation (DX) projects. This makes sense, given the importance of IT agility and smooth IT operations in the DX vision. By linking IGA with DX, it becomes easier to attract sustainable executive interest in the IGA program.

C-level executives sponsor DX projects; bonuses may hinge on them. They know DX projects are ambitious and potential generators of strong return on investment. With IGA built into DX, the identity governance program will not be neglected.

Avoiding the common pitfalls inherent in launching an IGA program will take some focus and work, but the resulting benefits are well worth the effort. As you look to refresh or improve your current IGA program, consider leveraging what platforms you already have in place to achieve the most successful outcome.

What do IGA solutions have in common with listening to music anywhere?

Fifteen years ago, there was a revolution in personal music players. The market had slowly evolved from the Walkman to the Discman, when a bolt of innovation brought the MP3 player. Finally, the problem of having all of one’s music anywhere was solved with a single device, not a device plus a bag full of whatever physical media was popular at that time.


History clearly shows that the iPod and a few of its competitors were very successful in driving revenue and taking market share away from the legacy personal music players. History also shows that the reign of these devices was short-lived. Just a decade after the release of MP3 players, they were almost entirely replaced by personal music player technology on a smartphone. Why did this happen?

The world slowly realized that the way MP3 players solved the “my music anywhere” problem carried a cost that significantly reduced the value of the solution. You had to carry a phone and an iPod, keep them both charged, and, in many cases, keep both synced with your PC.

Today, stand-alone PMPs are purely niche devices for specific use cases while everyone else plays music through their phones. The smartphone is the perfect platform to consolidate the “music anywhere” capability with the messaging, mapping and gaming anywhere that those platforms provide. This allows you to carry, charge and sync only one device and manage one set of configuration settings.

Having spent the last decade in the identity governance market, I believe a similar sea change is about to happen. Identity governance solutions require the following set of capabilities:

1. Lifecycle management

Organizations need to provide some set of automation that follows a knowledge worker (employee, contractor, partner, etc.) from the time they start their association with the company until they end their relationship. This automation should be responsible for giving each knowledge worker access to the core set of applications they need to do their jobs, from their first role throughout many possible promotions and role changes over the years.

This capability is critical as it provides the organization the speed and agility it needs to ensure everyone can spend their time working, as opposed to dealing with the IT team. Additionally, at every step in the lifecycle, permissions that were relevant for the last job role but are no longer needed should be removed to maintain a least-privilege security stance. This process typically concludes at the end of a long employment journey, which conceivably included many role changes, where it is critical to ensure that the departing team member no longer has access to ANY company resource.

2. Self-service access request

Automated lifecycle management is critical but even the most organized enterprises can’t predict all of the applications and data a particular colleague will need. Projects come and go, oftentimes staffed with matrixed teams, making it hard to completely define every application an employee will need for all their duties. This is where self-service access request comes in. This capability enables all knowledge workers to simply request access to an application when the need arises through an online portal.

These requests are then evaluated against compliance and security policies, then routed directly to the application owner or employee manager for approval. If approved, these new application permissions are automatically fulfilled without the IT group needing to be involved outside of defining the key policies and workflows. This approach allows the business to manage day-to-day decisions over business data access, which is critical to ensuring speed and competitiveness.

3. Automated access certification

The Sarbanes-Oxley Act of 2002 made a huge impact on organizations of all types. It was followed by a continuously growing set of additional regulations, such as HIPAA and GDPR, which all focused on the need for documented and provable controls on all manner of systems and data. Access to applications and the data inside them was a key control metric in all of these regulations.

Access certification is the process meant to arm internal teams with the data they need to prove compliance to these external regulations, or in some cases just internal policies. Access certification requires that on a regular basis (usually every quarter) application owners review the users and permissions that have been assigned within the applications they are responsible for.

During this process, each combination of user, application and permission must be certified, or attested. In cases where a user is believed to have more permissions than they need to do their job, these entitlements are flagged for removal. Organizations used to perform these functions with spreadsheets and email (some sadly still do), but today this functionality is typically automated through Identity Governance and Administration (IGA) solutions.
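To make the lifecycle management and access certification capabilities above concrete, here is an added example (not code from the original article or any IGA product) with a constructed role model: a role change revokes what the old role needed, termination revokes everything, and certification flags any held entitlement justified neither by role nor by an approved request.

```python
"""Constructed example of two IGA controls: role-driven joiner/mover/leaver
reconciliation and a periodic access certification. The role model and
the (application, permission) names are made up for illustration."""

# Role model: the set of (application, permission) pairs each job role needs.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {("erp", "ap_entry")},
    "ap_manager": {("erp", "ap_approve"), ("reporting", "finance_read")},
}
# Entitlements every active worker receives regardless of role.
BASELINE = {("email", "mailbox"), ("hr_portal", "self_service")}


def target_entitlements(role):
    """Entitlements a worker in `role` should hold. A departed worker (role None)
    is entitled to nothing at all, so every held entitlement becomes a revoke."""
    if role is None:
        return set()
    return ROLE_ENTITLEMENTS[role] | BASELINE


def reconcile(held, role):
    """Return (grants, revokes) that move `held` to the target for `role`.
    Revoking what the previous role needed but the new one does not keeps
    the worker at least privilege through promotions and transfers."""
    target = target_entitlements(role)
    return target - held, held - target


def apply_lifecycle(events):
    """Replay HR events (hire / role_change / terminate) and return the final
    entitlements plus an action log of (event, grants, revokes) per step."""
    held, log = set(), []
    for event, new_role in events:
        role = None if event == "terminate" else new_role
        grants, revokes = reconcile(held, role)
        held = (held | grants) - revokes
        log.append((event, sorted(grants), sorted(revokes)))
    return held, log


def certify(held, role, approved_requests):
    """Certification review: flag every held entitlement that is justified
    neither by the worker's current role nor by an approved access request."""
    justified = target_entitlements(role) | set(approved_requests)
    return sorted(held - justified)
```

The action log doubles as the evidence trail an auditor asks for; in practice `held` would be read back from the connected applications rather than tracked in memory.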

4. Auditing and analytics

The average number of applications for an enterprise organization with more than 5,000 employees is now more than 400. Assuming each application has only two types of permissions (which is not reality), this gives organizations more than 4 million possible entitlements that are changing all the time and need to be kept track of.

The main value proposition IGA solutions can provide is to consolidate and present this ever-changing data in a way that makes sense to mere mortals. At its core, this provides the value of visibility, but the value explodes during preparation for an audit. What used to take months of manual work now takes days of preparing for that team of auditors. Modern IGA systems now also frame this information with signals from other silos (GRC, Incident Response, SIEM) to make the data even more usable to audit and risk teams.

These four capabilities sound simple on the page but in practice can be very difficult to implement. This is one of the reasons people have been making stand-alone IGA solutions for more than 15 years now. This is a complicated problem that the market has met with complicated solutions.

And after 15 years, we still see that most IGA programs are categorized as “at risk,” meaning there is a gap between the value expected at program start vs. current reality. I firmly believe we are about to see a revolt against big, heavy solutions to this problem. This revolt will not be just because people are tired of projects that are 3 years behind and 200 percent over budget. People are also starting to see similarities in this problem set to the other IT challenges their organizations have been solving.

In the case of IGA, a high-level view of the solutions shows that the main needs of an effective solution include:

  • Connectivity to key IT systems
  • Consolidation and presentation of data from multiple systems
  • Strong workflow-based automation
  • Interfaces that all stakeholders can use

Coincidentally, these same building blocks are also key to many of the IaaS and PaaS solutions that have become so popular over the past decade. The very reason organizations invest in platforms such as AWS, Azure, ServiceNow and others is to provide a foundation for all IT workloads to take advantage of. These platforms are the smartphones of enterprise IT, allowing applications to be created that take advantage of these key design blocks and are easier to integrate with the rest of the critical IT systems.

Frustrated IGA program owners are ready to ditch the stand-alone solutions (MP3 players) and take advantage of what these platforms can offer by using IGA solutions that are built directly into these key platforms. We have already proven that the current path of making bigger and more powerful siloed solutions results only in vendor growth and doesn’t solve the problem. As these new solutions gain adoption, we will see benefits beyond just reduced complexity and friction.

Just as when we started listening to music on our phones, we immediately saw the obvious benefits. But over time, the market found new benefits that it had not even dreamed about when this phase began. Without the move from PMPs to phones we would not be able to “share” music via social media and messaging, nor do I believe streaming music would have taken off without the phones’ built-in connectivity.

Building IGA solutions on top of key IT platforms will open the door for many similar valuable integrations. As more people leverage Human Resources, Incident Response and GRC on these platforms, there will be many integrations that can ONLY be done by IGA solutions that live natively on that same platform.