Looking at the history of Identity Governance & Administration (IGA), it is clear to see how far it has evolved in the last 20 years. From Operational IT projects focussing on efficiency, to dedicated IAM teams, and now to IGA as a crucial function within Information Security. The security and technology landscape has also changed drastically in this time. Solutions were traditionally deployed on-site with a view to managing on-prem systems within an established perimeter. However, as digital transformation and “cloud-first” strategies continue to grow in prominence – ask yourself, “If my critical systems, applications and data are in the cloud, why not my IGA solution?”
Today, across industries, realization of the importance of identity-first security strategies is at the forefront of CIO and CISO’s minds. Organizations are seeking cloud-based identity solutions to fit cloud and identity first strategies. This is where Modern IGA comes in – let’s explore the need for IGA, what modern IGA looks like, and four considerations when assessing your options.
The need for Identity-Centric security
In the report, IAM Leaders’ Guide to Identity Governance and Administration, Gartner noted that “IGA leads to improved identity process maturity, facilitated compliance and reduced risk of unauthorized access, and also provides more visible and efficient controls to the identity life cycle administration processes.”
Given that Broken Access Control is currently top of the OWASP Top 10 Web Application Security Risks, these visible and efficient controls provided by Modern IGA will ensure the principle of least privilege is adhered to, something that is more important than ever.
Legacy or homegrown IGA solutions are often dated and borne out of necessity to fix a specific problem. They’ve typically been cobbled together, patchwork-style, by means of complex and costly customizations. These cumbersome, on-premise deployments are difficult to maintain, scale, upgrade and, most importantly, they often no longer meet the modern challenges of today’s information security landscape.
In addition to technological challenges, there are procedural and cultural ones as well. Too often when migrating services to the cloud, there’s a status quo mentality. Organizations may try to take a “lift and shift” approach to IGA, it is often seen to be the path of least resistance. When it comes to future-proofing your Modern IGA implementation, this is not the way forward.
Migrating to Modern IGA
Modern IGA solutions should be cloud-native and easy to deploy, maintain, upgrade and scale. With these solutions you should get all the strong Identity Lifecycle Management capabilities legacy solutions provided plus more sophisticated access automation, intelligent decision support, and higher governance and audit standards. However, technology alone is not enough and it is crucial your processes and people are modernized too.
I spoke of procedural and cultural challenges, migrating to a Modern IGA solution is the perfect time to address these. Analyze your current IGA business processes and the skillsets you need to support these. Identify gaps or areas of improvements and ensure that the processes you configure in your new solution are fit-for-purpose. In doing so, you will be able to take advantage of all a Modern IGA solution can provide.
Moreover, this is a perfect opportunity to realign your IGA implementation with critical risks identified in your organization. Identify stakeholders across your business and ensure you communicate the benefits Modern IGA will bring, the risks Modern IGA will mitigate, and the challenges Modern IGA will resolve.
Aligning this messaging with the right people, processes and technology in place will ensure the success of your IGA implementation.
What to look for from Modern IGA
I touched briefly on what Modern IGA should be, but how do you ensure you select the correct IGA solution. To me, a Modern IGA solution should be:
- Simplified: Identity is complex but by taking a configuration-first approach that utilizes best practice use cases and removes complex customizations, you are able to deliver value quickly and lower the total cost of ownership. Simplified maintenance, expansions, and upgrades ultimately improves end user experience.
- Scalable: The solution must be able to handle all types of identities; systems and applications, as well as support Digital Transformation and organizational change as and when it happens, without disruption.
- Agile: Speed of deployment, upgrades and change is critical. Your solution should enable rapid ROI and make it easy for end users to quickly and easily interact with the solution.
- Intelligent: By providing analytical insight to identify and mitigate Key Risk Indicators and provide decision support for end users, your solution will enable a risk based approach to IGA. Thus allowing end users and administrators to focus on the things that matter.
Above all, make sure you have clearly defined use cases that align with your IGA processes and that the IGA solution you opt for can meet these challenges in a simplified, scalable, agile and intelligent manner.
Conclusion
IGA has come a long way from being an Operational IT project with a very narrow focus. It is now a crucial part of any Information Security function and Identity-Centric approaches are an important part in enabling Zero Trust and Software Defined Security (SDS) strategies.
Choosing the right Modern IGA solution is a vital part of this, but a holistic approach is needed. Align your people and processes against your key business risks, engage with stakeholders across the entire business, and ensure your Modern IGA solution is simplified, scalable, agile and intelligent. By doing so, you can be in control of all of your identities in an increasingly complex cloud-first era.
