Enterprises with a successful data governance model have a significant competitive advantage. As the ability to manage, control, analyze, and interpret data becomes increasingly crucial in driving business-decision making, the future success of an enterprise may well depend on it.
An IGA (Identity Governance & Administration) solution is the key to ensuring IAM process integrate fully with business processes, and is essential in allowing organizations to utilize their data to maximize profits and improve ROI.
An umbrella term, IGA touches upon all aspects of an enterprise: it includes the technical side and the more business-oriented side, as well as covering legal and regulatory perspectives – e.g., audit and compliance requirements.
IGA may be confused with IAM (Information and Access Management). However, they are not the same. IAM refers to the technology used in managing identities and access privileges. IGA, in contrast, focuses first on the people and the business processes – emphasizing these aspects rather than on technology per se.
So is there a secret sauce to creating an IGA solution that does everything you need it to do? There are certainly “dos and don’ts.” Best practices in implementing IGA involves, at the outset, buy-in at the highest levels to the basic concepts of data governance.
As outlined in this article about IGA specifically in academic settings, “buy-in” means investment in a roadmap: defining transparency expectations; choosing data trustees; determining a high-level development process; finding the right technologies.
Establishing clear principles of operation is key – creating a basis of expectations for both the business side and the tech side, and a system to resolve conflicts that arise.
IGA is integrated only by large organizations. In fact, it primarily applies to enterprises with over 2,500 users – though some organizations have 700 users.
There’s a good reason smaller organizations aren’t opting in: Substantial CapEx and OpEx are involved: in setting up a solution, hiring the necessary services, and maintaining the system. Because the cost is high, defining a roadmap “up front” is crucial – allowing an organization to assess the cost.
Careful definition also avoids a mismatch between an IGA solution and the enterprise’ business needs. It is typical for problems to arise, for example, when an enterprise approaches IGA as a technology project, rather than as a form of business transformation. Initial guidelines force consideration of all aspects of the process.
Looking to the future, Gartner’s latest 2017 Access Management Magic Quadrant points out some of the trends to consider when looking at vendors. For example, you may prefer a vendor who is building out cloud-delivered IGA and adding SaaS connectors for on-premise solutions – providing new options that enhance control in an era of growing proliferation of identities, resources, and data.
There are functional differences, and trade-offs between traditional, on-premise IGA and IGA delivered as a service. It’s important to know what you are getting with each option. IGA in the cloud and IGA hosted in the cloud, each has its advantages and disadvantages.
It is essential that IAM professionals gain the necessary understanding of the differences between the platforms, understanding what each solution can and cannot do – and convey the benefits of each solution to business leaders within the organization.
IGA of the future will place a greater focus on analytics capabilities. This is because solutions that apply analytics in establishing identity management policies offer on-demand visibility to identity audit reporting with comprehensive identity intelligence.
This capability grants Risk & Compliance officers complete visibility into what exists, the logic behind decisions, and how it works in real time.
User and Entity Behavior Analytics (UEBA) are being integrated by some vendors and are important in facilitating more intelligent, real-time response – evaluating user behavior, providing input to governance (such as when access is used), and spotting anomalous usage. This is exactly the kind of data that business users want to see. According to Gartner, enterprises are looking for IGA tools that integrate advanced analytics – that support risk analysis and fine-grained SoD (separation of duties) analysis, providing a more comprehensive level of insight.
Another growing trend in IGA relates to the fundamental question of user authorizations. Traditional approaches to authorization were focused on RBAC, as a means of limiting access to data only to those who need it.
But as organizations increase adoption of cloud-based technologies and security becomes complicated by the growth of BYOD, IoT, SaaS, IaaS, and mobile – and as features like analytics and UEBA are implemented – RBAC and ABAC are being replaced by PBAC, a more dynamic and fine-grained approach that provides greater control. (See our recent post about IT complexity, and its impact on IAM.)
PBAC changes the way policies are created and audited, utilizing context-based security policies to allow greater flexibility of definition. By implementing better policy management capabilities, enterprises can streamline administrative processes, saving time and money – by using connections among groupings of people with comparable entitlements and dramatically reducing the number of definitions required
The more fine-tuned IGA of the future depends on having this degree of automated control, access restriction, and security – helping enterprises manage identity and access life cycles across multiple systems within a complex IT landscape while leading to increased business productivity and lower ongoing expenses of user administration.
From a technical vantage point, IGA provides a unified management portal that offers delegated account management and provisioning while maximizing security – creating a smooth interface between IT and business priorities.
Development of an IGA solution successfully requires an investment of time, thought, and discussion, and the determination of precisely what is needed to create a solution that effectively facilitates the business transformation of an organization. Business leaders can take IGA to the next level with PBAC, giving them the required flexibility and comprehensive view they need to manage policies.