Building a successful Identity Governance & Administration (IGA) framework
Why do we need IGA?
Today every industry is going through massive digital transformation initiatives to provide faster, better and cheaper services to their customers. Significant progress in development technologies like API & microservices, agile hosting services like cloud and high-speed mobility solutions are propelling the adoption of digital initiatives around the world. It has become even more important to look at the security aspects of the applications with cloud and mobile enablement where the traditional perimeter is diminishing at a fast pace. Managing identities and their access to the applications with full granular visibility is extremely crucial for the security teams. It is indeed a complex task to manage provisioning & deprovisioning of accesses needs across employees, customers and partners for an enterprise. IGA or identity governance and administration solutions form the backbone of a solid security foundation in today’s agile organizations.
IGA Components & Market Forecast
It is important to understand what functions are expected out of an IGA solution. Access provisioning, deprovisioning, entitlements management, ensuring separation of duty, access reviews & certifications, identity lifecycle management, analytics & reporting are some of the common themes across the vendors playing in this segment. According to a recent report published by the research firm Marketsandmarkets.com, IGA market is projected to grow up to $7.7B by 2023. Clearly there is a focus and interest in this segment from the security industry driven by risk & compliance needs.
Focus areas of a successful IGA Implementation – is it a technology or business problem to solve?
Often organizations spend more time in selecting a technical feature rich product to implement IGA where as the success the of the program lies on the proper integration of technology with the business processes. If an organization does not have the right processes and governance in place at HR or Finance departments to identity and track an employee in its journey through the organization, technology solution alone will not be able to enforce a proper identity governance. There are organizations where voluntary or involuntarily terminated employees maintain access to the corporate system for extended duration of time, vendor partners retain system access after the closure of the contract. These loopholes in identity and access governance lead to security incidents and data breaches. The following are the focus areas for security teams to implement a solid identity governance program.
• Understand the business process
Understanding the interactions between HR, finance, administration departments during the lifecycle of an employee, customer or contractor is critical. One should focus on reviewing the processes, make changes if necessary to detect employment and contract statusor reflect change in the job or role immediately.
• Workflow & integration
IGA tools should be able to build workflow between different organizational functions and integrate with departmental information systems. For example, an organization may use Workday for HR and custom home-grown software for fiancé department, if the identity governance solution cannot build integration through the connectors between these application systems, it will not be a successful implementation.
• Analytics & automation
The solution should have good analytics and reporting capability to detect anomalies leading to improper or over permissive access, create security risk and compliance violations. Automation should be at the core of any IGA solution to make it agile in building integration with organizational business processes.
• Training & awareness
Everyone has a role in ensuring a proper identity and access governance in the organization. Adequate time and energy should be spent to build the awareness program and ensure people know their roles, available tools and responsibilities in completing timely access reviews and compliance certifications.
Disrupting Technologies in IGA Space
RPA or robotic process automation is going to disrupt the IGA industry as building connectors with discrete administrative systems in any organization will rely heavily on automation. We need to keep a tab on vendors investing on RPA technologies in their IGA tools. Artificial intelligence(AI) is another area that will take IGA to the next level. AI is the new way of life, it is disrupting every technical field and IGA will not be any exception. Futuristic IGA tools should be able to understand the business process and adapt with the needed change in automation scripts to make it agile in closing the governance needs. The shift from on-prem to cloud bases subscription services will be something to watch for to reduce the operating cost and increasing the agility of IGA solutions.