Digital identities are at the heart of digital transformation, information security and privacy. Therefore, if organisations have not done so already, no time should be wasted in reviewing their identity governance and administration (IGA) capability, which is at the heart of identity and access management (IAM).
While most organisations understand the importance of IGA, business cases for new IGA projects may be difficult to make because of past project failures and the resultant reticence of the business to invest further.
However, by outlining the business benefits and drawing up a plan to avoid and/or mitigate the risks of failure, security professionals are more likely to get new IGA projects approved.


IGA is a key element of any organisation’s IAM architecture, covering identity lifecycle management and access governance. IGA is essentially the ability to reduce the risk that comes with excessive or unnecessary user access to applications, systems and data.
This is achieved by enabling policy-based centralised orchestration of user identity management and access control, and by working with other IAM processes to automate workflows and meet compliance requirements.
Business drivers for improving IGA capabilities include improved competitive advantage, easier partnering and reduced costs. Effective IGA is key to improved IAM, which enables businesses to deliver better services tailored to customer requirements.
A lack of IGA capabilities can expose an organisation to security and compliance risks due to inefficient administration of identities and access entitlements, poor role management and inadequate auditing and reporting, resulting in: identity theft; unapproved/unauthorised change; access/entitlement creep; and separation of duties (SoD) conflicts.
A high proportion of cyber attacks exploit stolen credentials, and there are growing regulatory requirements to limit access to sensitive information to an absolute minimum and provide audit logs of all user activity. Therefore, there is an undeniable need for organisations of all sizes in all industry sectors to have effective IGA controls.
Because IGA projects are prone to several common risks and pitfalls that can lead to failure, it is important to identify these risks at the outset. This enables the business to make risk-based decisions to address them before embarking on individual projects and thereby avoid failure.
These risks and pitfalls may be grouped in five key areas:
The success of any IGA project requires the support and agreement of all stakeholders.
To ensure this support, it is essential to:
It is important to ensure that the business understands that the benefits of IGA are not confined to meeting regulatory and audit requirements, but also:


Because IGA projects typically span an entire organisation and involve both technical and business teams, failure to ensure that policies and processes are accurately and consistently defined, that roles are understood, and that rules are correctly formed and related back to the business could easily result in failure.
To avoid these and other organisational pitfalls:
Complexity is the enemy of success in most projects, and this is particularly true of IGA projects, which typically involve a wide range of stakeholders across the business and increasingly involve a wide range of identity types.
In addition to standard employees, IGA capabilities need to include identities of contractors, partners, consumers, customers and even non-human identities of devices and processes. This is essential to digital transformation and to the competitive advantage of every company.
New IGA projects, therefore, should seek to implement consistent, logical architectures that allow access for everyone using every kind of app and device to every service from everywhere. They should also enable access policies to be defined centrally and then applied across all control points (on-premise and in the cloud), so that access governance is automated and consistent across the enterprise.
Organisations looking to the future of identity management should consider re-defining access governance by adopting a perspective that is beyond static entitlements in systems, applications and services to include the governance of all types of access.
This broader definition will ensure that policy-based governance is applied to identity, data and enterprise risk management, including IT risk management and access risk management.
Through the implementation phase it is important to:
Complex projects that do not follow a single strategy set by the business are typically difficult to control and tend to be prone to delays and failure.
During the planning phase of any IGA project, it is important to:
Choosing the right IGA product is extremely important. Choosing the wrong product or trying to get value from existing failed products can lead to project failure. It is also inadvisable to allow IGA and other projects to be driven by system integrators (SIs) or suppliers because IGA stakeholders in an organisation understand their organisation and its needs best.
They should work closely with SIs and suppliers to identify which IGA product/s best match all the current and future requirements of the business. Start with the business requirements and then identify which IGA products support that. Do not start with a product.
When choosing technology for an IGA project, organisations should:
When making technology choices, it is also important to ensure that any IGA programme:
Using and orchestrating services from the cloud will simplify the journey to a future-proof IT security infrastructure and IAM, including IGA. Therefore, IGA projects should define and implement an integrated approach on security, where IAM and IGA work seamlessly with other services such as CASBs, threat intelligence, and enterprise mobility management (EMM) to address security needs.
A cloud-based approach is also key to implementing consistent, logical architectures that allow access for everyone from anywhere using every kind of app and device to every service.
For most businesses, this will mean making changes to their IT architecture to become more agile and flexible by separating identity and applications, and providing the back-end systems required to make all the necessary connections using application programming interfaces (APIs) that bridge services, microservices and containers in the cloud and on-premise.
These changes will result in a converged digital identity back end or “identity fabric” that can deliver as a utility all the identity services (including security and privacy) required by the growing number of new digital services enabled by digital transformation that will actively consume identity services.
By setting up an identity fabric, organisations are more likely to meet the demands of digital transformation initiatives quickly, while at the same time enabling a gradual migration of legacy identity management systems to the new identity-as-a-service paradigm.

All Rights Reserved, Copyright 2000 – 2020, TechTarget
