Strategies to Ensure Success for Your Identity and Access Management (IAM) Project

What is Identity and Access Governance (IAG)?

Gartner defines the combination of identity governance and administration as follows:

“Identity governance and administration (IGA) solutions manage identity and access life cycles across multiple systems. Core functionality includes automated provisioning of accounts among heterogeneous systems, fulfillment of access requests (including self-service), password management, governance over user access to target systems via workflows and automated policies, and access certification processes. Additional capabilities often included in IGA systems are risk scoring of a user’s combined entitlements, segregation of duties (SOD) enforcement, role management, role mining, audit case incident management, and analytics (historical change, performance, recommendations for entitlements or certifications, and so on).” [1]

In other words, while identity administration pertains to granting and maintaining access, governance is the process of ensuring that access is correct and auditable, and that it follows the rules, be they internal policies, best-practices frameworks or regulatory requirements.

Think of governance as ensuring that:

• the right people
• have the right access
• to the right stuff
• at the right time
• in the right way

and that all the right people know about it and agree that it is right. That’s a lot of “rights” — which may be why IAG projects often go so wrong.

[1] Felix Gaehtgens, Brian Iverson, Steve Krapes, “Magic Quadrant for Identity Governance and Administration,” Gartner Inc., January 12, 2015, https://www.gartner.com/doc/2960417/magic-quadrant-identity-governance-administration.

Why IAG is important

Organizations wouldn’t focus on governance if it weren’t important. But many question why they need an IAG program when identity administration is difficult enough.
Here are four main reasons for IAG, based on years of our interaction with real-world organizations like yours. This is a combination of reasons provided by potential customers and internal justification by security teams to get executive buy-off for an IAG expenditure.

Reason #1: Risk is everywhere

Everyone has a different mix of applications, a different set of user requirements and a different set of “crown jewels” that must be protected, but all require that protection. IAG ensures that the proper protections and controls are in place to remove as much risk as possible.

A common question is, “Aren’t we already protecting everything with passwords, role-based access control and all the rest?” The answer is, “Yes you are, but do you even know who can access what? How can you prove it?” Anyone who has attempted an enterprise-wide access recertification exercise knows how long it takes and how the information it yields can be inaccurate or incomplete.

If done properly, IAG places a unified umbrella of governance over all that difficult-to-quantify access, resulting in significant gains in efficiency, major improvements in security and an enhanced ability to satisfy compliance and audit demands.

Reason #2: Too many siloes

Siloed identity stores and their corresponding collections of identities, workflows, authorizations and policies hamper security and disrupt business operations. By approaching IAG on a point-by-point basis it becomes nearly impossible to quantify and manage risk for four reasons:

1. The very thing the organization is trying to govern — individual user access rights — stretches across disparate, unconnected systems with no auditable view of access rights and no automated, policy-based way to modify those rights.
2. There is no way for systems to verify user identities consistently through a unified identity store.
3. Conflicting identity attributes in siloed, unconnected systems result in disruption to business operations.
4. Different teams in IT use different tools and processes to perform roughly the same governance task in their domain but no other.