Strategies to Ensure Success for Your Identity and Access Management (IAM) Project
What is Identity and Access Governance (IAG)?
Gartner defines the combination of identity governance
and administration as follows:
“Identity governance and administration (IGA)
solutions manage identity and access life cycles
across multiple systems. Core functionality
includes automated provisioning of accounts
among heterogeneous systems, fulfillment of
access requests (including self-service), password
management, governance over user access to
target systems via workflows and automated
policies, and access certification processes.
Additional capabilities often included in IGA
systems are risk scoring of a user’s combined
entitlements, segregation of duties (SOD)
enforcement, role management, role mining,
audit case incident management, and analytics
(historical change, performance, recommendations
for entitlements or certifications, and so on).”¹
In other words, while identity administration pertains
to granting and maintaining access, governance is the
process of ensuring that access is correct and auditable,
and that it follows the rules, be they internal policies,
best-practices frameworks or regulatory requirements.
Think of governance as ensuring that:
• the right people
• have the right access
• to the right stuff
• at the right time
• in the right way
and that all the right people know about it and agree that
it is right.
That’s a lot of “rights” — which may be why IAG projects
often go so wrong.
¹ Felix Gaehtgens, Brian Iverson, Steve Krapes, “Magic Quadrant for Identity Governance and Administration,” Gartner Inc., January 12, 2015,
https://www.gartner.com/doc/2960417/magic-quadrant-identity-governance-administration.
Why IAG is important
Organizations wouldn’t focus on governance if it weren’t
important, but many question why they need an IAG
program when identity administration is difficult enough.
Here are four main reasons for IAG, based on years of
our interaction with real-world organizations like yours.
This is a combination of reasons provided by potential
customers and internal justification by security teams to
get executive buy-off for an IAG expenditure.
Reason #1: Risk is everywhere
Everyone has a different mix of applications, a different
set of user requirements and a different set of “crown
jewels” that must be protected, but all require that
protection. IAG ensures that the proper protections and
controls are in place to remove as much risk as possible.
A common question is, “Aren’t we already protecting
everything with passwords, role-based access control
and all the rest?” The answer is, “Yes you are, but do you
even know who can access what? How can you prove it?”
Anyone who has attempted an enterprise-wide access
recertification exercise knows how long it takes and how
the information it yields can be inaccurate or incomplete.
If done properly, IAG places a unified umbrella of
governance over all that difficult-to-quantify access,
resulting in significant gains in efficiency, major
improvements in security and an enhanced ability to
satisfy compliance and audit demands.
Reason #2: Too many siloes
Siloed identity stores and their corresponding collections
of identities, workflows, authorizations and policies hamper
security and disrupt business operations. By approaching
IAG on a point-by-point basis it becomes nearly impossible
to quantify and manage risk for four reasons:
1. The very thing the organization is trying to govern
— individual user access rights — stretches across
disparate, unconnected systems with no auditable
view of access rights and no automated, policy-based
way to modify those rights.
2. There is no way for systems to verify user identities
consistently through a unified identity store.
3. Conflicting identity attributes in siloed, unconnected
systems result in disruption to business operations.
4. Different teams in IT use different tools and
processes to perform roughly the same governance
task in their domain but no other.