Enterprises are recognizing the importance of properly managing the lifecycle of identities, yet recognition alone is not the basis for solving identity governance challenges. Challenges have been amplified by numerous factors, such as adopting cloud services, meeting compliance requirements and enforcing security policy, while also supporting a mobile or remote workforce.
Perhaps the increased importance of identity governance can be attributed to how businesses have had to change to deal with the complications of functioning during a global pandemic, or perhaps due to the rise in cybercrime, including ransomware attacks. Regardless, knowing who can access what and establishing control and management over that access has become one of the most critical tenets of cybersecurity.
Defining IGA
Identity Governance and Administration (IGA) is able to do several valuable things simultaneously: reduce security risk, strengthen compliance and improve efficiency through automation of processes. IGA is a key enabler of digital transformation, allowing secure and efficient collaboration with partners or contractors. Therefore, implementing or upgrading to the latest IGA solutions has become a high priority for many organizations.
However, projects can be incredibly complex, and success is not guaranteed. Many are turning to full-featured, cloud-native IGA solutions to reduce risk and ensure rapid time to value.
With most users now outside the reach of perimeter-based security tools, an identity and access governance solution has become critical. That’s because identity is the last line of corporate data defense – and stolen employee accounts, the most common and most costly events, carry an average price tag of more than $4.7 million.
In this eWEEK Data Points article, Morten Boel Sigurdsson, founder and president of Omada North America, shares five key success factors to keep in mind when it comes to avoiding costly mistakes during an IGA upgrade.
Data Point No. 1: Get all stakeholders on board.
Underestimating the need to get these various stakeholders on board early in the project can lead to delays and poor adoption. So it’s important to involve all stakeholders (including the project or program sponsor) early in the project to secure their buy-in. This includes managers of teams, who need to make sure each team member has access to the right level of information at the right time. It includes the CISO and their IT security staff, who are responsible for the overall security of the IT infrastructure.
It’s also critical to get buy-in from the business application owners, who want to control access to the systems they manage; the internal auditors, who need a transparent access rights overview; and the compliance officers and intellectual property controllers, who need to ensure that access to business-critical systems is limited by the least privilege approach.
Build a communication plan to prepare the organization for changes they will experience when a new IGA system with standard processes is introduced. Communicate the project progress to relevant stakeholders on a regular basis. Communicating and aligning expectations within the organization creates awareness and reduces the resistance to change that exists in all organizations.
Data Point No. 2: Use proven best practices.
In the past, many consultants started with sketching processes on a blank whiteboard. Today, there are process frameworks that allow you to get best-practice processes served on a plate. For instance, how do you automate Identity Lifecycle Management? How should your organization perform approvals of access requests? How do you conduct access reviews in an optimized way, and how do you best implement cross-application segregation of duties (SoD)? How do you implement a least privilege, fine-grained, role-based access model?
Applying and actively using best practices is a huge accelerator that helps you to create value early and deliver strong ROI because you avoid having to reinvent the wheel when it comes to implementing optimized business processes.
Data Point No. 3: Apply a standardized fit-gap analysis.
During your project’s design phase, take on a fit-gap approach, which consists of four steps: The first is to map business priorities to best-practice identity processes. The second is to perform a fit-gap analysis to evaluate each functional area in a business project or business process to achieve a specific goal. This includes identifying key data or components that fit within the business system and gaps that need solutions.
Next, detect deviations from best practices and propose/document solutions. And finally, generate a business blueprint.
Data Point No. 4: Take advantage of SaaS.
According to Gartner, through 2021, customers using a cloud-architected IGA solution will save an average of 30% in initial integration costs and 40% in overall professional services over a three-year period; they also will accelerate time-to-value by an average of 25%.
When you choose the IGA SaaS, make sure you can “check the box” for the following items:
- Does the solution offer high availability (99.9%) of service, geo-redundancy and full access to operational insights?
- Can it be configured to your business needs with enough flexibility to provide the features you need within the standard product? It should, for instance, be possible to define and modify business processes and controls through configuration (which is different from customization) without the need for compilation.
- Does it support the deployment of passing configuration changes through a tiered deployment environment? To support ROI, it is important that your configuration changes can be transported in changesets between the environments, so you don’t have to re-enter the changes made and you know the environments are always consistent.
- Does it support automated updates, but with a flexible update window?
- Does it support easy hybrid connectivity, including a web-based experience to connect to your on-prem (and cloud) environment?
Data Point No. 5: Use a phased approach.
Use a phased project approach to deliver value fast to the business. You want to avoid a big-bang implementation. You do not want to start with a “decoupled role-mining project” that runs the risk of going on for a century while the world continues to evolve. Attempting to implement everything in the initial business case in the first phase, rather than identifying and delivering value early and often, can lead to unnecessary resource expenditure and poor adoption.
Here are some tips to avoid biting off more than you can chew:
- Adhere as closely as possible to the solution’s standard features and functionality, such as the account concept and best-practice survey flow.
- Avoid custom code and third-party libraries as much as possible to enable seamless upgrades to newer versions.
- Configure the standard solution to fit your business needs.
- Aim for smaller chunks of value to be delivered in your project in short phases. The order of the phases is important to accomplish the fastest time to value. With a modern IGA solution and the right phasing, you can go live within three months and demonstrate value to your stakeholders.
Here are the phases you should follow:
Phase 1 – Take Control: Get an overview of the situation in your most critical systems and remediate the discovered findings. Many are surprised when they see the result of this overview.
Phase 2 – Perform Recertification: Start building your desired state of access and automate the closed loop auditing circle further.
Phase 3 – Rinse and Repeat: Continue automating more, e.g., via role-based assignment policies.
If you have a suggestion for an eWEEK Data Points article, email cpreimesberger@eweek.com.