The complexities of Identity Governance and Administration (IGA) and the high cost of failure can lead to neglect of a key requirement: IGA must balance security and risk management against enabling employees to do their jobs.
We highlight three ways that organizations can lose sight of the big picture and, ironically, end up with an IGA that subverts the business operations it was intended to protect.
#1 - Managing exponential growth of access inputs overwhelms IT.
Workforce changes, new threats, and new IT systems drive an increasingly complex IGA environment. Without visibility into how the many pieces fit together, it’s much harder to translate a platform workflow into reasonably straightforward business processes. IGA leaders need to continually increase coverage as new systems and new people come online. As the enterprise grows organically or through acquisitions, every new asset and application must be incorporated into policies, programs, and technologies.
The dramatic increase in employees needing remote access during the COVID-19 pandemic exacerbated an existing IT coverage gap. The hybrid workforce needs to access systems at any time, from anywhere, and from any device. Offsite employees naturally become attractive targets, leaving organizations with older protections exposed.
Continual growth of application inputs and outputs leaves organizations with no opportunity to strategically arrange them into workflows that are effective for the business. IT departments have difficulty prioritizing and sorting input traffic jams. Customizations increase complexity and make it harder to capture and implement best practices. All this added workload can crush IT administrators. Administrative and procedural friction leads to an inordinate number of requests and approvals for users to get the access they need.
Are you forcing your users to engage with entitlements that are far too granular? Are you stacking too many levels into your approval workflows?
#2 - Focusing solely on audit defenses stifles productivity.
Audits and regulatory compliance requirements lead many organizations to run audit-driven IAM programs without consideration of the business context. Fear of audit failures is a common distraction for IGA leaders. Audit and regulatory risks seem to scare some organizations even more than access risks and data breaches. IAM processes should not merely appease the auditor, but instead balance access risk with business risk.
The stakes of restrictive access management are even higher when personal data is involved. That is why stringent regulations such as in the healthcare and financial services sectors often command the direction of IGA. This focus on security and audits can lead teams to a point where risk is indeed minimized, but at what cost? Achieving compliance is of little value if it stifles productivity and blocks business objectives.
How many of your departments are involved in access certification? Fearing a deprovisioning process that lags after offboarding should be complete is valid, but does your provisioning process delay onboarding or prevent access for employees who need it?
#3 - Forcing an IT-centric user experience creates opaque and onerous workflows.
While IT leaders consider IAM tools as a series of inputs and outputs, that approach can miss the context and connectivity between disparate systems. Transparency and smooth business operations are often casualties of IT-centric process flows.
The bulk of modern IAM process models was built for IT by IT. Onerous reporting, dashboards that are not actionable, and metrics that obscure proper context end up hindering rather than improving business processes. Recent IAM user interfaces are more attractively designed, but that does not counteract the non-intuitive IT-centric user experience. A more holistic view of IAM as a component of the greater business operations is needed to achieve lower IT helpdesk costs, higher productivity, and better business outcomes.
Are you using form-driven access requests? How much of your IT environment do you expect your business users to understand? Is your access environment sufficiently commoditized, offering business-friendly abstractions that map into the IT structures that control user access?
A new approach: Post-modern IGA
Meeting IGA requirements seems like a complex and costly endeavor with a never-ending chase to expand coverage as people and IT systems come and go. It’s not surprising that supporting business goals falls down the list of high priorities.
An innovative post-modern IGA approach to this struggle charts a path to immediate and continuous progress. Finding solutions that add to current strategies and solutions allows you to ratchet up coverage where it counts most without losing ground where you’ve already had success.
A post-modern IGA approach bypasses many of the challenges of legacy systems and of high-cost, high-risk replacements and is architected to grow and flex in today’s dynamic marketplace. This new approach yields the immediate benefits of adding coverage and reducing overhead in as few as five weeks. To learn more, read our whitepaper: How Post-Modern IGA Transforms Problematic Deployments into Breakthrough Outcomes.