Tuebora Blog

Communicate Your IAM Intent Directly to Your Applications

So you thought IAG was meant only for large companies that have thousands of employees and hundreds of applications? And that IAG should primarily be used for mandated compliance? Not really. At the heart of governance is a very simple principle: ensuring that there is a continuous and optimally matched set of identities and resources within the organization. Either too much or too little access to resources can result in losses to a business. Too much access can lead to fraud or misuse, while too little access can lead to under-utilized resources or missed SLAs.

So why should governance be relevant only to large companies? Should an SMB (or even a department such as finance in a larger organization) not be equally concerned, and in fact more so, about how its primary resources are being used, or more importantly misused?

IAG has been marketed and sold to enterprise customers primarily because it was initially driven by compliance. Heavily regulated industries like BFSI were the early adopters, and so were publicly listed companies. The ROI was very evident (avoiding costly penalties), hence the adoption of the earlier solutions by larger enterprises. But if you accept the defining principle above, every company should benefit from IAG in some form.

To illustrate the point, let me give an example of an IAG pilot done at a medium-sized business with operations in 3 countries. Google Apps (Google Docs used to share content with customers/partners) and an online content management system, among other applications, formed the core of their business applications. Doing an Access Audit, the most basic of IAG functions, revealed that:

  • 5 ex-employees continued to have active accounts in Google Apps
  • 2 out of the 5 ex-employees actually logged into Google Apps after their termination date
  • 8 employees had Administrator rights in Google Apps

Needless to say, the company exposed itself to potentially critical damage through the unauthorized access and through granting more privileges than needed to some employees. So how could this or similar SMBs reduce such risks? These are companies that do not have any significant IT infrastructure, formal IT team, or internal network security; application business owners typically do the provisioning, and most of the applications are in the cloud. To begin with, even periodic audits such as the one done in the pilot would have helped. Formal certifications may not be much use for these companies, as there is no external compliance requirement. However, a simple Joiner/Leaver governance control would have ensured that terminated employees' access was flagged and automatic or manual action taken.
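As an added illustration of the access audit and Leaver control described above (example code written for this post, not from Tuebora or the pilot): a reconciliation of an HR roster against an application's account export that surfaces the three classes of finding the pilot reported, plus accounts with no matching identity. All roster and account data below is constructed.

```python
from datetime import date

# Constructed HR roster: termination date is None for current employees.
HR_ROSTER = {
    "alice": {"terminated": None},
    "bob":   {"terminated": date(2023, 3, 31)},
    "carol": {"terminated": date(2023, 5, 15)},
    "dave":  {"terminated": None},
}

# Constructed account export from an application admin console.
APP_ACCOUNTS = [
    {"user": "alice", "active": True,  "admin": True,  "last_login": date(2023, 6, 1)},
    {"user": "bob",   "active": True,  "admin": False, "last_login": date(2023, 4, 2)},
    {"user": "carol", "active": True,  "admin": True,  "last_login": date(2023, 5, 1)},
    {"user": "dave",  "active": True,  "admin": True,  "last_login": date(2023, 6, 3)},
    {"user": "erin",  "active": False, "admin": False, "last_login": None},
]


def audit_access(roster, accounts):
    """Reconcile application accounts against HR and return findings by class."""
    findings = {
        "orphan_active": [],             # leavers whose account is still enabled
        "login_after_termination": [],   # leavers who signed in after leaving
        "admins": [],                    # enabled accounts holding admin rights
        "unknown_identity": [],          # accounts with no HR record at all
    }
    for acct in accounts:
        record = roster.get(acct["user"])
        if record is None:
            findings["unknown_identity"].append(acct["user"])
            continue
        term = record["terminated"]
        if term and acct["active"]:
            findings["orphan_active"].append(acct["user"])
        if term and acct["last_login"] and acct["last_login"] > term:
            findings["login_after_termination"].append(acct["user"])
        if acct["active"] and acct["admin"]:
            findings["admins"].append(acct["user"])
    return findings


def leaver_actions(findings):
    """Leaver control: one disable action per orphaned account, for automatic or manual handling."""
    return [{"action": "disable", "user": u} for u in findings["orphan_active"]]


if __name__ == "__main__":
    result = audit_access(HR_ROSTER, APP_ACCOUNTS)
    for cls, users in result.items():
        print(f"{cls}: {users}")
    print("leaver actions:", leaver_actions(result))
```

Run against a real roster and export, the admin list is the starting point for a least-privilege review, and the disable actions are what a Joiner/Leaver control would raise as tickets or apply directly.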

So SMBs can definitely benefit from IAG. The key is for the solutions to be available at a scale, cost, and deployment model that makes sense for these companies.
