Seems like a strange question for a hardened and pragmatic cybersecurity practice, right? But it’s actually quite necessary to the ongoing and rapid evolution of Identity Access Management (IAM). We are at the forefront of an IAM revolution. IAM has always striven for better automation and the possibility that machines could make more informed decisions due to the necessity, ubiquity, and potentially overwhelming nature of the IAM presence in an organization. This can quickly become a “whack-a-mole” exercise as humans manually review and make decisions that can have rippling effects within their infrastructure.
Artificial Intelligence (AI), previously the stuff of science fiction, with a rote implementation that has yet to fulfill the prophecy of Isaac Asimov, is now seeing arguably great strides with the fervor over facets like ChatGPT and its growing list of possibilities. But still, automation, machine learning, and even AI must be curated. Nowhere is this more true and intense than in cybersecurity. At some point, and typically at many points, a human must review, ensure, check, double-check, talk to other humans to validate, and then perform the whole process over again at various points in the life cycle. We always try to lessen this need, but it never fully goes away.
The real challenge, though, is perception: the blurry ideals and expectations that inherently exist in human nature and understanding. And it’s not the fault of humans, much like the shortcomings of AI are not its fault. Information output is only as good as information input. You don’t know what you don’t know. For humans, erroneous and/or incomplete information creates extraneous cognitive load, doubt, and ultimately anxiety. That’s a recipe for disaster in an IAM environment. So how do we solve it in the now and not wait upon the robot dreams of some future state?
Identity Governance and Administration (IGA) leaders know that implementing IAM solutions comes with unique challenges:
As Identity Governance and Administration (IGA) leaders strive to keep up with a changing workforce and new IT systems, innovative Identity and Access Management (IAM) solutions offer a faster path to increasing coverage. The post-modern IGA approach encourages collaboration between internal business stakeholders as well as multiple external IAM vendors. Instead of playing a zero-sum game where IAM platform providers are gunning for one contract, post-modern IGA takes a more holistic view, surfacing persistent IAM challenges and accommodating emergent solutions from both existing and new vendors.
The complexities of Identity Governance Administration (IGA) and the high cost of failure can lead to neglect of a key requirement: IGA must balance security and risk management against enabling employees to do their jobs.
We highlight three ways that organizations can lose sight of the big picture and, ironically, end up with an IGA that subverts the business operations it was intended to protect.
#1 - Managing exponential growth of access inputs overwhelms IT.
Workforce changes, new threats, and new IT systems drive an increasingly complex IGA environment. Without visibility into how the many pieces fit together, it’s much harder to translate a platform workflow into reasonably straightforward business processes. IGA leaders need to continually increase coverage as new systems and new people come online. As the enterprise grows organically or through acquisitions, every new asset and application must be incorporated into policies, programs, and technologies.
The dramatic increase in employees needing remote access during the COVID-19 pandemic exacerbated an existing IT coverage gap. The hybrid workforce needs to access systems at any time, from anywhere, and from any device. Offsite employees naturally become attractive targets, leaving organizations with older protections exposed.
Continual growth of application inputs and outputs leaves organizations with no opportunity to strategically arrange them into workflows that are effective for the business. IT departments have difficulty prioritizing and sorting input traffic jams. Customizations increase complexity and make it harder to capture and implement best practices. All this added workload can crush IT administrators. Administrative and procedural friction leads to an inordinate number of requests and approvals for users to get the access they need.
Are you forcing your users to engage with entitlements that are far too granular? Are you stacking too many levels into your approval workflows?
#2 - Focusing solely on audit defenses stifles productivity.
Audits and regulatory compliance requirements lead many organizations to run audit-driven IAM programs without consideration of the business context. Fear of audit failures is a common distraction for IGA leaders. Audit and regulatory risks seem to scare some organizations even more than access risks and data breaches. IAM processes should not merely appease the auditor, but instead balance access risk with business risk.
The stakes of restrictive access management are even higher when personal data is involved. That is why stringent regulations such as in the healthcare and financial services sectors often command the direction of IGA. This focus on security and audits can lead teams to a point where risk is indeed minimized, but at what cost? Achieving compliance is of little value if it stifles productivity and blocks business objectives.
How many of your departments are involved in access certification? It's a valid fear when your deprovisioning process lags after offboarding should be complete, but does your provisioning process delay onboarding or prevent access for employees who need it?
#3 - Forcing an IT-centric user experience creates opaque and onerous workflows.
While IT leaders consider IAM tools as a series of inputs and outputs, that approach can miss the context and connectivity between disparate systems. Transparency and smooth business operations are often casualties of IT-centric process flows.
The bulk of modern IAM process models was built for IT by IT. Onerous reporting, dashboards that are not actionable, and metrics that obscure proper context end up hindering rather than improving business processes. Recent IAM user interfaces are more attractively designed, but that does not counteract the non-intuitive IT-centric user experience. A more holistic view of IAM as a component of the greater business operations is needed to achieve lower IT helpdesk costs, higher productivity, and better business outcomes.
Are you using form-driven access requests? How much of your IT environment do you expect your business users to understand? Is your access environment sufficiently commoditized, offering business-friendly abstractions that map into the IT structures that control user access?
A new approach: Post-modern IGA
Meeting IGA requirements seems like a complex and costly endeavor with a never-ending chase to expand coverage as people and IT systems come and go. It’s not surprising that supporting business goals falls down the list of high priorities.
An innovative post-modern IGA approach to this struggle charts a path to immediate and continuous progress. Finding solutions that add to current strategies and solutions allows you to ratchet up coverage where it counts most without losing ground where you’ve already had success.
A post-modern IGA approach bypasses many of the challenges of legacy systems and of high-cost, high-risk replacements and is architected to grow and flex in today’s dynamic marketplace. This new approach yields the immediate benefits of adding coverage and reducing overhead in as few as five weeks. To learn more, read our whitepaper: How Post-Modern IGA Transforms Problematic Deployments into Breakthrough Outcomes.
• Ask These Questions Before Deploying Remote Access Technology (April 2020):
Gone are the days when the castle wall perimeter approach could protect your corporate network. The distributed nature of modern enterprise systems and the lack of an obvious physical boundary call for a better solution – where identity is the new gatekeeper.
Identity governance solutions help businesses efficiently manage user access to applications and other network resources over the lifecycle of each user identity. Granting access and maintaining visibility over that access and ensuring compliance with internal and external policies is a full-time job. Too much reliance on manual identity governance is expensive, inefficient, and risky.
Hi, I'm Brian Iverson, Tuebora's new Chief Product Officer. I'm excited to be working with Tuebora and our customers to advance the practice of identity governance and administration (IGA) in the marketplace. This is a passion project for me and there isn't anything I would rather be doing right now.
Although I have evaluated Tuebora's products over the years, first as a Gartner analyst and then as a potential customer, there is so much more for me to learn about Tuebora. Before I can be confident enough to jump in and add or change items on our products' roadmaps, I will be working with my colleagues and talking with customers to gain a deeper understanding of Tuebora's products. I can't wait to meet everyone in and around the world of Tuebora. I'm confident that we will do great things together.
I'm excited about the opportunity to use Tuebora's blog to communicate with the community not only about Tuebora's products, but also to talk about general IAM topics. Over the years I have accumulated a wide-ranging philosophy around IAM, only a small part of which was revealed in my published research and conference presentations while I was at Gartner. Having this blog as an outlet will give me an opportunity to "stretch my legs" and explore a variety of IAM-related topics.
(Register for my first Tuebora Webinar on the topic of Building Intuitive Identity Governance which will occur on September 14th at 11 am CT)
Readers should expect to see me pop up here on the blog at least once a week. Although some of my posts will be overtly marketing-oriented (I am responsible for product management after all), you can expect the majority of my content to be focused on IAM technology and practices that should be applicable to most IAM practitioners, customers and non-customers alike. I’ll also be doing a few webinars about what I’ve seen and experienced during my five years as a Gartner analyst specializing in identity and access management and as former VP of IAM Strategy for Bank of America. The first webinar will be Building Intuitive Identity Governance. Just click the link if you’d like to get more information and register.
Feel free to reach out to me (e-mail link is above) if you would like me to consider a specific topic or question in a future blog post.
As with many other business strategies and solutions, it’s useful to track metrics and get tangible performance measurements. Without metrics, decision-making is slower and you lack proper visibility into the security hazards associated with digital identities. Here are five useful IAM metrics to help monitor the implementation of an IAM system.
Whether to deliver a better customer experience or to improve productivity, digital transformation integrates technology into all areas of the business to help achieve these types of goals. This article describes how a dedicated, modern IAM solution empowers a successful digital transformation strategy.