August 15, 2017 By Johnny K. Shin 4 min read

This is Part 1 of a three-part series on identity governance and administration. Be sure to read Part 2 and Part 3 for the whole story.

We’ve witnessed almost a decade of identity governance and administration (IAG) disasters. In my experience implementing identity and access management (IAM) solutions for Fortune 100 companies around the world, I’ve seen my fair share of challenges. I’ve been called in to help fix problems related to too many manual processes, user complaints and high maintenance costs, just to name a few. History keeps repeating itself, so why are companies still struggling to solve these problems?

Three Common Identity Governance and Administration Struggles

Organizations that fail to prioritize IGA as an integral part of the business risk being caught in an endless cycle of inefficient, technology-driven processes. Over the years, I’ve identified three common distractions that cause companies to struggle to address their IGA challenges.

Join the webinar: Climb the Mountain to a Successful Identity Governance and Administration Program

1. Too Much Focus on Fixing Short-Term Problems

These companies often deploy a mixture of commercial and custom point solutions to quickly patch up audit issues or put out other fires. Since they don’t have strategies or standards, they just build and buy whatever seems right at the time.

For example, one large financial services company I worked with had three different vendor solutions for IGA. One solution handled access request, approval workflow and some back-end provisioning services, while another took care of access recertification and the third addressed role engineering. There were also several other point solutions for handling integrations. This made the environment very complex and resulted in high operational costs.

Recognizing the redundancies in the vendor solutions, I worked with this client to first document the existing processes related to identity governance. Next, I overlaid the technology capabilities to streamline the processes, including the technology comparison across the IGA products. I provided recommendations on how to consolidate and migrate the three solutions into one in the most effective manner. This resulted in significant savings in the licensing and operational costs, and significant improvement to the user experience.

2. Insufficient Focus on the Business Case

These companies never seem to find the time or budget to fix anything, so they live with painful and inconsistent manual processes. As a result, most of their temporary solutions become permanent strategies, and their actual costs are almost certainly higher than they would be with a proper IGA solution.

This situation requires a clear business case for the time and budget needed to upgrade the IGA program. I typically draw a comparison between the company’s manual or incomplete solutions to the benefits of a full IGA transformation. Again, I start by defining the existing processes, then outlining the new processes and highlighting expected savings. With clear descriptions of the business case, executives usually see the difference quickly and gather proper funding for the transformation.

It’s also important to show new and different approaches to transformation. With the latest solutions in cloud and as-a-service models, IGA can be transformed much more quickly and cost effectively.

3. Technology-Driven Solutions

IGA is all about business processes. Technology is there to support the business processes, enable efficiencies and improve the user experience. In many companies, however, this implementation is the sole responsibility of the IT team. This results in building a technology-focused solution rather than addressing the business challenges. Other areas of the business don’t typically get involved until the solution is rolled out, but by then it’s often too late.

For example, I was brought on to fix an IGA program for a company that had already spent over $2 million. The company had a technology integrator implementing an IGA product for access recertification, but ended up bringing in only the technical definition of the accesses (e.g., “[email protected] from a UNIX server”), when the company needed something more descriptive in plain English (e.g., “Support Group Permission, providing first-level maintenance access on UNIX servers located in the U.S. region”). The business basically rejected the solution and the project stakeholders had to switch directions very late in the game.

To help fix the problem, I quickly involved the business from the start. These departments became the main drivers and solution owners while IT supported the business needs. As a result, the solution was finally accepted and used across the enterprise. Over the years, we have seen consistent improvement of the user experience and adoption of new applications into the IGA environment.

Avoiding IGA Pitfalls

Imagine you are setting out for an overnight hike on your favorite mountain. You wouldn’t just start walking one morning with no map, no backpack and no supplies. If you aren’t an experienced hiker, you wouldn’t set out without a guide, either. Building an effective IGA program for your business is no different. You need to prepare and lay out a clear itinerary for your expedition by taking the following steps.

1. Build a Long-Term Strategy

Ensure that your IGA strategy is in lockstep with your business goals. Start with the process definition of how your future state should look rather than focusing on the technology. Start by defining the existing process for handling IGA. For example, draw the end-to-end steps for joiner process in a swim lane diagram. Then, analyze the process to define gaps, bottlenecks and other issues. This will provide insight into the root cause.

2. Build a Business Case With All Stakeholders

Define projects with clear objectives and value for the business. Using the processes defined during the strategy, convert the steps into time duration and compute the level of effort required for each process. This will give you a clear idea of time and budget requirements to achieve your results. Make the case for your request by providing the comparison to the new process, and the associated time and monetary savings.

3. Focus IGA Solutions From the Business User Perspective

We advise clients to play out the scenarios with both IT and business stakeholders when defining the to-be processes. One method is called the design thinking approach, whereby a specialist leads workshops to gather detailed requirements on user experience and process flows. The key to deploying a truly business-oriented IGA solution is to keep all stakeholders working together.

A Step in the Right Direction

IGA services can help companies develop a direction, conceptual architecture and detailed adoption road map. By prioritizing IGA integrations, these organizations can improve the overall user experience, streamline technology-focused processes to better serve the business and migrate their IAM programs to the next maturity level.

View our infographic to learn how identity governance and administration services can help your business chart its IGA adoption road map and avoid disaster.

Join the webinar: Climb the Mountain to a Successful Identity Governance and Administration Program

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today