Identity governance and administration (IGA) is a strategic component of identity and access management (IAM). It is designed to help manage digital identities and entitlements across multiple systems and applications. IGA tools are paramount to achieving compliance, as they help ensure that only the right people get access to the right applications and data at the right times and for the right reasons.
To accomplish this, IGA tools aggregate and correlate disparate identity and entitlement data that is distributed throughout the IT landscape to enhance control over user access. IGA solutions should provide several basic functions: identity life cycle, entitlement management, access requests, workflow, policy and role management, access certification, fulfillment, auditing, identity analytics, and reporting. At its core, IGA helps support enterprise IT security and regulatory compliance by informing on who has access, what they have access to, and why they have that access.
Gartner’s new assessment of the IGA market, the “2019 Gartner Magic Quadrant for Identity Governance and Administration,” provided an expert update on this mature market and the client trends impacting it. The report examined the increased client demand for cloud-delivered solutions as well as “cleanup” identity analytics. For the fifth consecutive year, IBM was named a Leader in the Gartner Magic Quadrant for IGA.
Saving With Cloud Architected IGA Solutions
Gartner predicted: “Through 2021, customers using a cloud architected IGA solution will save an average of 30 percent in initial integration costs and 40 percent in overall professional services over a three-year period and accelerate time to value by an average of 25 percent.” Enterprises are looking to manage applications from the cloud for identity life cycle and access requests. These functions from the cloud provide scalability, speed and cost savings.
Organizations can simply scale up and scale down their cloud resources based on short-term usage requirements. Cloud provisioning also allows you to pay for only what you consume. In addition, an organization’s developers can quickly spin up an array of workloads on demand, taking away the need for an IT administrator who provisions and manages computing resources.
Prioritizing Identity Analytics to Uncover Access Risks
Identity governance and administration has evolved over the years from simple provisioning use cases to more proactive, risk-aware governance. This is due in large part to the major influx in the number of identities within an organization and what those identities encompass — i.e., going beyond just employees to include partners, vendors, customers, internet of things (IoT) devices and robotic process automation (RPA) bots. With the increase of users, entitlements and applications to manage across the IAM environment, it’s becoming more and more critical to integrate identity analytics into your security posture to provide a holistic view of risk.
Identity analytics provide a way to evaluate risk based on identity information insights; apply techniques to clean up excessive, outlier or wrongful entitlements; and enhance the continuous process of identity governance, including risk reporting. Role mining and engineering was one of the first examples for analytics. Identity analytics has evolved to enable smarter micro-certification campaigns, contextualized access requests and approvals, and enhanced policy violation detection, among other use cases.
According to Gartner, “Through 2022, identity governance and administration implementations that start with cleanup analytics will show twice the ROI as ones that don’t.” Cleanup analytics, such as decision support and “help me decide” functionality, provide quick insights to support informed access and certification decisions and prevent simply approving everything. This can take the form of providing risk scores alongside evaluations that can invoke confidence in a decision to suspend, recertify or revoke. This is especially useful when scaled up, since many organizations grow and are unable to keep up with the number of users and applications. This additional support will prevent the risk that comes with group certifications and can alert you to anomalous activity.
The Importance of Business Activity-Based Policy Modeling for SOD
A key function within IGA solutions is entitlement management, or the ability to administer, revoke or change fine-grained access entitlements to users. Security teams must determine whether each entitlement is in conflict, toxic or nontoxic to another entitlement. This is where separation of duties (SoD) comes into play, a concept of internal security whereby conflicting application permissions are distributed among multiple people so you don’t give a single individual complete control of a process through application permissions. What’s needed for effective SoD is a complete, enterprisewide view of fine-grained access privileges and entitlements to determine what actions a user can perform within a given application.
IGA solutions should use business activities for SoD management to help make access more understandable. This approach also provides visibility for managers in terms of who users are, their assigned access and permissions, and what that access means in terms of business activities. The ability to translate technical IT jargon into business-relevant context is absolutely critical to better, more informed decision-making when it comes to access. This approach makes it easy for business users to understand application permissions and entitlements and quickly and effectively demonstrate compliance for audits.
IBM Named a Leader in Identity Governance and Administration
On the heels of being named a Leader in the “Magic Quadrant for Access Management,” IBM was also named a Leader in the “2019 Gartner Magic Quadrant for Identity Governance and Administration” for its ability to execute and completeness of vision. IBM’s integrated portfolio for identity governance evaluated in this year’s report includes a full featured, on-premises solution, a multitenant software-as-a-service (SaaS)-delivered IAM solution with light IGA capabilities for hybrid deployment, and an identity analytics beta product.
We believe these offerings allow our clients to consume a full breadth of IGA capabilities on their journey to the cloud, including the ability to leverage strong hybrid use cases and integrate risk awareness in ever-growing IGA security environments.
Gartner, Magic Quadrant for Identity Governance and Administration, Felix Gaehtgens, Kevin Kampman, Abhyuday Data, Henrique Teixeira, David Collinson, 9 October 2019.
Gartner, Magic Quadrant for Access Management, Michael Kelley, Abhyuday Data, Henrique Teixeira, 12 August 2019.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Product Marketing Manager, IBM
Katherine Cola is a contributor for SecurityIntelligence.