July 31, 2017 By Jas Johal 3 min read

When was the last time you heard an identity governance and administration (IGA) success story? If you’re thinking “not in my organization,” you’re in good company. IGA projects have a reputation for being hard to complete, drawn out and costly. But why are they so difficult to get right?

Measuring the Business Value of IGA

Part of the issue is that IGA projects are not differentiated from other identity and access management (IAM) efforts. IAM technologies are implemented to support one or more business process improvements or compliance initiatives. Mature IAM technologies provide solid support to organizations that need the fundamentals to integrate traditional and new applications. As such, they are predominantly infrastructure technologies.

IGA is different. Many enterprises expect IGA to deliver business value, but they are finding that it is difficult to get right primarily due to a mismatch between the IAM program road map and business priorities.

Three Tips for Identity Governance Success

The problem usually begins when a business approaches IGA as a technology project when it’s really a business transformation program. When such an approach is taken, more problems usually follow, such as:

  • Failure to deliver value early and on an ongoing basis. This undermines the trust in the effectiveness of the IGA program and can cause stakeholders to divert budget and eliminate resources for the completion of these efforts.
  • Automating already broken processes. This bandage solution often fails to eliminate manual interventions and results in hard-to-understand customization.
  • Mismatch between the IGA road map and business needs. This leads to poor adoption of the technology by the lines of business, and may jeopardize future program funding and progress.

The business benefits of IGA adoption are indirect and not immediately visible to the organization. This is a key reason why companies often lose their will for business participation, which is key for IGA project success. As a result, many organizations today are asking security professionals the question: How do we regularly demonstrate business impact and value from IGA?

Here are our recommendations, starting with a three-step deployment planning model:

1. Understand the Business Requirements for IGA Strategy

Before you begin, work with stakeholders to understand business requirements and create a clear vision of the end state you’re working toward. Document dependencies and identify gaps to address before beginning an IGA project. A good identity governance vision maps stakeholder needs to objectives and priorities, resulting in a project’s road map. An IGA road map with business cases helps justify IAM program funding by demonstrating how governance objectives align with business objectives.

2. Start Small and Keep It Simple

To win business interest in your project, deliver high-value and low-risk functionality early to build trust. Evaluate risks, value, costs and dependencies for deployment elements. Use readily available, out-of-the-box IGA capabilities to deploy features fast and leave customization for later. Encourage business stakeholders to share their enthusiasm and support with users and peers.

3. Plan for Success and Get It Right With IGA Deployment Prioritization

Once you have successfully deployed basic IGA functionality, you should have the support and momentum necessary to broaden your implementation. IGA offers many capabilities to support identity life cycle capabilities, such as application onboarding, access request approval, access recertification, role/segregation of duties (SoD) management, advanced auditing and intelligence. At this stage, prioritize business needs when approaching the automation of processes.

Putting People and Business First

Identity governance and administration services from IBM focus on people and business process before technology. Our three modular service packages are available to procure separately or together, depending on your IAM program maturity and IGA needs:

  1. IGA Adoption assists with the prioritization of your IGA integrations, providing conceptual architecture and a detailed adoption road map.
  2. IGA Accelerated Deployment helps demonstrate IGA capabilities to deliver high-value and low-risk functionality early with foundational capabilities. It also integrates select in-scope business applications.
  3. IGA Advanced Integration uses IGA capabilities to organize deployment. It provides a detailed design for broader governance services enablement, including expanded integrations with custom development and operationalization of end-to-end IGA services.

View the infographic to learn more about building an effective IGA program

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today