Why Is Identity Governance So Difficult to Get Right?

When was the last time you heard an identity governance and administration (IGA) success story? If you’re thinking “not in my organization,” you’re in good company. IGA projects have a reputation for being hard to complete, drawn out and costly. But why are they so difficult to get right?

Measuring the Business Value of IGA

Part of the issue is that IGA projects are not differentiated from other identity and access management (IAM) efforts. IAM technologies are implemented to support one or more business process improvements or compliance initiatives. Mature IAM technologies provide solid support to organizations that need the fundamentals to integrate traditional and new applications. As such, they are predominantly infrastructure technologies.

IGA is different. Many enterprises expect IGA to deliver business value, but they are finding that it is difficult to get right primarily due to a mismatch between the IAM program road map and business priorities.

Three Tips for Identity Governance Success

The problem usually begins when a business approaches IGA as a technology project when it’s really a business transformation program. When such an approach is taken, more problems usually follow, such as:

  • Failure to deliver value early and on an ongoing basis. This undermines the trust in the effectiveness of the IGA program and can cause stakeholders to divert budget and eliminate resources for the completion of these efforts.
  • Automating already broken processes. This bandage solution often fails to eliminate manual interventions and results in hard-to-understand customization.
  • Mismatch between the IGA road map and business needs. This leads to poor adoption of the technology by the lines of business, and may jeopardize future program funding and progress.

The business benefits of IGA adoption are indirect and not immediately visible to the organization. This is a key reason why companies often lose their will for business participation, which is key for IGA project success. As a result, many organizations today are asking security professionals the question: How do we regularly demonstrate business impact and value from IGA?

Here are our recommendations, starting with a three-step deployment planning model:

1. Understand the Business Requirements for IGA Strategy

Before you begin, work with stakeholders to understand business requirements and create a clear vision of the end state you’re working toward. Document dependencies and identify gaps to address before beginning an IGA project. A good identity governance vision maps stakeholder needs to objectives and priorities, resulting in a project’s road map. An IGA road map with business cases helps justify IAM program funding by demonstrating how governance objectives align with business objectives.

2. Start Small and Keep It Simple

To win business interest in your project, deliver high-value and low-risk functionality early to build trust. Evaluate risks, value, costs and dependencies for deployment elements. Use readily available, out-of-the-box IGA capabilities to deploy features fast and leave customization for later. Encourage business stakeholders to share their enthusiasm and support with users and peers.

3. Plan for Success and Get It Right With IGA Deployment Prioritization

Once you have successfully deployed basic IGA functionality, you should have the support and momentum necessary to broaden your implementation. IGA offers many capabilities to support identity life cycle capabilities, such as application onboarding, access request approval, access recertification, role/segregation of duties (SoD) management, advanced auditing and intelligence. At this stage, prioritize business needs when approaching the automation of processes.

Putting People and Business First

Identity governance and administration services from IBM focus on people and business process before technology. Our three modular service packages are available to procure separately or together, depending on your IAM program maturity and IGA needs:

  1. IGA Adoption assists with the prioritization of your IGA integrations, providing conceptual architecture and a detailed adoption road map.
  2. IGA Accelerated Deployment helps demonstrate IGA capabilities to deliver high-value and low-risk functionality early with foundational capabilities. It also integrates select in-scope business applications.
  3. IGA Advanced Integration uses IGA capabilities to organize deployment. It provides a detailed design for broader governance services enablement, including expanded integrations with custom development and operationalization of end-to-end IGA services.

View the infographic to learn more about building an effective IGA program

Share this Article:
Jas Johal

Security Product Manager, IBM

Jas Johal is Sr. Product Manager of Managed Security Services for IBM Security. Jas is responsible to develop strategy and service product for compliance and integrated security intelligence solutions. Previously, Jas also worked on development of Managed Identity and Managed Security Information Event Management service offers. During his 14 years career at IBM, Jas has also worked on numerous worldwide projects as IBM certified consulting architect for complex networking and IAM solutions till 2009.