If your organization has more than a few employees, who use more than a few applications to do
their jobs, then you are already doing identity governance and administration, even though you
might not realize it and might not have a specific IT system to help you with it!
Put simply, Identity Governance and Administration (IGA) refers to the activities an organization must
perform in order to make sure that all users that interact with the organization - be they employees,
contractors, partners or customers – have just the right level of access to systems and applications
that they need in order to be effective in their role, whilst ensuring that nobody has any access that
they don’t need or shouldn’t have. This is the ‘Identity Administration’ part. In addition to this, the
organization needs to be able to prove that access is being managed properly, for example as part of
the internal audit process or to support regulatory compliance efforts. This is the ‘Governance’ part.
It is possible to do IGA using a combination of spreadsheets, helpdesk tickets and elbow grease –
‘Homegrown IGA’ - and indeed many organizations do; however it quickly becomes apparent, even
for small businesses, that there are serious limitations to this approach – both in terms of efficiency
and security – which mean it is not viable beyond low hundreds of users.
Problems associated with a manual, spreadsheet and ticket driven approach – which we will cover in
more detail in a later chapter – essentially boil down to the fact that that humans tend to be focused
on the job at hand – meaning that they are quite good at giving access but very poor at remembering
to take it away when no longer needed. In addition to this, the actual process of managing user
accounts across many different applications is extremely time consuming, which can lead to long
delays in granting access or taking it away.
The answer to these challenges lies in IGA systems – these are software platforms that are built to
fully automate the processes involved in managing access as outlined above. They typically automate
the management of user accounts across all of the applications in the organization, automatically
calculate access rights according to a user’s role and provide tools to prove that access is being
managed in accordance with policy.
IGA solutions have been available for some time, but due to the complexity and cost of the
technology have typically been the preserve of very large enterprises – the license fees and
consultancy costs associated with deployment have typically meant that IGA systems have been out
of the reach of SMEs and midmarket organizations. However, with the increase in regulation and
compliance requirements – think ISO27001, HIPPA or PCI-DSS – even smaller organizations face the
same need to manage and govern access – and just because they are smaller, it doesn’t follow that it
is easier. Happily there is a new breed of IGA solutions which aim to simplify the technology and
make it available to all organizations regardless of size.
Comments
0 comments
Please sign in to leave a comment.