Many companies view the topic of identity management and administration (IGA) like the referee in soccer: if the referee makes the right decisions, it is hardly rewarded.
If he keeps making mistakes, the game becomes a minor matter and the referee’s performance becomes the main topic of the match. Just as it is not enough for a referee to simply stand on the pitch during sporting competitions, the mere presence of an access management system does not guarantee that all critical decisions are made in the best possible way at the IGA.
Many companies are lulled into a false sense of security with regard to their IGA solutions. As companies grow, security threats become increasingly complex and difficult to manage. Identity governance practices that have proven successful in the past may be outdated today. CISOs must regularly take stock and take a relentlessly objective look at their own IGA. It is important to ensure that it has all the functions to grant or withdraw access to data and applications and to protect identities from being hijacked by hackers and infiltrating the network.
Six criteria are sufficient to check whether your own IGA solution still stands the test of time:
Is the IGA solution outdated? Then it is expensive and involves unnecessary risks.
IT professionals using an outdated or homegrown IGA solution need to be much more concerned about identity-related threats. In general, the older the solution, the more expensive it is to maintain. The TCO(Total Cost of Ownership) then continues to rise over time. This increase in costs is largely due to the number of adjustments that companies have to make to meet new requirements and the effort required to maintain a legacy system in the long term. Software patches, the ongoing development support required to integrate each new system, and the programming it takes to add new workflows to the solution all contribute to these costs.
It is often difficult and expensive to update and customize the IGA capabilities of a single vendor’s IAM platforms, so a configurable best-of-breed IGA solution is usually the more financially lucrative choice.
Eliminate user accounts that have excessive access to systems and applications.
Unnecessary access to systems and applications is one of the main causes of identity security breaches, compromised user accounts and unauthorized access to sensitive data by hackers. Rigorous identity verification, rapid identification and blocking of suspicious accounts and compliance reporting can only reduce identity-related risks if the CISO knows for sure that each user has the right access rights to perform their tasks. Organizations need a modern IGA to manage identity lifecycles, access requests, provisioning, role and policy changes, and breach response in real time if they want to prevent over-authorized accounts and unnecessary access. This is also the most important prerequisite for implementing a mature zero trust security model.
Ensure that IGA tools provide the functionality for a zero trust model.
IT organizations using legacy or homegrown IGA tools are often more concerned about identity-related threats than users of modern IGA solutions. Modern IGA tools are much more effective in preventing risky processes – be it unnecessarily granted access to systems or undrawn account authorizations. Most organizations have an increasing number of users working remotely, and traditional and homegrown IGA solutions struggle to manage these identities effectively.
Even in companies that have implemented modern IGA solutions for all environments, these are often not managed according to best practice frameworks. Anyone using a legacy IGA solution should follow current best practices, create a migration plan and ensure that the new system is used with optimal functionality.
The IGA must be able to prove the actual and target status of access rights.
Managers need to be able to demonstrate that their identity governance strategy is effective, even when their organization introduces new identities and applications. A modern IGA solution should make the creation of accurate compliance reports more efficient. As business processes become more complex, the IGA must also determine who has access to data and applications and who does not, but above all it must be able to prove this information at any time. The ability to map at any time that users only have the necessary access levels is crucial for any compliance audit. Equally important is the ability to ensure consistent and repeatable reporting.
Individualized best-of-breed IGA instead of IAM platform.
Many companies that use modern IGA tend to opt for individual IAM solutions (e.g. IGA, PAM, CIEM, DAG, ITDR, etc.) rather than a single product that offers many IAM components. Although opting for a single product may initially be cheaper, there are also disadvantages. Firstly, the company is tied to a single provider, which makes switching difficult and expensive. Secondly, it becomes more complicated to add external systems that could improve the IAM if required. Finally, as other products evolve faster, the organization may be forced to live with outdated technology that can impact overall IAM performance and increase identity risks.
The most important thing: adaptability is key.
Adaptability must have absolute priority. After all, if you opt for an individual IGA solution that offers best-of-breed functions, it must be configurable for other systems and applications to meet the company’s specific requirements. When evaluating a new solution, most executives and IT professionals are looking for a connectivity framework that will allow their organization to apply IGA to their assets in real time and without costly customization. This is why the “Governance for Identity Fabric” approach has recently become established in IT security: This offers the configurability, connectivity and adaptability to work seamlessly with a company’s existing applications and infrastructures and other IAM solutions.
It also enables interoperability with support functions such as generative AI, which contribute to the automation of identity and access management in real time. SaaS-based Identity Fabric offers faster data ingestion, the ability to quickly synchronize applications and enables users to continuously optimize business processes. Benefits also include centralized management and governance support in decentralized environments with multiple access points while maintaining control requirements and performance levels.
CISOs who put the above six points at the top of their checklist when reviewing their in-house IGA will get a clearer picture of where they are on the journey to securing identities and assets and creating a mature, sustainable zero trust security model. Starting with a modern IGA solution in the context of Governance for Identity Fabric mitigates identity-related security risks and enables IT teams to perform tasks in the company with the greatest possible security.
Stephen Lowing, Vice President Marketing, Omada