Saviynt Blog | Security News and Research

How Mistaking Configuration for Customization Spoils IGA Improvements

Written by Greg Liewer | Aug 4, 2022 7:00:00 AM
Configurability Simplifies Security, Management, and Improves IGA Modernization ROI, Without Slowing Down Deployments or System Updates.

When upgrading your IGA solution, failing to deliver early value slows adoption and can limit security improvements. Poor results also jeopardize buy-in on future identity and access initiatives. The primary culprit of underperformance? Excessive customization. 

During the platform selection process, discussions around flexibility get murky. 

Enterprises want versatile solutions. What they don’t need is onerous customization that slows down deployments or system updates. Configurability is what actually matters. The challenge is understanding the difference – especially given all the slick sales speak out there.

In this blog, you’ll learn two key things:

  • The difference between configuration and customization (plus, examples of each)
  • How configurability simplifies security, management, and improves IGA modernization ROI
Configuration vs. Customization: What They Really Mean 

Navigating these two ideas is unusually difficult because many industry vendors hide behind vague marketing speak.

Some vendors call their products configurable, when they really require manual customization. Other vendors promote configurability, but they leave out the part about limiting functionality.   

Labels matter, but what they mean matters most. 

In general, customization reflects the need to code features, attributes, or connections – rather than using a method like drag-and-drop or other integrated capabilities within the application’s user interface

Instances of required customization (even for seemingly simple capabilities) are more common than one might expect. 

Here is one example: If an enterprise wants to connect a Microsoft Active Directory environment to their identity governance platform, they need to write specific code to fulfill this. Then, if they wanted to add specific fields for user attributes (such as department or location) they would have to add code to account for these parameters.

Another example in healthcare surrounds the challenge of handling users in multiple roles (e.g. – nurse and student). These roles require different access levels and provisioning; naturally, maintaining custom code for access policies is difficult at scale. In response, healthcare organizations may limit the number of supported policies, reducing a security team’s ability to manage identities. 

Why Configuration Beats Customization When Modernizing IGA 

The term customization has a nice ring to it. For some IT leaders, the idea implies expanded integrations and services, or richer operationalization of security features. 

The idea that a platform can be customized adds a sense of promise: “Finallya platform flexible enough to meet all our enterprise use cases.”

With respect to IGA solutions, customization is not this. 

Gartner notes that “Many organizations waste time on legacy security technologies that have lost efficacy.” This weak performance is often attributed to highly customized code that demands ongoing maintenance. Unfortunately, this is the reality of IGA solutions – custom development baggage and a host of operational land mines. 

In past discussions on hidden IGA upgrade costs, we highlighted how enterprises that embrace configurability (and reject heavy platform customization) tend to unlock better, earlier, ROI. While customization may provide a bit of functionality, companies “custom develop themselves” into a corner. Basic tasks like troubleshooting or security and compliance updates grow complex and costly.


In general, cloud-architected solutions provide flexibility 
via configurability. 

And isn’t that what enterprises are after in their hunt for a better platform anyway? This approach also lets you start small, deploy features, and get quick returns to build project momentum.

Configurable, Cloud-Driven Connectivity 

Your IGA architecture is only as effective as the identity tool and services integrations it supports. Everything from visibility to privileged access management relies on this. Agile organizations should rely on connectors and application onboarding that are configurable, and template or API-driven, rather than code based. 

Let’s revisit our Microsoft AD and healthcare examples. Building unique parameters may be manageable early on, but the issues compound as platforms and applications change, or attribute shifts pick up pace. Then, the cascading effect of old code needing support and maintenance kicks in.

Configurable rules make management easy – enterprises can measure the update process in minutes, not days.

Saviynt’s cloud-architected solution, for example, provides complete visibility while delivering governance benefits that others can only support through customization. Features can be simply configured without supporting custom code. These include risk-based enterprise grade identity workflows, complex access policies, Separation of Duties (SoD) management, and granular access provisioning. 

Configurability Means Better Compliance & Control  

Some vendors point to security controls and risk signatures as one arena where customization is a must. But as the internet-age adage goes, don’t believe everything you read or see online.

Modern solutions make compliance manageable whether on-prem or throughout a multi-cloud and multi-site IT ecosystem. 

Saviynt offers out-of-the-box security controls mapped to compliance frameworks like SOX, HIPAA, HITECH, and PCI. Security teams can easily configure rules and then use them throughout the entire decision-making and risk-evaluation process. Controls do everything from alerting you about thresholds crossed to automatically remediating violations.

It’s also now possible to connect nearly any enterprise application, simply and securely. Saviynt Exchange enables this across a range of apps including AWS, Microsoft 365, Cerner, Epic, Databricks, Oracle ERP, and hundreds of others. Other platforms may offer similar, configurable, code-free security controls and application integration too. 

Configurability Checks All The Boxes

Don’t be fooled about capability and complexity tradeoffs. Full-featured, cloud-architected IGA does away with complex customization and time-consuming maintenance. And it succeeds with better security, efficiency, and resourcefulness. These are the true measures of configurability.

Stay tuned for the remaining two blogs in this series on legacy deployments versus cloud-native ones, and fine-grained versus coarse-grained entitlements. The first blog in the series discussed vital information in our new IGA Buyer’s Guide.