Top Reasons Companies Are Moving to PAM on a CIP, Part 1

Amid the evolving demands of modern identity security, converged identity platforms shine as a more flexible and sustainable way to handle change. 

As the IAM market continues to evolve, tool and business process consolidation is becoming a top priority for customers who are looking for a more sustainable way to handle their growing needs to manage access as well as govern them. In fact, Gartner predicts that by 2025, 70% of new access management, governance, administration and privileged access deployments will be cloud-based, converged identity and access management platforms. 

Until now, organizations were spending more time and professional services dollars to integrate separate IAM products into the same target systems and interoperate these products – often from multiple vendors – to provide appropriate access and perform necessary governance functions. Realizing that this approach was unsustainable, Saviynt introduced a series of innovations starting in 2015 with the industry’s first converged identity platform to solve the governance needs for all identities, apps and clouds.

I sat down with Saviynt’s Chief Product Officer, Vibhuti Sinha, to get some perspective on PAM and IGA convergence.

Q: Why should customers operate privileged access management on a converged identity platform vs. a standalone solution?

Before the concept of convergence came into identity, organizations spent a lot of time integrating separate IGA and PAM products, training their users to learn two different solutions, and exhausting an enormous level of resources integrating and onboarding the same target systems to separate IGA and PAM systems. Furthermore, PAM has never really been a standalone product. It always requires integration with an IGA system.

What it meant was that organizations were then spending time and money integrating two IAM tools together — a PAM product and an IGA tool to create their business workflows. That meant that they also had to integrate both identity products into the target systems. In other words, two integrations into salesforce.com, two integrations into the ERP system, two integrations into Azure AD (now Entra ID), Google Drive, and so on. All of this drives up time and implementation costs. Typically, integration effort in implementing an IAM software is around 40 percent. If you are, let’s say, a large manufacturing conglomerate and are running a multi-million dollar identity program, this siloed approach can cut into profitability.

If you think about it, organizations begin reaping benefits of a converged PAM and IGA solution as soon as the project is kicked off. 

Q. It sounds like there are a lot of opportunities to slash implementation efforts. How can organizations improve efficiency when it comes to operating the solution?

Think about your end users. Let’s say one of your developers is requesting access to some content in Slack or Google Drive. There is nothing particularly sensitive in these systems and access is handled through your IGA system. But let’s say this same developer needs to perform some maintenance tasks on a linux workload running on AWS. These activities require an elevated permission level and her access request would trigger a workflow in the PAM tool. 

So now this employee needs to learn the nuances of two access request systems which probably have two different interfaces and separate processes for granting access. Multiply this by all of your users and it’s clear to see that this approach doesn’t scale. The adoption and learning curve becomes quite steep and can lead to users having more permissions than they need.

Our fictional marketing employee may only need to view the confidential sales data once a month, but if it’s too cumbersome to grant this access, employees often end up with more privilege than they need. So even though this is risky, maybe it’s just easier to give this employee full access to view and change the data. End users and IT admins simply don’t have the time and energy to serve as human integration points for siloed technologies. 

Q: How do these challenges impact compliance?

So let’s talk about your application owners. It’s their job to certify that the users have appropriate access. If the organization is publicly traded, they have Sarbanes-Oxley (SOX) compliance mandates which require them to do regular auditing to verify user rights and permissions across the infrastructure. This certification is handled through the IGA platform, which is designed to automatically discover entitlements and surface potential risk areas or policy violations, so that certifiers can make intelligent decisions on access to company resources.  

There are similar identity governance mandates in nearly every major regulation, including HIPAA, GDPR, CCPA, and more. 

This is where the power of convergence really comes in handy. Certification is an IGA

function. Governance was always an afterthought in PAM implementations. Traditional PAM use cases centered on privileged account discovery, vaulting, or checking credentials in and out. But governance needs to be embedded in PAM workflows to ensure that only the right people and systems are provided the right level of access. The only way to do this effectively and consistently is with a converged platform. 

The alternative means that your application owners and business leaders have to deal with multiple different certification experiences in separate systems, and different formats for reviewing standard and privileged access. Or, someone has to manually pull data out of the PAM platform and into the IGA tool. What that led to was organizations missing critical reviewing activities, which can lead to audit failures and data breaches. 

Q: How does Saviynt Enterprise Identity Cloud (EIC) help organizations improve standard and privileged access governance?

All of these dual integrations, disparate user experiences and manual processes go away when you look at a converged identity platform like Saviynt’s. Because the moment you are integrating that CRM system, marketing app, or Google drive with Saviynt, that data is automatically flowing into your certification module. That data is also flowing into your request module. Governance becomes implied. You don’t have to think about implementing governance. It exists for you from Day 1.