IT Security Perspective… IGA 2.0 Principles
In my prior blog, I discussed the historical perspective and critical role of Identity Governance and Administration (IGA) related to the overall IT Security posture of an organization. Now I’d like to share what inspired Saviynt to envision and embark on its IGA 2.0 journey… First generation products evolved organically and primarily addressed the rapidly evolving Compliance and Security mandates. I highlight “Compliance” first, because it was regulations such as SOX, HIPAA, etc. that were forcing organizations to act; it wasn’t typically coming from the wider awareness of IT Security, its implications, or the role of Identity in the grand scheme of securing an organization’s IT assets. Hence, existing products in the market evolved as point solutions to meet specific, incremental needs.
As practitioners who have implemented a variety of IGA products over the past decade, we realized there were key gaps and critical needs, necessitating a revisit of the solution space. The key gaps we encountered and other important observations were:
- Solutions require heavy customization to meet basic needs. This is not a sustainable approach in a continuously evolving domain that is driven ~60-70% by policy and processes.
- Policy and process enforcement requires a brute-force approach, e.g., User Certification and the associated challenges for managers, with no intelligence built in.
- Governance of critical IT assets at coarse grain level only. IT crown jewels require fine-grained protection and tighter, closed-loop governance.
- Major undertaking for most organizations to host and maintain an IGA solution. Adds zero value to an organization.
- Significantly long product enhancements and upgrade cycles. Security dollars that are spent upgrading on-premise deployments are resulting in no business value.
- Solutions are not nimble enough to adapt to rapid innovation, new delivery options, or the adoption of Cloud (both Cloud applications and infrastructure). Missing infrastructure governance is a huge gap with significant and critical exposure.
- Significant time and effort invested in onboarding assets that need to be governed. No automation or factory-model enablement exists for routine IGA operations.
The above reasons, to a large extent, were responsible for the slow adoption of IGA products, and the limited benefit they offered to organizations that invested in technologies to meet their basic security and compliance needs. Advances and innovation required to keep pace with continuously evolving regulatory and security needs were meagre and piecemeal. The need for change and leadership in the industry was crystal clear.
Time for Change
Having gone through these challenges and seeing clients’ pain points firsthand, it was obvious that this domain needed a fresh infusion of ideas and innovation. IGA 2.0 was coined and the vision established – a next-generation product that addresses the gaps listed above, and offers a SaaS delivery model.
The guiding principles that allowed us to seed and ultimately create Saviynt Security Manager were:
- Intelligence-Driven Processes: Bake in Identity Analytics in all aspects of administration and governance. Empower end users to make intelligent decisions by providing recommendations based on usage, risk, criticality, Segregation of Duty, etc.
- Comprehensive Governance: Govern it all – applications, infrastructure and unstructured data (collaboration platforms).
- 360° View of Critical Assets’ Access: Bring critical assets under centralized governance, irrespective of whether they are on premise or on Cloud.
- Configure vs. Code: Deliver on security and compliance needs in weeks. IT security and compliance processes are dynamic. The solution should allow flexibility and near-real-time re-configuration as needs evolve.
- Automate, Automate, Automate: Drive efficiencies wherever feasible, whether it is roles and rules lifecycle management, self-service application onboarding, privileged and service account management, a drag-and-drop workflow editor, robotic process automation, etc.
- SaaS Solution: Leave IT and management to the product experts. A fully managed platform.
These are game-changing principles for the IGA domain and helped us define what we call IGA 2.0. We see significant benefits of our vision already, with innovation and competition from key players heating up, benefitting the IT security domain in general. It definitely feels good to be an agent of change and a catalyst for innovation. I invite readers and practitioners to assess current solutions while comparing against these principles, to ensure that the solution will meet an organization’s current and future needs.
I look forward to your feedback, your experiences, an opportunity to compare notes, as well as pointers, if any. You can reach me at firstname.lastname@example.org.
Previous blog link – IT Security Perspective… Why IGA 2.0 Matters?
Thanks for reading and Go Secure!