IT Security Perspective: IGA 2.0 Strategy Must Haves
In my prior blog, I discussed the historical perspective and the critical role of Identity Governance and Administration related to overall IT Security posture, as well as key design principles that define the IGA 2.0 solution space. I strongly encourage readers to review “Why IGA 2.0 Matters” and “IGA 2.0 Principles” for relevant context.
As illustrated in my prior blogs, first-generation product limitations have historically constrained an organization’s ability to address both Compliance and Security needs holistically. As a result, most IGA strategies initially focused on getting the solution baselined by starting with Certification or User Attestation of critical enterprise IT applications. In doing so, they mostly relegated many of the foundational aspects of any IAG strategy, such as automated birthright provisioning/de-provisioning and self-service access requests, to later phases, and/or continued to deliver them via backend scripts implemented over time to provide basic functionality. The IGA program meant multi-year initiatives with very little to show in near-term business value; rolling out a feature across the enterprise required significant, complex change management, which at times torpedoed the overall initiative.
To benefit from IGA 2.0 capabilities and advantages, it is important to incorporate next-generation product and design concepts into your overall IGA Strategy. This is essential in order to drive narrower and quicker wins, allowing incremental feature rollout (via focused change management), reducing program delivery risk, and adopting a “pattern-driven” approach to enable factory model implementation. Eventually, such practice will lead to an IGA-as-a-Service model, resulting in the distribution of ownership/consumption with centralized IGA governance. This will significantly reduce overall program complexity and spending, especially for big, global/complex organizations.
To assess overall IGA strategy, you must ask yourself, does my IGA solution strategy:
- Provide IGA coverage for Cloud IT assets or facilitate the future migration of IT assets to Cloud or Hybrid data centers?
- Allow incremental feature/module adds or parallel tracking of initiatives while avoiding point solutions, i.e. after enabling Enterprise IGA, can it bring Cloud Infrastructure or Collaboration platforms under governance?
- Lay a technology foundation that minimizes point solutions for enterprise IGA, Cloud IGA, or Collaboration platform IGA (Identity driven CASB), etc.?
- Emphasize Privileged and Service account governance across all asset types, while providing full lifecycle management?
- Allow cross-app and fine-grained governance (Application GRC) of the most critical assets first?
- Leverage advancements in Identity Analytics to drive smart processes, and lay the foundation for further risk data ingestion, upon maturity, from solutions such as UEBA?
- Facilitate a factory-model approach to onboard IT assets for governance, with quick time-to-value turnaround in order to deliver security and compliance needs in weeks, rather than in months or years?
- Re-purpose implementation dollars away from customizing/coding, connector development, platform upkeep and lift-and-shift upgrades towards significant value-add services (such as optimal solution design, industry preferred practices, jump starting initiatives with domain expertise, etc.)?
In closing, I strongly recommend revisiting and conducting an IGA strategy health-check based on the above principles and guidelines. You will be pleasantly surprised with the outcome.
I invite readers and practitioners to reach out to us for a quick chat and any additional insights. I look forward to your feedback, your experiences, an opportunity to compare notes, as well as any pointers. You can reach me at firstname.lastname@example.org.
Thanks for reading and Go Secure!