“Light” IGA solutions have started to be introduced into the identity security landscape, but what is a light solution, when and where should they be deployed, and can a fully featured IGA solution be deployed “lightly?”
The term “light,” as it applies to identity governance and administration, simply refers to solutions that don’t have all of the capabilities that a full IGA solution would typically have. Often, these types of solutions are packaged with other security capabilities to build wide, but not deep, capabilities to serve as the foundation of a basic identity security program. The idea is to serve organizations that just need basic capabilities to meet security needs.
Light solutions are more likely to be able to only support identities in a single cloud and generally can’t manage on-premises or custom-built applications and the identities associated with them. Additionally, light solutions often lack coverage for applications in multi-cloud and hybrid environments.
While light solutions may have some automation capabilities, they don’t provide full automation, which means administrators and support teams may still have to rely on manual processes for routine tasks, increasing to additional management needs. These tasks could include, but are not limited to, access requests, certification campaigns, provisioning, etc. Like most IGA solutions, there will be reporting and auditing capabilities, but the usability of this information may be limited and not actionable related to validating continuous compliance.
The lack of features and functionality, if not researched properly, could mean the purchase and integration of additional point products to meet outlying needs, contributing to increased management, training, professional services, and more, leaving organizations right where they started: with an IT and security stack built with point solutions that costs more, is difficult to manage, and doesn’t shrink the threat landscape.
The limited features of a light solution may make sense for smaller organizations that:
Smaller organizations generally don’t have many needs in terms of customization or configuration. They have straightforward workflow requirements and the identity lifecycle doesn’t vary from a standard path. As such, basic configurations with integration into a few standard applications will meet their needs.
Organizations in highly regulated industries, that have complex identity workflows, or rely on significant third-party relationships, are not ideal fits for light IGA. Organizations in highly regulated environments have complex auditing and reporting needs to meet compliance requirements. These standards, such as CMMC or the ISO series, have multiple controls that must be adhered to and audited for compliance. One of the key components in being able to maintain compliance is to be able to identify and manage separation of duty (SoD) violations, a capability not often included in light deployments.
In the past, applications were on-premises and labor-intensive to manage. With the ongoing adoption of the Cloud though, most new applications are being built for Cloud and SaaS-based deployments and designed for user-friendly management and use.
This is certainly the case for IGA. You can still find on-premises based solutions, or solutions requiring agents be placed everywhere within an environment, however, leading solutions prioritize configurability over customization and streamlined end-user engagement. With a more configurable design, full-featured SaaS-based solutions allow organizations the ability to deploy only the features they need (aka – lightly), without getting bogged down in ones they don’t.
The added bonus of implementing an enterprise IGA system lightly, is the ability to future-proof an identity program and avoid the need to add the point products mentioned earlier. It allows organizations to save money in reduced licensing fees, training, professional services, and more. Such systems, if a part of a converged platform, are also more likely to deeply integrate with their other components to magnify overall platform capabilities and future-proof identity security programs.