There are now more identities than ever, thanks to shifts to the cloud and other emerging technologies and trends. For one thing, with more people now working remotely or in a hybrid model, there’s been a major shift to the cloud to support that transition. And cloud migration shows no signs of slowing; in fact, Gartner anticipates worldwide cloud spending will reach $592 billion this year.
Organizations need visibility over all of this in a centralized way, which is where identity governance and administration (IGA) plays an essential role. But to succeed, it’s important to understand that you can’t just throw more tools at the issue. IGA is a program, an ongoing process that must be developed, nurtured and updated. An undertaking of this magnitude requires time and commitment. It must be managed in such a way that you see ROI at each step.
Starting off on the right foot
It’s important to understand that IGA isn’t a project; it’s a program. The deployment of identity and access governance is not something accomplished in one year; it’s clearly a multiyear effort, and each deployment is unique. Having the right expertise and the right support when starting this program is therefore critical.
Every organization will approach this from a different level of maturity. However, there is a minimum amount of knowledge you must have to get started. Stop focusing just on products; they are only part of what you need. You also need a clear and educated vision of your organization’s priorities with respect to IGA.
Understanding the scope and roadmap
Having the full understanding of your organization’s priorities and needs is key. For instance, what are the risks within your organization? What are the regulations you must comply with? These are the things that need to be defined initially.
Start with what is most important to your organization, with the most critical business applications that you have to manage. This will create your foundation, and you can then build on top of it – including eventually adding artificial intelligence and/or machine learning. Don’t try to implement IGA all at once.
With respect to AI, it’s important to think about using this capability for access requests and authentication. AI/ML can help to properly define roles in your organization. This is significant because it can eliminate the need for some of the recertification process. AI can truly add value, but you can’t use it out of the box. It’s a necessary but later step in the journey.
An evolutionary process
One way to think of the evolving process of IGA is like transitioning from a baby to an adult. When you’re in the baby phase, you’re making a lot of progress – gaining more knowledge and capabilities – but your program is still in its infancy, and that progress is incremental.
To illustrate this point, let’s look at a theoretical company, Acme. This company needed to identify ways to strengthen its security posture and its ability to comply with regulations, and to reduce the complexity that was affecting its business users’ productivity. The need for transformation was evident, as numerous isolated solutions increased infrastructure and operational costs.
Working with a partner, Acme developed and released an IGA Minimum Viable Product. The company then completed multiple functional releases and migrated hundreds of assets to the new system, where users can request access and where approvals are managed. For compliance purposes, Acme implemented the necessary “joiner, mover, leaver” controls.
With these important initial steps in place, Acme can move forward to achieve more advanced steps as it continues its IGA journey and new needs arise.
Commit to the journey
Remote and hybrid work models have contributed to a mass proliferation of identities, resulting in a massive growth in the sheer number of tools that organizations think they need to enable and secure their networks. Getting visibility into all these identities, in one centralized fashion, is going to be a key goal for organizations moving forward, as it’s key to so many other initiatives and requirements – including security and compliance. But it’s not just a matter of throwing tools at the problem, nor is it a one-and-done approach. It’s time to change the mindset and understand that IGA is a journey.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.