
Designing and Implementing an Effective Enterprise Identity Governance and Administration Program

Abstract

Organizations embracing digital transformation are taking a hard look at Identity Governance and Administration (IGA) programs. Enterprises need a consistent framework for operationally managing and governing their rapidly expanding digital ecosystem and IGA is an important piece. At its core, the goal behind IGA is simple: Ensuring appropriate access, when and where it is needed.

IGA combines entitlement discovery, decision-making processes, access review and certification with identity lifecycle and role management. IGA operates in the intersection of business process management and access automation allowing people and systems communicate with each other, fulfilling day-to-day operational needs. It focuses on the process and operational components of Identity and Access Management.

IGA is focused on addressing issues related to the mapping of business objectives to policies as well as creating a platform for the execution and administration of these policies. IGA is a bridge between the business decision makers and those that administer the technology in support of managing all aspects of governing access.

In this report, we will describe a target state for IGA in the enterprise and a path towards getting there. As part of the path forward, we include our IGA vendor short-list to give our clients a starting point in evaluating provider solutions in this space.

Authors:

Nick Nikols, Managing Director, Research and Principal Consulting Analyst, [email protected]

Vladislav Shapiro, Principal Consulting Analyst, [email protected]

Identity Governance Administration Nikols, Shapiro

2 © 2017 TechVision Research, all rights reserved www.techvisionresearch.com

Table of Contents

Abstract .................................................................................................................................................................................. 1

Table of Contents ............................................................................................................................................................... 2

Executive Summary .......................................................................................................................................................... 4

Introduction ......................................................................................................................................................................... 5

IGA Program Challenge: .................................................................................................................................................. 8

The Solution: Implementing an Effective IGA Program ................................................................................. 8

IGA Major Components: Identity Lifecycle Management and Access Governance ....................... 9

Identity Lifecycle Management ......................................................................................................................... 9

Access Governance ............................................................................................................................................... 11

IGA Maturity Model: Assessing Current State and Desired Future State ............................................. 14

Technical Maturity: ................................................................................................................................................... 15

Low Maturity: Siloed Applications, Manual Administration ............................................................ 15

Medium Maturity: Introduction of Automation Opens Up Broader Opportunities .............. 16

High Maturity: Leveraging Automation to Better Engage the Business ..................................... 16

Process Maturity: ....................................................................................................................................................... 16

Low Maturity: Siloed Systems Lead to Disjointed Process ............................................................... 17

Medium Maturity: Moving towards roles and automated provisioning .................................... 18

High Maturity: Access Governance In Focus............................................................................................ 18

Organizational Maturity: ........................................................................................................................................ 19

Low Maturity: Resource Administrators as Fiefdoms of Responsibility ................................... 19

Medium Maturity: IAM Teams Taking on Responsibility .................................................................. 20

High Maturity: Engaging the Broader Team ............................................................................................ 20

TechVision Research Vendor Shortlist ................................................................................................................. 21

Vendor Selection Criteria ....................................................................................................................................... 21

Access Governance Criteria ............................................................................................................................. 21

User Provisioning Criteria ................................................................................................................................ 22

Analytics Criteria................................................................................................................................................... 23

Vendor Short-List ...................................................................................................................................................... 24

CA Technologies Identity Suite ...................................................................................................................... 24

IBM Security Identity Governance and Intelligence (former CrossIdeas) ................................ 24

MicroFocus (former NetIQ/Novell) ............................................................................................................. 25


One Identity (Former Dell/Quest One Identity) .................................................................................... 26

Sailpoint..................................................................................................................................................................... 27

Saviynt ........................................................................................................................................................................ 28

Checklist & Next Steps .................................................................................................................................................. 28

Review Organizational Relationships .............................................................................................................. 29

Managing Risk Is Why You Need to Review Access .................................................................................. 29

All Decisions Need to be Captured and Rationale Documented.......................................................... 30

Don't Forget to Revoke Inappropriate Access When It is Discovered ............................................. 30

Summary and Recommendations ........................................................................................................................... 30

Develop a Culture of Compliance ....................................................................................................................... 30

Identify Critical Systems ......................................................................................................................................... 31

Recommended Path If You Have an Existing IGA Program ................................................................... 31

Provide More Context to Improve Accountability ................................................................................ 31

Add Certifications for Unusual or Risky Events ..................................................................................... 31

Add Risk Scoring ................................................................................................................................................... 32

Consider Costs Before Adding the Next System ..................................................................................... 32

Recommended Path If You Don’t Have an Existing IGA Program ...................................................... 32

Consider the Workflow Design Before Digging into Technology .................................................. 32

About TechVision ............................................................................................................................................................ 33

About the Authors .......................................................................................................................................................... 34

Other related TechVision Research works ......................................................................................................... 35


Executive Summary

Identity Governance and Administration (IGA) is becoming increasingly important amongst Identity and IT Security professionals. This is an area that provides operational management, integration, security, customization and overall support for an enterprise IAM program. IGA combines the entitlement discovery, the decision-making process, and the access review and certification of access governance with the identity lifecycle and role management of user provisioning. IGA operates at the intersection of business process management and access automation allowing people and systems to communicate with each other, fulfilling day-to-day operational needs.

Inappropriate and outdated access to enterprise resources is commonplace in many enterprise IAM programs today, and it creates substantial risk. A comprehensive IGA program across diverse constituencies can help identify and manage these risks and address compliance requirements. Organizations can implement IGA in phases, which makes it easier to adopt, and they will quickly find that, in addition to keeping auditors and risk managers happy, it provides a solid foundation for reducing risk and improving security.

IGA is a process as dynamic as enterprise life itself. That is why modern IGA is not simply a product or a solution. It is a program which touches every key decision maker of the organization, no matter if this person is in human resources, a line of business, or IT. That is why building a successful, sustainable IGA program is critical, but it’s not an easy task.

TechVision Research offers our IGA maturity model for enterprises to consider. In determining where an organization fits within our IGA Maturity Model, one must evaluate an organization’s technical architecture, management processes, and overarching organizational maturity. This can help set the course for progress in an organization as it rolls out an effective IGA program.

IGA leverages components such as Identity Lifecycle Management and Access Governance to support compliance with regulations, internal controls, and audit pressure and is a powerful means to improve security and reduce enterprise risk. Enterprises can implement an IGA program using both internally developed processes and commercial off-the-shelf (COTS) products. Numerous vendors are offering products that are sophisticated and well thought out, often as a part of a larger IGA suite.

Organizations that want to get a handle on how access is granted and managed over time, and that would like to evolve toward a “least privilege” approach to issuing access, should consider how IGA can help achieve these goals.


Introduction

Implementing an effective Identity Governance and Administration (IGA) program requires a fundamental understanding of the current state of entitlements across all of the critical systems throughout the enterprise, as well as of which operations and data those entitlements actually grant access to. IGA capabilities include access certification, access request, role management, and the automated fulfillment and enforcement of changes to entitlement settings through identity lifecycle management, as well as applying entitlement risk scoring in adaptive access control systems and aligning roles and activities with privileged access management.

Ensuring data quality, managing the entire data lifecycle as well as the identity lifecycle, and providing meaningful insights to the business in order to facilitate better access control decisions are the factors that drive the implementation of IGA solutions. Security and compliance generally drive entitlement management and entitlement catalog efforts. Access governance and improved role management are deployed to harden identity and security services, both to mitigate the risk of security breaches and in response to compliance pressures from a variety of regulations. Proper establishment and maintenance of entitlement catalogs are key components of an IGA program and are designed to provide this layer of security.

IGA also incorporates the process of collecting and organizing the current entitlement state data and presenting that information to those within the organization who can best determine whether the right entitlements have been issued, as well as capturing the key decisions. This also provides an excellent mechanism for documenting and tracking how enterprise systems work and provides an audit trail for the decision-making process.

Collecting descriptive information for entitlements creates a deeper understanding of new and legacy systems, insuring against institutional knowledge loss due to retirement, outsourcing, and organizational churn. The duty of curating an application is often handed down from employee to employee, and thus the current application owner may well be the second, third, or fourth owner of that application. By the time that person becomes the responsible application owner, that person often doesn't understand the application's entitlements as well as the first application owner did, or the application’s entitlements have changed. Entitlement catalogs are a great way to retain entitlement information independent of whoever is serving as the application owner.

A key component of IGA is, ultimately, the automation of the identity lifecycle through an identity provisioning infrastructure. This helps both the fulfillment and the enforcement of access decisions. Automation and enforcement help prevent deviation from these decisions and reduce the amount of effort required for the next round of access reviews.

IGA is much more than technology; it can be thought of as an ongoing means of governance through a set of controls, processes, and actions related to the determination and enforcement of appropriate access throughout the organization’s environment. This is a continuous process of grooming, review, decision making, documentation, and enforcement for how access privileges are issued, and each iteration through this process makes the next one that much easier.

Typically, organizations have leaned toward placing too much emphasis on technology to solve their access management problems, implementing point solutions that address only part of the problem rather than looking at the issues more holistically. As a result, the organization may end up with many IGA-related tools that require significant customization to come close to addressing the organization’s requirements and that depend on specialized, technically focused personnel to maintain. This leads to very brittle, inflexible deployments that have difficulty adapting to changing business needs.

IGA, if executed properly, is about facilitating how people make effective decisions. This is the ultimate goal. It is important to include all key stakeholders and to ensure that policy decisions are not made in a vacuum. This generally can’t be accomplished successfully by one group alone; it takes a broad, carefully constructed cross-functional team. All parts of the business should have some representation and appropriate participation.

The lack of cross-functional representation is one reason why nearly 80% of IGA projects either fail or are in constant churn. As companies rush to utilize increasingly more applications and services in the quest for digital transformation, they don’t put a process in place to govern these environments, so administrators try to fill the void. But administrators aren’t the right people to be making final decisions.

The answer starts with making it easier for the right decision makers to be involved from the beginning. This requires solutions that are easy for non-technical personnel to use and that provide data to support making appropriate decisions. The supporting technical infrastructure needs to be complete enough to automate and enforce the decisions that are made, in order to provide a sustainable solution. Only then can we break the cycle of churn: ripping and replacing brittle, hard-coded implementations with other solutions that only address the immediate requirements and wind up being just as brittle and inflexible as the solution they replaced.

TechVision believes focusing on people and processes first will drive the right technology underpinnings and framework for making decisions. Access Governance can help businesses better engage the right decision makers with the right data to make informed decisions regarding appropriate access to critical resources. Provisioning is the means by which these decisions can be automatically enforced throughout the identity lifecycle. We also recommend treating IGA not as a set of products or solutions, but rather as a program containing short- and long-term goals, one that is dynamic and agile. IGA is not a one-time project; it is an ongoing, fluid process, always changing and always requiring proper monitoring, adjustment and tuning.


IGA Program Challenge:

Integrating resource administrators’ technical expertise with business stakeholders’ corporate knowledge

In the early days of enterprise computing, resource administrators were usually the only people responsible for creating user accounts and setting up access controls. They did this as a part-time duty and performed these activities as the need arose. For the most part, the concern was more about getting people access quickly so they could all get on with their duties, rather than considering how these access settings should be cleaned up or whether the organization should be following principles like least privilege. They were also responsible for informing other stakeholders about the status of the provisioning and de-provisioning of these access settings. Often, the revocation of access didn’t happen as a matter of course when that access was no longer needed, but only in the event of a high-profile occurrence, like the termination of an employee.

Resource administrators, for the most part, don’t have the full visibility or context to make more subtle access decisions. Business stakeholders, meanwhile, often have a better perspective for determining what makes for appropriate access as part of running the business, yet generally don’t have full visibility into the details of the permissions, access controls, and entitlements needed to implement these policies. This leads to an impedance mismatch where neither side has all of the knowledge or insight needed to implement an effective least privilege model while ensuring that everyone has the necessary and appropriate access to run the business. Technology alone can’t bridge this gap, but it can facilitate the engagement of both sides and provide better communication and understanding from the lowest to the highest level.

Recently, the necessity of establishing working identity governance has become the subject of discussions not only in CISO and CIO offices, but also in company boardrooms. Organizations are quickly realizing that just buying or building IGA products is not enough. Increasingly, it is becoming apparent that successful and effective Identity Governance requires more than technical tools: it requires a whole program, including short- and long-term planning, a strategic vision and a choice of technologies that can evolve over time.

The Solution: Implementing an Effective IGA Program

Implementing an effective IGA program can be a multi-faceted, inter-departmentally complex, and multi-phased endeavor. However, before going into details on how to build such a program, let us first review the basic definitions, components and actors within IGA.


IGA Major Components: Identity Lifecycle Management and Access Governance

IGA consists of multiple elements, each solving a specific piece of the puzzle and often originating from its own product category. IGA programs can look to each of these elements separately and bring a set of point products from multiple vendors together to address the broader IGA problems, or they can look to vendors that have fleshed out their offerings to include these elements as part of their IGA offering. These elements can be described as follows:

• Identity Lifecycle Management/User Provisioning – Automation of the identity lifecycle process through the creation, updating, and cleanup of user accounts and their corresponding information across multiple target systems.

• Access Governance – Consists of two essential elements:

  o Entitlement Management / Role Management – Collection and organization of current entitlement state across multiple target systems.

  o Access Review and Certification – Presentation of current entitlement state, facilitation of the review process, capturing the access decisions made, and facilitation of attestation that the new access state is appropriate.

Identity Lifecycle Management

Today’s organization is more connected than ever before. As the number of applications, systems, and resources has increased, so has the number of identities and user accounts. Creating, maintaining, and securing identities is a complex and costly endeavor. The complexity is often due to the sheer volume of identities, but it is also compounded by the dynamic nature of an identity.

As a subject’s relationship with the organization changes, the attributes and privileges associated with the identity must be updated. These dynamic changes are commonly referred to as the identity lifecycle.

All identities go through a similar lifecycle, which can be described in three basic steps: Join, Move, and Leave. Figure 1 illustrates the identity lifecycle:

Figure 1: Pattern for Identity Lifecycle Management


The key stages of the identity lifecycle can be described by the following:

• Join

  o This phase involves the creation/registration of identities.

  o In the enterprise IAM scenario, this is usually triggered from a new hire process within the Human Resources (HR) department.

  o In the contractor and customer IAM scenarios, this may be initiated through a self-service identity registration process.

• Move

  o This phase handles the changing of identity information/attributes and elements that define the relationship such as group memberships, roles, entitlements, and permissions as the identity’s relationship changes over time (transfer to another department, upgraded to gold status, etc.).

• Leave

  o This phase involves the termination of the relationship with the identity.

  o Provisioned access is revoked and state is cleaned up (de-provisioning).

  o May involve archiving of some information and deletion of other information.

As an individual passes through the identity lifecycle, their access requirements change. Keeping up with lifecycle changes can be a struggle. A system or process must be in place to detect identity lifecycle changes as they occur within the business. Historically these processes have been manual (form-based), slow, and error prone. User provisioning technologies provide various mechanisms to capture identity lifecycle events including:

• An end-user interface that allows users and delegated administrators to request access, change access, or update a profile.

• Connectors that listen for changes on connected resources, feed these changes into the provisioning engine that can process the changes, and propagate them back out to other resources as required.

• Workflow and policy that direct how the changes are processed.

Another point of focus with identity lifecycle management is the goal of gaining administrative leverage. Keeping the data consistent across systems is the only way to manage all the connected systems as a common whole, rather than as a collection of silos. The data may be represented and persisted differently from system to system, but the job of the provisioning infrastructure is to deal with these differences, transform the data accordingly, and ensure that the relationships between the systems are preserved.

User provisioning technologies help organizations manage and enforce access policies. Access policies bind identities to entitlements. An access policy is often a technical manifestation of a corporate security policy or regulatory control. It determines what systems, resources, and information a user can access. For example, an access policy might determine:

• What applications a user needs access to.

• What groups, entitlements, and privileges should be assigned to the user.

• Who needs to approve the user’s access.

• What attributes are required in order to create a user account (e.g. name, location, phone, etc.).


User provisioning technologies employ a variety of techniques to assign and enforce access policies including:

• Rules: Rule-driven policies determine access rights and entitlements according to a given set of attributes on a subject’s identity record. Attributes such as job title, department, location, group membership, etc. are often used to determine a user’s entitlements. For example, a rule-driven policy might state that all subjects whose job title equals “Accountant” are assigned to the Finance group in Active Directory.

• Roles: Role-driven access policy management is similar to rule-driven in that it is an automated process. Users are assigned to roles based on a given set of attributes on their identity record. Each role has a set of associated permissions and entitlements. The provisioning system provisions the user account according to the role permissions.

• Workflow: Workflow-driven access policy management is used when rule- or role-driven policies are not available or when a human needs to make a policy decision. In this case the provisioning system invokes a workflow process that routes an access request to a designee for approval.

Fulfillment is the last phase of the provisioning process. Once the lifecycle event has been processed and access policies have been applied, the provisioning system knows which connected systems to provision the user to, what attributes to synchronize, and what entitlements to assign. Through the use of connectors, the provisioning system creates, updates, or removes user accounts in target applications.
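The rule-, role- and workflow-driven policies above, followed by fulfillment across Join/Move/Leave events, as an added Python example (not code from the report or from any vendor product). The target systems, roles, the second rule, the approval gate and the identity record are constructed for illustration; only the Accountant-to-Finance-group rule comes from the report.

```python
# --- Constructed policy data (illustrative; not from any real deployment) ---
# Rule-driven: identity attribute == value  ->  (target system, entitlement).
# The first rule is the report's own illustration: Accountants are assigned to
# the Finance group in Active Directory. The second is a constructed example.
RULES = [
    ("title", "Accountant", "ActiveDirectory", "Finance"),
    ("location", "Boston", "ActiveDirectory", "Boston-Office"),
]
# Role-driven: an attribute match assigns a role; each role carries entitlements.
ROLE_ASSIGNMENT = {
    ("department", "Finance"): "finance-user",
    ("title", "Payroll Manager"): "payroll-approver",
}
ROLE_ENTITLEMENTS = {
    "finance-user": {("ERP", "gl-read")},
    "payroll-approver": {("ERP", "payroll-approve"), ("ActiveDirectory", "Payroll")},
}
# Workflow-driven: these entitlements are granted only after a designee approves.
NEEDS_APPROVAL = {("ERP", "payroll-approve")}


def desired_access(identity, approvals):
    """Apply rule, role and workflow policies to one identity record.

    Returns (granted, pending): the entitlements the identity should hold now,
    and the workflow-gated entitlements still waiting for an approval decision.
    """
    wanted = set()
    for attr, value, system, entitlement in RULES:
        if identity.get(attr) == value:
            wanted.add((system, entitlement))
    for (attr, value), role in ROLE_ASSIGNMENT.items():
        if identity.get(attr) == value:
            wanted |= ROLE_ENTITLEMENTS[role]
    approved = approvals.get(identity["id"], set())
    pending = {e for e in wanted if e in NEEDS_APPROVAL and e not in approved}
    return wanted - pending, pending


def fulfillment_actions(current, desired):
    """Diff current vs. desired state into connector operations.

    Revocations come out of the same policy evaluation, so a Move that removes
    a rule match (a changed title) revokes the entitlement that rule granted.
    """
    grants = [("grant",) + e for e in sorted(desired - current)]
    revokes = [("revoke",) + e for e in sorted(current - desired)]
    return grants + revokes


def process_event(event, identity, current, approvals):
    """Handle one Join/Move/Leave event; returns (actions, pending_approvals)."""
    if event == "leave":                       # de-provision everything
        return fulfillment_actions(current, set()), set()
    if event not in ("join", "move"):
        raise ValueError(f"unknown lifecycle event: {event}")
    desired, pending = desired_access(identity, approvals)
    return fulfillment_actions(current, desired), pending


def apply_actions(current, actions):
    """Simulate the connectors applying the actions on the target systems."""
    state = set(current)
    for op, system, entitlement in actions:
        if op == "grant":
            state.add((system, entitlement))
        else:
            state.discard((system, entitlement))
    return state


def run_lifecycle():
    """Walk one constructed identity through Join -> Move -> approval -> Leave."""
    identity = {"id": "u100", "title": "Accountant",
                "department": "Finance", "location": "Boston"}
    approvals, current, trail = {}, set(), []
    for event, changes in [("join", {}),
                           ("move", {"title": "Payroll Manager"}),
                           ("move", {}),      # re-run once the approval is in
                           ("leave", {})]:
        identity.update(changes)
        actions, pending = process_event(event, identity, current, approvals)
        current = apply_actions(current, actions)
        trail.append((event, actions, sorted(pending)))
        if pending:   # workflow: the designee approves, so the next pass grants it
            approvals.setdefault(identity["id"], set()).update(pending)
    return trail


if __name__ == "__main__":
    for event, actions, pending in run_lifecycle():
        print(event, actions, "pending:", pending)
```

The Move step shows the point of the section: the promotion both grants new entitlements and revokes the Finance group that the Accountant rule no longer justifies, while the approval-gated entitlement waits for the workflow.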

Access Governance

Access governance provides the needed “glue” between compliance, the access management policies, and the critical business systems that need them. It enables broader control and produces intelligence so that key decision makers can have a better understanding of the state of access and how it is being utilized in order to provide greater insight for making better decisions.

Entitlement Management

Access decisions are all about the entitlements. Entitlements are the “what” in the question of “who has access to what.” Entitlements are a fundamental aspect of all IdM disciplines, a critical element for defining security policy, and are relevant in both administrative and runtime situations. Entitlements represent capabilities in business systems that in turn help the business achieve its varied missions. To use entitlements, enterprises first have to know they are out there—in every business system, application, and platform. But simple awareness is not enough.

Just as seeing rows of boxes in a warehouse is not enough to know what products are available to be sold, seeing a list of entitlements does not impart the knowledge needed to drive identity-related processes. Entitlements must be understood before they yield their benefits to identity-related endeavours such as access certification, role management, and user provisioning. Understanding is reached by marrying descriptions, meaning, and other metadata to the entitlements themselves. The entitlement catalogue is a repository that can be used by multiple enterprise constituents to serve multiple purposes.

Access governance also provides a way to hold end users accountable for the access they use, managers accountable for the access they approve, and administrators accountable for the access they manage.

Access Review and Certification

Typically, the access review phase of access governance gains the most attention and is the most time and labor intensive. In this phase, decision makers outside of the IT department are called upon to examine people and their access and evaluate the risk of allowing that access to remain. This process involves more than just asking for a signature, and more than just sending an e-mail saying, “This looks good to me.” It requires careful inspection and thought.

Everyone who has access to important systems and resources, such as those containing data that have regulatory implications, must be certified at reasonable intervals. This includes employees and nonemployees alike, regardless of location and business role. The egalitarian nature of access certification presents a challenge and an opportunity regarding the relationship of people to the enterprise.

Often, as a part of an access certification process, an organizational manager or project sponsor will validate the relationship of the people being reviewed to the enterprise. For employees, this means that a manager will verify that the person in question not only works for the enterprise, but also works in the organization over which the manager has control. In situations where this kind of relationship information is stale, the certification process can be used to update the information.

Organizations stand a greater chance of having a fresh, authoritative source of relationship information for employees than they do for nonemployees. The relationship information for contractors, temporary workers, guest researchers, affiliates, and partners is far more difficult to gather, let alone keep up to date and fresh. Access certification provides a crucial opportunity to review and update this information; this feedback loop can avoid the dangers of stale relationship information.

This review of relationships may be seen simply as good housekeeping—but it is far more than that. It is an opportunity to mitigate risk. By weeding out contractors whose contracts have expired, guest researchers who are no longer collaborating on a project, and other such anomalies, an enterprise reduces the chance that accounts and access associated with those nonemployees (who no longer have an active relationship with the organization) will be used to cause harm. Access that is retained because of out-of-date, stale relationship information is a pocket of risk that can easily be, and that ought to be, addressed in a timely fashion. Access certification processes are the most natural way to do so.

There are also other creative ways to use access certification beyond traditional types of systems. Understanding who has access to what is valuable for a variety of types of data and systems. For example, one enterprise has used their vendor-provided access certification solution to check for conflicts of interest in the financial sector. Employees whose spouses maintain a financial interest in the enterprise’s clients must complete a certification every six months certifying that they cannot access that client data.

Physical access systems are another type of system that some enterprises are certifying. Given the move toward physical and logical access convergence, physical access becomes one more entitlement to be certified in an access control system. Enterprises that are performing some form of physical access certification are typically doing so with a separate set of processes and systems. Bringing these separate processes together creates operational and risk mitigation advantages. Furthermore, when dealing with nonemployees, the physical access control system(s) may represent the best approximation of an authoritative source of person information for those nonemployees.

The following diagram illustrates the Access Governance Process:

Figure 2: Pattern for Access Governance Process

The process cycle begins with the gathering of identity and entitlement data from the necessary resources. Identity and entitlement data resides in various resources throughout the enterprise, including in applications, systems, directories and databases. Connectors or manual reporting processes extract this data from these resources into spreadsheets, databases or an access governance tool. However, as stated earlier, automation through the proper tooling helps make this process much more sustainable and effective.

The next step is where identity and entitlement data is refined further for presentation to business users. The raw identity and entitlement data extracted from enterprise resources must be refined and converted to a business-friendly format for stakeholders to review. This should be done by someone who understands both the technical and business perspectives. During the refinement process, user accounts should be correlated with individual users to thoroughly detail which users are accessing what resources. If an entitlement catalog does not exist as a resource for this data, one should be created. This is the repository where entitlement name, entitlement owner, technical description, plain language description and other entitlement metadata will be persisted and maintained.

The entitlement state can now be reviewed for appropriateness. Using an IGA tool, or a more manual approach using a spreadsheet, the appropriate stakeholders/decision makers can review the current state of access rights of users, taking the time to evaluate the information they have been presented and understand the context of the access. Once reviewed, these stakeholders/decision makers can approve and attest to the appropriateness of users' access rights via an electronic signature in the IGA tool or other means. Once access has been certified, an attestation report can be generated.

This also opens up an opportunity to review how data is classified within the organization. Proper data classification can help tremendously with determining and applying privacy policy. Not knowing that private data exists, or not knowing where private data is, makes incidents of exposure more likely. Just like with an entitlement catalog, an inventory of data types and their privacy classification is an invaluable set of information for stakeholders/decision makers to prioritize their resources and efforts, provide risk assessments, evaluate existing policies, and formulate new policies. Leveraging the access review process to also engage key decision makers to review and make decisions about the data classification state provides a great opportunity to kill two process birds with one stone.

Access that has been flagged as requiring modification or inappropriate must be remediated. This is traditionally handled automatically via a user provisioning tool; or by generating a help desk ticket; or manually by remediating the access directly in the resource. The results of the process are also recorded in the audit repository. The audit repository stores system, access certification and administrative data. The data in the audit repository reflects all activities within the access governance process, including system configuration activities and review information, which provide evidence of existing technical controls. This data serves as an overarching control for the entire access governance process.

Another motivation for leveraging automation, and for running access governance and identity lifecycle management in concert, is that when these processes are followed only through manual means, the real access control state may have deviated considerably from the state that was collected and reviewed by the time the recommendations are finished. As a result, decisions made earlier may not actually be enforced over time, mistakes in the administration of these policies may be introduced, and the frequency of costly and labor-intensive reviews may have to increase to ensure that the current state doesn’t deviate too far from the desired state.
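The process cycle described above, as an added Python example that is not the report's own code nor any vendor's: collection from two constructed system exports, correlation of accounts to HR identities, enrichment from a constructed entitlement catalog, review decisions recorded to an audit store, a remediation list for the provisioning tool, and a drift check between the attested snapshot and a later collection (the deviation problem the last paragraph raises). Every system, person and entitlement name is constructed; `refine`, `Campaign` and `drift` are hypothetical names.

```python
from datetime import datetime, timezone

# Step 1, collection: raw exports as connectors would return them (constructed).
RAW_EXPORTS = {
    "erp": [{"account": "jdoe", "entitlement": "GL_POST"},
            {"account": "asmith", "entitlement": "GL_READ"},
            {"account": "svc_batch", "entitlement": "GL_POST"}],
    "crm": [{"account": "john.doe@example.com", "entitlement": "CRM_ADMIN"}],
}
# HR-sourced identities with the account names that correlate to them (constructed).
IDENTITIES = {
    "u1": {"name": "John Doe", "manager": "u9", "keys": {"jdoe", "john.doe@example.com"}},
    "u2": {"name": "Ann Smith", "manager": "u9", "keys": {"asmith"}},
}
# Entitlement catalog: technical id -> owner, plain-language description, risk (constructed).
CATALOG = {
    ("erp", "GL_POST"): {"owner": "u7", "desc": "Post journal entries to the general ledger", "risk": "high"},
    ("erp", "GL_READ"): {"owner": "u7", "desc": "Read-only view of the general ledger", "risk": "low"},
    ("crm", "CRM_ADMIN"): {"owner": "u8", "desc": "Administer all customer records", "risk": "high"},
}
UNDOCUMENTED = {"owner": None, "desc": "UNDOCUMENTED - add to catalog", "risk": "unknown"}


def refine(exports=RAW_EXPORTS, identities=IDENTITIES, catalog=CATALOG):
    """Step 2: correlate accounts to identities and enrich each (user, entitlement)
    pair with catalog metadata so a business reviewer can judge it. Accounts that
    correlate to no identity are returned separately: no manager can review them,
    so they need an owner before the campaign proceeds."""
    key_to_uid = {k: uid for uid, ident in identities.items() for k in ident["keys"]}
    items, uncorrelated = [], []
    for system, rows in exports.items():
        for row in rows:
            uid = key_to_uid.get(row["account"])
            if uid is None:
                uncorrelated.append((system, row["account"], row["entitlement"]))
                continue
            items.append({"uid": uid, "system": system, "entitlement": row["entitlement"],
                          "reviewer": identities[uid]["manager"],
                          **catalog.get((system, row["entitlement"]), UNDOCUMENTED)})
    return items, uncorrelated


def item_key(item):
    return (item["uid"], item["system"], item["entitlement"])


class Campaign:
    """Step 3: review and attestation; every decision is written to the audit store."""

    def __init__(self, items):
        self.items = {item_key(i): i for i in items}
        self.decisions, self.audit = {}, []

    def decide(self, reviewer, uid, system, entitlement, decision, reason=""):
        item = self.items[(uid, system, entitlement)]
        if reviewer != item["reviewer"]:          # only the assigned manager may attest
            raise PermissionError(f"{reviewer} is not the assigned reviewer for {uid}")
        if decision not in ("keep", "revoke"):
            raise ValueError("decision must be 'keep' or 'revoke'")
        self.decisions[(uid, system, entitlement)] = decision
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "reviewer": reviewer,
                           "item": (uid, system, entitlement), "decision": decision, "reason": reason})

    def pending(self):
        return sorted(k for k in self.items if k not in self.decisions)

    def remediation(self):
        """Step 4: revocations to hand to the provisioning tool or help desk."""
        return sorted(k for k, d in self.decisions.items() if d == "revoke")

    def attested(self):
        return {k for k, d in self.decisions.items() if d == "keep"}


def drift(attested, current):
    """Compare the attested snapshot with a fresh collection: anything granted since
    attestation has never been reviewed, and anything missing was revoked outside
    the process. Either case should reopen review for the affected users."""
    return {"unreviewed": sorted(current - attested), "removed": sorted(attested - current)}
```

The uncorrelated `svc_batch` account and the `UNDOCUMENTED` fallback are the two places a manual spreadsheet process tends to go quiet; surfacing them explicitly is what lets the campaign owner see where the review cannot proceed rather than silently skipping those rows.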

IGA Maturity Model: Assessing Current State and Desired Future State

Identity Governance and Administration is a unique combination of technology and processes with impact at the organizational level. Now that we’ve defined the elements of an IGA program, this model provides a perspective on where an enterprise is and a foundation for where you should be going. A successful IGA program benefits from progressive maturity improvements in multiple dimensions as articulated in this section.

There are three primary dimensions that need to be considered when assessing the maturity of an organization’s IGA program: technical maturity, process maturity, and organizational maturity. Bringing these three dimensions together is important in optimizing an IGA program. We’ll now look at each area. We’ll also provide a guide as to what low, medium and high maturity means in each category.

Technical Maturity:

Manual -> Automation

Technical Maturity corresponds to the level of automation and technical support that an organization has implemented in support of its governance and provisioning efforts. For example, an organization that has implemented automated entitlement discovery and identity provisioning will score higher than an organization that only provides ad-hoc manual creation and setup of user accounts.

Figure 3: TechVision IGA Technical Maturity Curve

Low Maturity: Siloed Applications, Manual Administration

As any independent application or system is being developed, it usually has a requirement to be able to operate in isolation, without any dependencies. This also means that this application will provide its own method of authentication and authorization, its own identity repository, and its own administrative policies. This essentially sets up each independent environment as its own silo of identity information as well as the access policies that govern its administration and authorization.


Generally, these types of applications are designed to be administered directly (manually) through their provided administrative accounts, because the initial supposition is that they are isolated and don’t have any common administrative infrastructure to rely on. Investment by application developers in support for integration tends to be limited.

This means an organization that requires more than one application will have other silos to deal with and significant integration hurdles to overcome. This has been the “chicken and egg” problem that has plagued organizations for a long time.

Medium Maturity: Introduction of Automation Opens Up Broader Opportunities

IAM products such as identity provisioning offerings can help alleviate the overhead of manually administering each application separately. This also starts to provide opportunities to manage multiple environments from a more central perspective, freeing up administrative resources and providing the opportunity to drive more consistent application of policy across these systems.

In addition, this presents the opportunity to correlate accounts together from each of the disparate systems under a common representation of identity. This in turn opens up the opportunity to start considering the relationships between these identities and the resources that they interact with – enabling a more mature lifecycle management where the state of the identity can drive when entitlements are automatically granted and revoked.

High Maturity: Leveraging Automation to Better Engage the Business

Another aspect by which automation can help is by improving engagement with the business. By automating the collection of the current entitlement state across all of the critical systems and assembling a clear, unified picture of “who has access to what”, it makes it far easier to communicate this information to the proper decision makers within the business, enabling them to better determine whether this state is appropriate and what needs to be changed if it isn’t. It also makes it much easier to document and enforce these decisions, providing better security and taking the sting out of demonstrating compliance.

Process Maturity:

Ad Hoc Permissions -> Assignment of Roles -> Access Governance

Process Maturity is the level of standardization, structure, automation and implementation of access governance processes. For example, an organization with clearly defined access review and certification processes will score higher than an organization with no formal process for reviewing or attesting to the current state of entitlements.


Figure 4: TechVision IGA Process Maturity Curve

Low Maturity: Siloed Systems Lead to Disjointed Process

An organization with a low level of technical maturity often struggles with disjointed or poorly defined processes - mirroring the siloed isolation of the administration of each system. This may be observed by each administrator individually addressing process challenges with a lack of communication and coordination between administrators.

The inconsistency that arises from segmented approaches also opens up the enterprise to security vulnerabilities, given the inconsistencies between processes and the potential gaps in understanding of those processes.

Some organizations may adopt manual processes, using forms to manage the workflow and track its progress through its lifecycle. Access request forms, in this scenario, would be filled out by the requesters, approved by assigned approvers, and passed on to administrators to fulfill the request. While this manual, forms-based approach is a step toward some process standardization, it still tends to be inflexible and slow to adapt when changes are necessary. Often, even when all the forms are filled out and the processes are followed, there can be discrepancies between the actual state of entitlements and what the paper trail indicates it should be. This creates transient inconsistencies that can cause administration and security challenges.


Medium Maturity: Moving towards roles and automated provisioning

Roles and early automated provisioning efforts indicate progression towards medium maturity. Early role definitions focused on grouping and organizing users and permissions for a given system rather than taking a broad enterprise or even cross-system perspective. This can result in silos of information that don’t interoperate and eventually become dated, ineffective, and possibly redundant.

The introduction of automated provisioning as well as the increasing need for information protection and regulatory compliance have driven a rationalization of identity information associated with access privileges, and a desire to develop reusable and general-purpose roles to simplify administration and improve accountability.

This more holistic perspective motivates organizations to look at roles in a broader context; they would like to gain greater administrative leverage and control by extending role definitions that span the organization and map to more specific permissions and entitlements within a given environment or application. But this cannot be done successfully in a vacuum. Fully leveraging role management throughout the organization requires the involvement and active participation of both IT and business stakeholders.

High Maturity: Access Governance In Focus

Access governance takes things even further by aligning the process with the heartbeat of the business – enabling business leaders and decision makers to have a better understanding as to which users have access to what systems, how often that access is being used, as well as gaining invaluable insight into data management.

More mature enterprise access governance processes involve consistently reviewing and certifying access. Access review is really where the rubber meets the road in that it engages the people who are best equipped to understand and determine what appropriate access looks like. It is through active participation that the access governance process becomes a living, breathing, and sustainable approach. But this requires the right technology to present entitlement information in an accessible and easily understandable fashion while encouraging engagement.

Access governance is often motivated by compliance requirements, but the ultimate end result is risk reduction. Access governance also provides compliance and audit teams with the data they need to determine how, where, and why sensitive data is handled throughout the enterprise. This visibility as to how data is handled empowers data owners to eliminate inappropriate access, further reducing risk.

Organizational Maturity:

Moving from Siloed Administration to Greater Engagement and Coordination Across Teams

Organizational Maturity corresponds to how well the people within the organization are aligned with their responsibilities and their ability to execute those responsibilities. For example, an organization that enables a LOB owner both to finalize an access control decision within their domain and to provide attestation as to the current access state will score higher than an organization whose access control policies are managed solely by resource administrators.

Figure 5: TechVision IGA Organizational Maturity Curve

Low Maturity: Resource Administrators as Fiefdoms of Responsibility

Low maturity occurs when resources are isolated in independent silos and the resource administrators are independently making decisions about the resources they are tasked to manage. As a result, several problems tend to arise:

• Orphan Accounts – Resource administrators execute manual provisioning requests first (setting up an account, granting access, etc.), and only get to de-provisioning access when it is urgent - and sometimes the de-provisioning and clean-up never gets done.

• Access Accrual – Lack of clean-up as the state of people within the organization changes over time – moving from one project to another, from one department to another. The pressure on the resource administrator is to grant access as it is requested, not to clean up access once it is no longer needed.

• Lack of Coordination Between Silos – When the enterprise applications/systems are isolated from each other, there isn’t any way to share changes that may be important to the other systems. As a result, a change in one system, like the HR system for example, does not necessarily propagate to any of the other applications, so if an individual was terminated, the other systems are not automatically informed about this change.
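The three symptoms above can be checked mechanically once HR and account data sit side by side. The following Python example is added here (it is not from the report) and runs over a constructed HR feed, a constructed per-department entitlement baseline and a constructed account export in which each account has already been correlated to an owner or to none; `find_orphans`, `find_accrual` and `propagation_gaps` are hypothetical names. The useful output is a prioritised list rather than a count: which account is orphaned and for how long, which entitlement a mover carried over from a previous department, and which systems an HR termination never reached.

```python
from datetime import date

# Constructed HR feed: the authoritative relationship state for each person.
HR = {
    "u1": {"status": "active", "department": "Sales", "term_date": None},
    "u2": {"status": "active", "department": "Finance", "term_date": None},
    "u3": {"status": "terminated", "department": "Finance", "term_date": date(2017, 3, 1)},
}
# Constructed baseline: what each department is expected to hold, per system.
BASELINE = {
    "Sales": {"crm": {"CRM_USER"}},
    "Finance": {"erp": {"GL_READ", "GL_POST"}},
}
# Constructed account export. "owner" is the correlated identity, or None.
ACCOUNTS = [
    {"system": "crm", "account": "u1", "owner": "u1", "entitlements": {"CRM_USER"}},
    {"system": "erp", "account": "u1", "owner": "u1", "entitlements": {"GL_READ"}},   # left over from a Finance stint
    {"system": "erp", "account": "u2", "owner": "u2", "entitlements": {"GL_READ", "GL_POST"}},
    {"system": "erp", "account": "u3", "owner": "u3", "entitlements": {"GL_POST"}},   # HR says terminated
    {"system": "crm", "account": "svc_old", "owner": None, "entitlements": {"CRM_ADMIN"}},
]


def _owner_record(acct, hr):
    return hr.get(acct["owner"]) if acct["owner"] else None


def find_orphans(accounts, hr, today):
    """Accounts with no living relationship behind them: either nobody correlates
    to the account, or the correlated person is terminated in HR.
    Returns (system, account, reason, days_since_termination)."""
    out = []
    for acct in accounts:
        owner = _owner_record(acct, hr)
        if owner is None:
            out.append((acct["system"], acct["account"], "no-owner", None))
        elif owner["status"] != "active":
            days = (today - owner["term_date"]).days if owner["term_date"] else None
            out.append((acct["system"], acct["account"], "owner-terminated", days))
    return sorted(out, key=lambda o: (o[0], o[1]))


def find_accrual(accounts, hr, baseline):
    """Entitlements held by active people that their current department's
    baseline does not explain: typically carried over from an earlier role."""
    out = []
    for acct in accounts:
        owner = _owner_record(acct, hr)
        if owner is None or owner["status"] != "active":
            continue                                   # reported by find_orphans instead
        expected = baseline.get(owner["department"], {}).get(acct["system"], set())
        for ent in sorted(acct["entitlements"] - expected):
            out.append((acct["owner"], acct["system"], ent))
    return sorted(out)


def propagation_gaps(accounts, hr):
    """Per terminated person, the systems that still hold an account: the HR
    change that never reached them. Maps uid -> sorted list of systems."""
    gaps = {}
    for acct in accounts:
        owner = _owner_record(acct, hr)
        if owner and owner["status"] == "terminated":
            gaps.setdefault(acct["owner"], []).append(acct["system"])
    return {uid: sorted(systems) for uid, systems in gaps.items()}
```

The baseline here is a department-to-entitlement map because that is the simplest shape; in an organization at the medium or high maturity levels described below the same check would run against role definitions from the entitlement catalog, and the accrual list becomes the input to a targeted review rather than a full campaign.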

Medium Maturity: IAM Teams Taking on Responsibility

As automation begins to be employed and as integration between systems becomes a priority, the IAM teams begin to take on more responsibility for working across the different resource domains and implementing policy across them. This brings the benefit of improving some coordination and common role definition, but like with the resource administrators before them, many of these policy decisions may not be made at the right level and may not be visible to the line of business stakeholders.

This can be mitigated by advanced provisioning that supports the execution of approval workflows. This allows the IAM teams to begin to engage with the lines of business to approve the progression of one or more automated workflows.

High Maturity: Engaging the Broader Team

Effective IGA requires a collaborative, cross-functional effort and the organizational maturity should reflect engagement of different areas of responsibility.

For example, resource owners working with the identity teams should be responsible for gathering entitlement information from each resource and organizing this information into meaningful, documented sets. These documents should be self-explanatory to support a meaningful review by decision makers from the lines of business. This data then gets stored and maintained within the entitlement catalog – which provides a point of coordination in this process between the IT teams and the lines of business.

Decision makers within LOBs are accountable for reviewing both the organization of the entitlement catalog’s contents and for utilizing the entitlement catalog in the review of how these entitlements are doled out to individuals, groups, or roles.

The ultimate goal is to increase the organization’s maturity on all of these fronts. There are major business benefits in doing so. This is not, of course, a trivial task. We’ll now look at how an enterprise can move forward in implementing an effective IGA program.


TechVision Research Vendor Shortlist

Our vendor short list represents a starting point for considering available IGA products based on our hands-on consulting, our analysis, industry experience and knowledge of a broad base of vendors. We believe every organization should go through a rigorous review and assessment process, but this might serve as a starting point in your vendor evaluation.

Vendor Selection Criteria

The IGA market grew up from two directions: user provisioning and access governance. Today’s offerings could be considered as a hybrid of these capabilities and depending on the background from where the solution originally came, some of them are skewed more towards one capability over the other – some more with a provisioning background and some more with an access governance background.

This makes the choice of vendor selection criteria especially difficult, since we believe that an effective IGA solution requires both capabilities, but at the same time we recognize that an organization’s specific requirements may prioritize some functionality over others. These vendors also vary on technical characteristics like performance, number of out-of-the-box features (connectors, workflows, reports, compliance templates, etc.), usability, completeness of the solution, etc. However, in our opinion, given the impact that IGA can have in helping the business, we will consider the business criteria first, and then the technical ones.

Below is the TechVision Research recommended checklist based on our observations in the marketplace from both vendors and user organizations. As this is a specific area of focus within the IGA market, it doesn’t necessarily mean that the vendors selected on our shortlist are the best overall IGA providers in every case, but it does mean that these are the vendors that we believe have strong offerings specific to the IGA business goals described earlier.

TechVision Research used the following approach for choosing vendors for the short list: how well their solution addresses best practice process elements in access governance, user provisioning and analytics.

Access Governance Criteria

• Entitlement Collection
  o How easy is it to discover the current entitlement state?
  o Do you have to search for when entitlement settings change?
  o Will you be notified when a new review is required because the current state no longer matches the attested state?

• Entitlement Organization
  o How are the entitlement settings presented to allow for better organization?
  o Does the solution make categorization recommendations?

• Entitlement Catalog Management
  o How well can the entitlements be organized, grouped and documented?
  o How clear is the mapping between the defined categories/roles and the entitlements/permissions on each of the systems, and can the categories/roles be defined to span multiple systems?

• Access Review Process
  o How well is the decision around the appropriateness of the assignment of the category/role/entitlement framed?
  o How easy is it for a line of business user to make a clear decision without having to interpret or go outside the system for more information?
  o How easy is the attestation process, and is it clear without overwhelming the decision maker with too much data?

• Attestation Reports
  o Do the reports meet the auditor's requirements?
  o Is there a clear way to see where the process is stalling (i.e. who hasn't finished their review/attestation, and how long has it not progressed)?

• Role Management
  o How easy is it to map entitlement categories to role definitions and share these with provisioning environments?

• Remediation
  o How automated is the process for updating entitlements based on the decisions from the access review?
  o How well can the system integrate with a provisioning system to provide the automated remediation?

User Provisioning Criteria

• Data Flow Management
  o Does the offering handle bi-directional change events (both to and from target systems)?
  o Does the offering support attribute-level authority?
  o Does the offering support event transformation (one event triggering one or more other events)?

• Workflow Management
  o Does the offering support approval workflow?
  o Does the offering support delegation of approvals?
  o How easy is it to set up, review and change a workflow?

• Identity Lifecycle Management (Join, Move, Leave)
  o How well does the offering support state transitions of identities (automated granting and revocation of roles/entitlements based on the state of the identity)?
  o How easy is it to configure and execute all types of identity update processes: manual, scheduled and triggered (event-driven)?

• Role-based Policy
  o How easy is it to leverage role definitions from the Access Governance environment?
  o Can new role definitions or changes to existing role definitions automatically be detected and acted upon?

• Connector Handling
  o Are the connectors just providing integration with the target systems, or are policy behaviors also embedded within the connectors? (Embedded behavior is a bad thing; in our opinion all policy should be handled by the service engine, not the connectors.)
  o Do the connectors support bi-directional interaction with the target systems?
  o Can the offering handle more than one target system of the same type at a time, local to the service or remote, and is there a secure communications channel between the connector and the service engine?

Analytics Criteria

• Contextual Information Collection
  o How easy is it to collect contextual information about access governance actions?
  o What kind of contextual data can be collected?
  o How does the solution store the collected data?

• Data Mining
  o What kind of dynamic models are packaged with the solution?
  o How easy is it to configure the model engine?
  o How is it integrated with the rest of the IGA modules?

• Risk Engine
  o How is it tuned?
  o How easy is it to manage?
  o How is it integrated with the rest of the IGA modules?

• Machine Learning
  o What are the capabilities of the vendor's machine learning module?
  o What kind of dynamic learning model does the offering use?
  o What are the learning limitations?
  o How is it integrated with the rest of the IGA modules?

Before describing the vendors on the short list, we would like to address two well-known offerings that may seem to be surprisingly absent from it. They are the Oracle IGA products and the IBM Tivoli offerings. Oracle has one of the largest shares in the IAM space, with hundreds of deployments across the globe. If you are an Oracle shop with many Oracle solutions already in place and an established support infrastructure around them, then we would recommend considering Oracle’s IGA-related set of products, like Identity Manager, Access Manager, Identity Governance, etc. If you are not, then we would like to make you aware that Oracle’s solution will generally require a high level of customization and technical support, along with the on-going budget allocation associated with this.

A similar case (to Oracle) can be made concerning the IBM Tivoli solution: if you are already an IBM shop with established internal expertise, then consider using it. Otherwise, the implementation and operational support can become an expensive and labor-intensive effort. At the same time, we have included IBM CrossIdeas in the short list.

Note: the list of vendors was assembled in alphabetic order and does not represent ranking of the solutions.


Vendor Short-List

CA Technologies Identity Suite

Background

New York-based CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. CA Technologies offers both a full-fledged Identity Suite with identity management and governance capabilities and the Secure Cloud IDaaS solution, which features web SSO and authentication and provisioning for cloud and on-premises systems. For more information check the company web site: www.ca.com

Shortlist rationale

The CA Identity Suite is designed to uniformly govern access to applications and services across cloud and on-premises IT environments. This starts with the automation of IAM functions such as user provisioning and entitlement certification with a goal of reducing security management costs and improving employee productivity. The solution includes an identity portal, which provides a relatively intuitive, business-oriented user experience designed to simplify the process of managing user identities, access requests and approvals. CA Identity Suite deployment leverages a virtual application installation and a collection of preconfigured identity use cases that eliminate some of the typical custom coding often required.

The latest version of Identity Suite has strong Access Governance capabilities, especially entitlement catalogue management and access review, decent user provisioning and basic analytics. At the same time, the product requires managing many servers and a high level of customization in the case of complex provisioning fulfilment.

IBM Security Identity Governance and Intelligence (former CrossIdeas)

Background

CrossIdeas was founded in 2011; its product originates in 2005. CrossIdeas was acquired by IBM in 2014 and its product was re-branded as IBM Security Identity Governance and Intelligence. The development center for this product is still located in Rome, Italy.

For more information, go the Web site: http://www-03.ibm.com/software/products/en/ibm-security-identity-governance-and-intelligence.

Shortlist Rationale

Identity Governance and Intelligence provides functionality focused on enterprise user lifecycle management, including access risk assessment and mitigation using business-driven identity governance and end-to-end user lifecycle management. Identity Governance and Intelligence is designed to mitigate enterprise access risks and access policy violations by using intelligence-driven, business-driven identity governance integrated with end-to-end user lifecycle management.

IBM Security Identity Governance and Intelligence offers:

• An identity governance platform focused on enabling IT managers, auditors and business owners to govern access and ensure regulatory compliance.

• A business-activity-based approach to facilitate communication between auditors and IT staff and to help determine segregation of duties violations across enterprise applications, including SAP.

• Better visibility and user access control through consolidating access entitlements from target applications and employing sophisticated algorithms for role mining, modeling and optimization.

• User lifecycle management including provisioning and workflow capabilities, along with integration with IBM Security Identity Manager and third-party tools.

The strength of this product is in advanced analytics, attestation and re-certification, and very good access governance capabilities. At the same time, the product uses Tivoli for user provisioning and requires a high level of customization and expertise in Tivoli solutions.

MicroFocus (former NetIQ/Novell)

Background

U.K.-based Micro Focus provides a core IAM suite with several optional add-ons, such as Access Review, a governance add-on, and the NetIQ Access Governance Suite (AGS). The solution resulted from the Micro Focus acquisition of Attachmate/NetIQ in 2014 and is based on an offering initially developed by Novell. For more information go to https://www.microfocus.com/

Shortlist Rationale

The Micro Focus solution is a combination of two modules: NetIQ Identity Manager and the Access Governance Suite.

Identity Manager is focused on providing control over management, provisioning and de-provisioning of identities in physical, virtual and cloud environments. It provides tools to help ensure that enterprise security policies are consistent across business domains. Identity Manager also provides activity-level reporting on who has access to what and offers high-level user interfaces. There is also support for adapting to existing customer environments (e.g., SAP NetWeaver) to retain existing policies while adding intelligence for alerts when proposed changes conflict with current policy infrastructure.


The Access Governance Suite includes three major components:

• Access Certification. This component includes the Compliance Certification Manager (CCM) and provides a complete, enterprise-wide view of user access data so that organizations know exactly who has access to what. Data is collected across manually provisioned, help desk–provisioned and automatically provisioned systems. CCM ensures that user access to resources is appropriate and compliant with policies. CCM also streamlines review, certification and reporting via automated processes, which reduces the risk associated with manual changes and reviews. It manages the entitlements associated with users throughout the user lifecycle.

• Role Lifecycle Management. This software allows the review of access rights across environments that are automatically provisioned, those that are help desk–provisioned as well as manually provisioned systems. Roles Lifecycle Manager simplifies how user access is managed by giving visibility to patterns and logical groupings. This can simplify access change management and compliance.

• Access Request and Change Management. This component provides a self-service portal for the business and simplified mechanisms for granting access requests. The Access Request and Change Manager provides a single interface with embedded governance (approvals, policy checks, escalations) allowing both IT and/or line-of-business (LOB) managers to request and approve access rights.

The strength of this solution is its scalable user provisioning and fast initial deployment. This product is event-driven in terms of access governance and good at analytics. At the same time, expect substantial customization and manual steps during the integration between different elements of the solution.

One Identity (Former Dell/Quest One Identity)

Background

In 2012, Dell Inc. bought Quest Software for $2.4 billion as part of its plan for fleshing out a software division for the hardware giant. However, this strategy changed following the bold move of acquiring EMC for $67 billion. Dell sold the Quest and Sonicwall divisions to equity firms Francisco Partners and Elliott Management in 2016. In late 2016, the newly reformed Quest formed One Identity as a wholly owned subsidiary of Quest.

The One Identity family of identity and access management (IAM) solutions is a general-purpose suite of IAM services including identity governance, access management and privileged management. Learn more at https://www.oneidentity.com/

Shortlist Rationale

One Identity has a solid overall IAM offering, plays well with Microsoft’s Active Directory, and has strong business-centered access governance and privileged account governance capabilities. One Identity offerings include access management, privileged account management and identity governance through a single foundation.

Among the identity governance capabilities available through One Identity, some of the most prominent include:

• Enterprise provisioning

• Access request and certification

• Governance of unstructured data

• Role engineering

• Privileged account governance

• The ability to rapidly and completely embrace cloud assets in a provisioning and governance implementation

The strength of this solution is its business-oriented design with strong role and policy management that includes dynamic and hierarchical roles, 360-degree views of IGA objects, strong identity correlation capabilities, event-driven fulfillment, and notably strong SAP integration. The limitations include modest analytic capabilities and average auditing and reporting.

SailPoint

Background

SailPoint was founded in 2000 and is headquartered in Austin, TX. SailPoint’s open identity platform gives enterprises the power to enter new markets, scale their workforces, embrace new technologies, innovate faster and compete on a global basis – securely and confidently. The company was one of the first notable pioneers in the identity governance market and has an integrated set of cloud-based services that include compliance controls, provisioning, password management, single sign-on and data access governance. SailPoint focuses its offerings on the premise that identity is a business enabler. SailPoint, as an early leader in this space, has well-established customers. These clients include (per SailPoint) eight of the top banks, four of the top five healthcare providers, six of the top seven property and casualty insurance providers and five of the top pharmaceutical companies. Learn more at https://www.sailpoint.com/

Shortlist Rationale

The SailPoint IdentityIQ offering allows customers to:

• Enable business users to manage access from multiple devices.

• Provide centralized governance controls to reduce risk.

• Boost productivity while reducing costs.

• IdentityIQ has a business user-oriented design with a simplified user experience.

• IdentityIQ supports a wide variety of complex hybrid IT environments with unified identity management processes across cloud, mobile and on-premise environments.


SailPoint has a mature IGA offering with the following notable features and innovations:

• Risk-based foundation: Provides 360° visibility into identity and access data and applies a risk model that identifies specific business risks relatively early.

• Unified architecture: SailPoint has built their identity governance and provisioning solution from the ground up.

• Flexible last-mile provisioning: Provisioning that integrates with tools and processes to support flexible, customer-centric provisioning.

• High performance and scalability: SailPoint IdentityIQ is designed to scale horizontally, vertically and functionally. Given the maturity of SailPoint’s offerings in the IGA space, they have production use cases managing very large user bases with thousands of applications and millions of entitlements.

• Centralized governance across datacenter and cloud environments: IdentityIQ is designed to handle access to all data, applications and other resources throughout the organization.

The strengths of this solution are very strong attestation capabilities, flexible and comprehensive reporting, ease of use (including for non-technical users) for access governance, and average analytics. User provisioning is still a work in progress, even though the company has made serious strides to improve it. At the same time, customization for complex provisioning fulfillment processes requires a high level of IdentityIQ expertise, and since it is not an event-driven solution, additional coding is needed to act on discovered information.

Saviynt

There is one more vendor worth mentioning that makes our short-list with some qualifications. If a key business requirement is in the area of analytics, specifically advanced usage, role/data mining and user behavior analysis, then Saviynt is worth considering. It is a cloud offering, but it does often require a high degree of customization. Saviynt’s Cloud Access Governance and Intelligence platform, delivered either from the cloud or on premise, focuses on providing intelligent IGA processes with usage and risk analytics. Learn more at https://www.saviynt.com/

Checklist & Next Steps

At its core, the goal behind IGA is simple: Ensuring appropriate access, when and where it is needed. As we have discussed, technology can go a long way in helping achieve this goal, but success is ultimately determined by the active engagement of the people involved in the process and by facilitating the decision-making process. In deploying an IGA solution, the following provides key areas of focus and progressive steps to take in planning, architecting and executing on your Identity Governance and Administration program:


Review Organizational Relationships

Some, but not all, access governance processes include a review of the organizational relationships as a discrete step. This can be very useful in updating suspect relationship data. This is a creative way of managing employee and nonemployee relationship information. For example, this type of organizational relationship review can assess if:

• A person still works for me.

• A person no longer works for/with the enterprise.

• A person works for the enterprise but doesn't work for me.

As an interesting side note, enterprises that utilize a chargeback model for centralized IT services typically include this as a discrete step to review the relationship of each person in the organization. In this environment, managers have a financial incentive to make sure they are not billed for people who no longer work for them, to avoid incurring the cost for IT services not being consumed.

Managing Risk Is Why You Need to Review Access

As part of access review and certification, participants in the process examine the access a person has and make a decision regarding its appropriateness. The reviewer has two basic choices:

• The access is appropriate for the person and should thus remain in place.

• The access is inappropriate for the person and should be revoked.

Although the participants in the process may not realize or know this, the determination of appropriateness of access is fundamentally a risk management decision. A reviewer weighs the tradeoff between allowing access to meet the mission of the business or to remove access to prevent malicious or negligent use of that access. The alternative is that this decision would not be made by a member of the enterprise and would in turn be handed to a regulator or auditor to make. This is not a situation that an enterprise wants to find itself in.

The review of access, the evaluation of risk, is not an inconsequential action. To this end, the enterprise must do its best to help the reviewer make an informed decision. The enterprise can do this by providing the complete context of the access, which comprises the:

• Plain-language meaning of the access.

• Relationship between the person and the organization.

• Details of the access.

Besides providing reviewers with the complete context of access, the enterprise must also help make the reviewers aware of the risk management aspects of access governance. This should be part of building an overall culture of compliance within the enterprise. To accomplish this, education and communications are needed so that the notions of risk mitigation and management become part of the backdrop on which employees act. Further, some enterprises have gone so far as to present a risk transfer statement to reviewers, informing reviewers that they will be held responsible if the access they deem appropriate is later used inappropriately.

All Decisions Need to be Captured and Rationale Documented

After participants determine whether the access is appropriate or not, that decision must be recorded for audit purposes. This audit information validates that the access governance process is being used and serves to meet auditor and regulator needs.

Don't Forget to Revoke Inappropriate Access When It is Discovered

Inappropriate access must be revoked. The downstream action differs depending on at what level the access was reviewed. Inappropriate access at the account level means that during the remediation phase of the access governance process, the entire account should be suspended or deleted, depending on policy. Inappropriate access at the entitlement level means that the account will remain intact, but the entitlement, typically a group or role assignment, will be removed during the remediation phase.
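The two preceding steps, recording every decision with its rationale and translating a revoke decision into the right remediation for the level at which the access was reviewed, can be put together in a small script. This is an added example written for this report's audience, not code from the report or from any vendor's product; the users, systems, accounts and entitlements are constructed sample data, and the suspend-versus-delete policy switch is an assumption.

```python
"""Access review decision capture with level-aware remediation.

Added example for illustration; not code from the report or any IGA
product. The users, systems and entitlements below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ReviewItem:
    """One row a certifier sees: an account, optionally narrowed to one entitlement."""
    user: str
    system: str
    account: str
    entitlement: Optional[str] = None  # None means the whole account is under review


@dataclass(frozen=True)
class Decision:
    item: ReviewItem
    reviewer: str
    appropriate: bool
    rationale: str
    decided_at: str  # ISO 8601 UTC timestamp, kept as audit evidence


class AuditLog:
    """Append-only record of certification decisions for auditors and regulators."""

    def __init__(self) -> None:
        self.entries: List[Decision] = []

    def record(self, item: ReviewItem, reviewer: str, appropriate: bool,
               rationale: str, now: Optional[datetime] = None) -> Decision:
        # A decision without a rationale is rejected: the reviewer is accepting
        # risk on behalf of the enterprise and the reasoning must be documented.
        if not rationale.strip():
            raise ValueError("every certification decision needs a documented rationale")
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        decision = Decision(item, reviewer, appropriate, rationale, stamp)
        self.entries.append(decision)
        return decision


def remediation_action(decision: Decision, delete_on_revoke: bool = False) -> Optional[dict]:
    """Map a 'not appropriate' decision to the remediation step for its review level.

    Account level:     suspend (or delete, per policy) the entire account.
    Entitlement level: the account stays; only the group/role assignment is removed.
    """
    if decision.appropriate:
        return None
    item = decision.item
    if item.entitlement is None:
        action = "delete_account" if delete_on_revoke else "suspend_account"
        return {"action": action, "system": item.system, "account": item.account}
    return {"action": "remove_entitlement", "system": item.system,
            "account": item.account, "entitlement": item.entitlement}


def remediation_plan(log: AuditLog, delete_on_revoke: bool = False) -> List[dict]:
    """Collect the remediation steps implied by every revoke decision in the log."""
    plan = []
    for decision in log.entries:
        action = remediation_action(decision, delete_on_revoke)
        if action:
            plan.append(action)
    return plan


def sample_review() -> AuditLog:
    """Constructed review campaign: three decisions by one manager."""
    log = AuditLog()
    when = datetime(2017, 6, 1, tzinfo=timezone.utc)
    log.record(ReviewItem("alice", "ERP", "alice.erp", "GL_Post"),
               "mgr.bob", True, "Alice closes the books each month", when)
    log.record(ReviewItem("carol", "UNIX-PROD", "carol"),
               "mgr.bob", False, "Carol transferred out of Ops in March", when)
    log.record(ReviewItem("dave", "ERP", "dave.erp", "AP_ApproveInvoice"),
               "mgr.bob", False, "Dave creates vendors; approving invoices too is an SoD conflict", when)
    return log


if __name__ == "__main__":
    for step in remediation_plan(sample_review()):
        print(step)
```

The account-level finding for Carol yields a suspend (or delete) of the whole UNIX account, while Dave's entitlement-level finding leaves his ERP account in place and removes only the conflicting assignment; both decisions, and Alice's approval, remain in the log as evidence that the process ran.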

Summary and Recommendations

Identity Governance and Administration (IGA) is being elevated in discussions around digital security because IGA is a necessary balance between business and technology. There is no “silver bullet” solution which can resolve all the issues related to IGA, but by increasing IGA maturity, an organization decreases its chances of being breached and improves operational efficiency.

Increasingly, organizations are realizing that IGA is not about the sophistication of the technological solution, but rather how well-organized, managed and governed business processes within the enterprise are. IGA should be considered not as a point solution, but as an ongoing program that involves both IT and key decision makers within the lines of business. This allows companies to resolve the common pitfall where the people who make decisions on business policies, rules and processes have no means to implement them, and the people who run the implementations have no say in discussing them. Modern IGA is a business-oriented, people-centric program with high-level management sponsorship and a team of contributors across every division of the organization.

The following are key actionable steps enterprises can take to improve their IGA programs. We start with culture and an assessment of critical systems and describe different paths based on the maturity of existing IGA programs.

Develop a Culture of Compliance

A culture of compliance is far more than just occasional training. It requires systemic internal marketing and more viral forms of education. A culture of compliance makes risk management and mitigation real for staff members. It can turn the drudgery of reviewing lists of accounts into an opportunity to strengthen the enterprise. Like any system that regularly requires some administrative effort, an IGA program will be met with user pushback unless its deployment is preceded by education and communication. A culture of compliance can decrease user pushback and increase the value of the process.

Identify Critical Systems

It may go without saying, but it also bears repeating: an enterprise must be clear as to which systems are critical and thus need to be part of the IGA program, and which systems are not critical to the IGA program. It is unrealistic to target all applications in the enterprise for management under IGA. This is especially true for those enterprises with little to no automated capabilities. By working with audit and risk management teams, the enterprise must whittle down the list of applications to those that are vital from a regulatory and/or risk perspective.

Recommended Path If You Have an Existing IGA Program

Enterprises with an existing IGA program should consider the following recommendations to strengthen and derive more risk management value from their investment.

Provide More Context to Improve Accountability

As participants in IGA workflows are asked to accept more of the risk for people's access, they will begin to ask for a more complete picture of the context of that access. These demands cannot, and more importantly, should not be ignored. To enable better, more informed decisions that will directly lead to stronger risk management, the enterprise must aid these users as much as possible. To that end, provide context of access data in exchange for an increase in participants' accountability.

Add Certifications for Unusual or Risky Events

Once the enterprise is reasonably comfortable with periodic access review, it should look to add a review and certification step to handle unusual or highly risky events. Two examples of such events include:

• An individual gaining sensitive, highly privileged access.

• An individual transferring within the enterprise.

Some entitlements are of such an extraordinary nature, such as a group assignment that bestows root-like privileges on a UNIX system, that before they are granted they require more thorough scrutiny. Not only does such an assignment require a more rigorous approval process, it also should merit a complete review of the person and that person's access as a whole. Receiving root-like rights on a development server may not be overly risky, but because the person already has root-like access on the production server, that assignment may become an exception requiring revocation.

In some cases, transferred employees can pose a greater risk than terminated employees because they retain access to systems. The enterprise must examine the transfer process from an access perspective. Using the existing access governance process is an excellent way to address this risk.
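The two event types above can be wired into the existing access governance process as triggers that raise a certification outside the periodic cycle. The following is an added example, not code from the report or any IGA vendor: the list of extraordinary entitlements, the per-department role baselines and the sample user are constructed, and the convention that a privileged grant always scopes the review to the person's access as a whole is the report's recommendation rendered as an assumption in code.

```python
"""Event-triggered certifications for risky grants and transfers.

Added example, not from the report or any vendor. The privileged-entitlement
list, role baselines and sample user are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed: entitlements whose grant always triggers a full review of the person.
HIGHLY_PRIVILEGED: Set[str] = {
    "UNIX-PROD:wheel", "UNIX-DEV:wheel", "AD:Domain Admins",
}

# Constructed role baselines: the access each department's role is expected to carry.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "Operations": {"UNIX-PROD:wheel", "Monitoring:Viewer"},
    "Finance":    {"ERP:AP_ApproveInvoice", "ERP:GL_Post"},
}


@dataclass
class Certification:
    """A review request raised outside the periodic cycle."""
    user: str
    trigger: str                                      # "grant" or "transfer"
    scope: str                                        # "full" = the person's access as a whole
    items: List[str] = field(default_factory=list)    # entitlements the reviewer must scrutinize
    note: str = ""                                    # context shown to the reviewer


def on_grant_request(user: str, held: Set[str], requested: str) -> Optional[Certification]:
    """Called before a grant is fulfilled.

    Returns a certification when the entitlement is extraordinary, otherwise
    None so the ordinary approval workflow applies.
    """
    if requested not in HIGHLY_PRIVILEGED:
        return None
    # Review the whole person, not just the new entitlement: root-like on a dev
    # box is minor on its own, but not when prod root is already held.
    related = sorted(e for e in held if e in HIGHLY_PRIVILEGED)
    note = "already holds privileged access: " + ", ".join(related) if related else ""
    return Certification(user, "grant", "full", sorted(held | {requested}), note)


def on_transfer(user: str, held: Set[str], old_dept: str, new_dept: str) -> Certification:
    """Called on a department change.

    Lists access retained from the old role that the new role's baseline does
    not justify; those entries are the revocation candidates for the reviewer.
    """
    baseline_new = ROLE_BASELINE.get(new_dept, set())
    carried_over = sorted(e for e in held if e not in baseline_new)
    return Certification(user, "transfer", "full", carried_over,
                         f"moved {old_dept} -> {new_dept}")


def sample_events() -> List[Certification]:
    """Constructed: Carol (Operations) is granted dev root, then moves to Finance."""
    carol = {"UNIX-PROD:wheel", "Monitoring:Viewer"}
    raised: List[Certification] = []
    grant_review = on_grant_request("carol", carol, "UNIX-DEV:wheel")
    if grant_review is not None:
        raised.append(grant_review)
    carol.add("UNIX-DEV:wheel")          # assume the grant went through after review
    raised.append(on_transfer("carol", carol, "Operations", "Finance"))
    return raised


if __name__ == "__main__":
    for cert in sample_events():
        print(cert)
```

The grant trigger fires only for the constructed extraordinary entitlements; an ordinary request such as a wiki editor role returns None and follows the normal approval path. The transfer trigger does not decide anything itself: it hands the reviewer the list of entitlements that the new role does not explain, which is exactly the access a transferred employee tends to keep by default.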


Add Risk Scoring

Risk scoring provides an additional level of insight. Assigning risk to users, or access rights, can be done by establishing entitlement-level risk. In some cases, entitlements are flagged as “highly privileged” or “superuser” as a means of denoting elevated risk. Alternatively, a simple “high,” “medium,” and “low” notation can be used to record entitlement risk.

As the certifiers are working through the review phase, the risk scores will be highlighted to help them evaluate whether access should be certified, or revoked. The risk scores can be based on a variety of elements such as number of entitlements granted, toxic combinations, or length of time between system or application access. Some IGA vendors are beginning to offer this capability out of the box.
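A minimal version of such a risk score, combining the three signals just named (weighted entitlement count, toxic combinations, and time since last use) into one number a review screen can sort on, is shown below. This is an added example written for this section, not code from the report or from any vendor's out-of-the-box scoring; the entitlement catalogue, the point weights, the segregation-of-duties pair, the thresholds and the two sample users are all constructed.

```python
"""Entitlement-level risk scoring to guide certifiers.

Added example, not from the report or any vendor's product. The catalogue,
point weights, toxic combinations, thresholds and users are all constructed.
"""
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed entitlement catalogue with a high/medium/low risk tag per entitlement.
ENTITLEMENT_RISK: Dict[str, str] = {
    "ERP:AP_CreateVendor": "medium",
    "ERP:AP_ApproveInvoice": "medium",
    "ERP:GL_Post": "medium",
    "UNIX-PROD:wheel": "high",   # root-like group, tagged as highly privileged
    "HR:ReadOnly": "low",
    "CRM:SalesRep": "low",
}
RISK_POINTS = {"low": 1, "medium": 3, "high": 10}

# Constructed segregation-of-duties rule: creating a vendor and approving
# its invoices is a classic toxic combination.
TOXIC_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"ERP:AP_CreateVendor", "ERP:AP_ApproveInvoice"}),
}

TOXIC_PENALTY = 20        # per toxic combination held
DORMANT_PENALTY = 5       # per entitlement unused for longer than DORMANT_DAYS
DORMANT_DAYS = 90
BREADTH_PENALTY = 1       # per entitlement beyond BREADTH_LIMIT
BREADTH_LIMIT = 5


def score_user(last_used: Dict[str, Optional[date]], today: date) -> dict:
    """Score one user from {entitlement: last-use date or None if never used}.

    Combines the signals the text lists: number (and weight) of entitlements,
    toxic combinations, and length of time since the access was last exercised.
    """
    held = set(last_used)
    findings: List[str] = []

    # Unknown entitlements default to medium rather than silently scoring zero.
    score = sum(RISK_POINTS[ENTITLEMENT_RISK.get(e, "medium")] for e in held)
    for e in sorted(held):
        if ENTITLEMENT_RISK.get(e) == "high":
            findings.append(f"highly privileged: {e}")

    for pair in TOXIC_PAIRS:
        if pair <= held:
            score += TOXIC_PENALTY
            findings.append("toxic combination: " + " + ".join(sorted(pair)))

    for e in sorted(held):
        used = last_used[e]
        if used is None or (today - used).days > DORMANT_DAYS:
            score += DORMANT_PENALTY
            findings.append(f"dormant: {e}")

    if len(held) > BREADTH_LIMIT:
        score += BREADTH_PENALTY * (len(held) - BREADTH_LIMIT)
        findings.append(f"broad access: {len(held)} entitlements")

    bucket = "high" if score >= 25 else "medium" if score >= 8 else "low"
    return {"score": score, "bucket": bucket, "findings": findings}


# Constructed users for a review campaign dated 2017-06-01.
SAMPLE_USERS: Dict[str, Dict[str, Optional[date]]] = {
    "alice": {"ERP:AP_CreateVendor": date(2017, 4, 1),
              "ERP:AP_ApproveInvoice": date(2017, 5, 20),
              "UNIX-PROD:wheel": date(2016, 11, 1)},
    "bob": {"HR:ReadOnly": date(2017, 5, 30),
            "CRM:SalesRep": date(2017, 5, 31)},
}


def score_campaign(users=SAMPLE_USERS, today=date(2017, 6, 1)) -> Dict[str, dict]:
    """Score every user so the review screen can highlight the riskiest rows first."""
    return {user: score_user(ents, today) for user, ents in users.items()}


if __name__ == "__main__":
    for user, result in score_campaign().items():
        print(user, result)
```

The findings list is as important as the number: a certifier shown "toxic combination" or "dormant" next to a row has the context the earlier checklist asked for, rather than a bare score to trust or ignore.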

Consider Costs Before Adding the Next System

For enterprises with homegrown access governance and identity lifecycle management systems, before adding that next application whose access needs to be reviewed and certified, consider the marginal cost. One more application may represent a negligible increase in the overall cost of the access certification program—and if this is the case, then by all means add that application. On the other hand, if the application is not so “negligible” its addition may increase overall costs beyond what the enterprise is willing to stomach. COTS IGA products can be a way to reduce overall program costs while extending the reach and efficiency of the access governance process.

Recommended Path If You Don’t Have an Existing IGA Program

Considering the following recommendation will help enterprises without existing IGA capabilities avoid unnecessary costs and project pitfalls. The cost of supporting an IGA program can be high. This recommendation applies whether the enterprise opts to deploy a homegrown solution, or an IGA vendor-provided solution.

Consider the Workflow Design Before Digging into Technology

People, not plumbing, are the most challenging aspects of IGA. Before designing and deploying any sort of IGA program, consider the workflow processes that will be required to properly evaluate access-related risk. Questions to ponder include:

• Who are the right staff members to evaluate access risk? Do the external auditors have an opinion on this question?

• Is the evaluation of risk being done today in an informal or decentralized manner? Can these efforts be reused and brought into a centralized certification process?

• Is there potential overlap with existing provisioning workflow approval processes that can be mirrored or reused?

Considering these kinds of questions will help design access governance workflows. But it will also point to what kinds of data need to be gathered and which aspects of the context of access are more important to the enterprise.


About TechVision

World-class research requires world-class consulting analysts and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have access to content. We know major technology initiatives involve many different skills set across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real-world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective.

TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the “hype” from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles and a basis for making more informed decisions. We also support vendors in areas such as product and strategy reviews and assessments, requirement analysis, target market assessment, technology trend analysis, go-to-market plan assessment and gap analysis.

TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.


About the Authors

Nick Nikols has more than 25 years of experience in the software industry, architecting solutions and developing innovative products for identity, security and compliance management, as well as directory services and directory/application integration.

Before working with TechVision Research, Nick was Senior Vice President of Product Management and CTO of Cybersecurity at CA Technologies, where he was responsible for CA’s Cybersecurity Product Strategy and Roadmap. At CA, he was particularly focused on modernizing CA’s Identity-centric Security portfolio and successfully promoted CA’s Identity Manager and Access Governance solution into a leadership position within Gartner’s Magic Quadrant for Identity Governance and Administration. Nick was also a Senior IAM Analyst at Burton Group and a Research Director at Gartner.

Vlad Shapiro has more than 20 years of experience in Information Technology, Identity Governance and Administration, Identity and Access Management, Bioinformatics, Data Governance and Data Analysis and Mining. His expertise ranges from mathematical modeling of identity management data and analysis of current Identity and Access Management practices to mastery of IGA program, maturity evaluation and advisory.

Vlad has held senior advisory positions in Identity Governance at several consulting firms. Prior to that he was a Business Development Manager of IGA with Dell/Quest/Voelcker Informatics, where he drove integration of the Voelcker technology into the Quest portfolio. Vlad is the author of the Costidity concept, the human factor in IT Security and IGA. He published “Costidity: The Cost of Human Factor” in 2016.


Other related TechVision Research works

Identity is the New Perimeter

Authors: Doug Simmons – Managing Director, Consulting / Principal Consulting Analyst, Nick Nikols – Managing Director, Research / Principal Consulting Analyst, Gary Rowe – CEO/ Principal Consulting Analyst, Gary Zimmerman – CMO / Principal Consulting Analyst

Cloud-based Identity Management

Authors: Nick Nikols – Managing Director, Research / Principal Consulting Analyst, Gary Rowe – CEO/ Principal Consulting Analyst

Banking on Identity

Authors: David Goodman, D. Phil, Principal Consulting Analyst, Rhomaios Ram, Principal Consulting Analyst

Getting to Know Your Customers: The Emergence of CIAM

Authors: David Goodman, D. Phil, Principal Consulting Analyst

Blockchain-based Identity Management

Authors: Doug Simmons – Managing Director, Consulting / Principal Consulting Analyst

Context-based Identity Management

Authors: David Goodman, D. Phil, Principal Consulting Analyst

The Future of Identity Management

Authors: Doug Simmons – Managing Director, Consulting / Principal Consulting Analyst, David Goodman, D. Phil, Principal Consulting Analyst, Gary Rowe – CEO/ Principal Consulting Analyst, Bill Bonney – Principal Consulting Analyst