Identity Governance: Balancing cost reduction with effective risk management

Identity Governance: Balancing cost reduction with effective risk management

David Morimanno, Director of Identity and Access Management Technologies, Xalient, on the implications of Identity Governance and Administration (IGA).

Cost reduction is a top priority for many organisations, leading to the adoption of various technologies to automate tasks and improve efficiencies for cost savings.  However, minimizing risk should also be a key objective for every business.

To achieve this, companies are looking into Identity Governance and Administration (IGA), which is a policy framework and security solution for automating the creation, management, and certification of user accounts, roles and access rights.  This ensures consistency, efficiency and improved awareness, all of which are essential for reducing security risks.  However, implementing IGA can often be seen as a laborious task that gets abandoned before the business experiences the benefits it has to offer.

The Perception Versus Reality of Automation

Often those in leadership positions believe that automated solutions such as IGA will help address a skills shortage and allow them to continue business as usual with a reduced staff count. However, the reality is quite different.  Instead of operating with fewer employees, automated solutions often require reallocating skills to other areas.  IGA automates various functions and eliminates the need for human intervention in many manual tasks. This is especially true in the ‘joiner, mover, leaver’ space, where IGA has proven to be beneficial in setting up, removing or restricting access to files, applications, and data for new hires, employees changing roles or those leaving the organisation.

One drawback of IGA is its limited awareness of the environment it has been given access to.  If not properly configured and given visibility across all relevant environments, it may not prevent access to files and data it is unaware of. Thus, it requires expertise to evaluate the landscape and determine where authentications and authorizations are happening on-premise. Additionally, it relies on an ecosystem that includes Cloud Infrastructure Entitlement Management (CIEM) to explore the cloud and network, as well as Hardware Asset Management (HAM) and Software Asset Management (SAM) to provide greater insight into access management through application inventory. This ecosystem helps uncover unknown elements and provides essential awareness of the environment, as protecting what is unknown is often challenging.

However, implementing IGA requires an upfront investment in time and money, but it does not reduce the staff count.  This might lead to the incorrect perception that it is costly and not worthwhile.

Access Certification and Risk Management

It is important to understand the business’s goals for governance and accessibility and evaluate its efforts to achieve these objectives. Typically, organisations manage the ‘joiner, mover, leaver’ process manually which is not only time-consuming but also a flawed process. Often, the team responsible for managing access control during employee transitions is so occupied with manually assigning access certifications that they are unable to focus on other security issues within the business. This poses a greater risk to the organisation than issues of accessibility and governance.

To overcome this, companies need to adopt a systematic and strategic approach to implementing IGA. This includes evaluating the current situation, documenting processes and responsibilities, and understanding the actions and reasons behind them. With this insight, companies can determine how to adjust processes, realign personnel and skills, and improve efficiency with the help of IGA. This approach reduces potential risks, provides visibility into granted access and facilitates better management of the process, leading to improved efficiencies and reduced security risks.

This has a knock-on effect in onboarding staff in a faster and more consistent manner. For staff who move roles, a more complex process due to associated variables, access is automatically reassigned based on their new role requirements. Unlike before, where they would retain their legacy access, movers will have access specific to their new job.  In the case of employees leaving the company, all access will be terminated automatically and with confidence. Unfortunately, this hasn’t always been the case as companies have often neglected to revoke access immediately when employees leave, posing a significant security risk to the organisation.

Getting Governance Right

With IGA, companies are better positioned to meet compliance and governance requirements. It uses AI to simplify the process by automating access certifications and adding a layer of intelligence that gives insight into entitlements. This creates a translation layer that explains who has access and to what. Typically, the access certification process is highly complex and rarely linear, resembling more of a spider’s web than a simple step. Managers need to assess everyone in the organisation against their access and approve it regularly, but due to other priorities, this activity may not get the attention required for a full audit and review. As a result, it often gets the rubber stamp of approval without thorough scrutiny.

For IGA implementation to be more effective, it should be aligned with Privileged Access Management (PAM) as part of the broader Identity Security framework. It’s important to note that there is no predefined order in which these solutions should be implemented, as each company has specific requirements and use cases that will determine which solution to implement first.  Engaging with experts to assess the requirements, gain an understanding of the business objectives, and build out a road map will help companies decide on the approach to take when starting the Identity Security journey. 

Whether starting with PAM or IGA, organisations must not try to finish implementing one solution before moving on to the next, as these solutions should form part of an overarching programme and ecosystem, working together as part of the broader Identity Security landscape.

Browse our latest issue

Intelligent CIO Europe

View Magazine Archive