Fifteen years ago, there was a revolution in personal music players. The market had slowly evolved from the Walkman to the Discman, when a bolt of innovation brought the MP3 player. Finally, the problem of having all of one’s music anywhere was solved with a single device, not a device plus a bag full of whatever physical media was popular at the time.
History clearly shows that the iPod and a few of its competitors were very successful in driving revenue and taking market share away from the legacy personal music players. History also shows that the reign of these devices was short-lived. Just a decade after the release of MP3 players, they were almost entirely replaced by personal music player technology on a smartphone. Why did this happen?
The world slowly realized that the way MP3 players solved the problem of “my music anywhere” carried a cost that significantly reduced the value of the solution. You had to carry a phone and an iPod, keep them both charged, and, in many cases, keep both synced with your PC.
Today, stand-alone PMPs are purely niche devices for specific use cases while everyone else plays music through their phones. The smartphone is the perfect platform to consolidate the “music anywhere” capability with the messaging, mapping and gaming anywhere that those platforms provide. This allows you to carry, charge and sync only one device and manage one set of configuration settings.
Having spent the last decade in the identity governance market, I believe a similar sea change is about to happen. Identity governance solutions require the following set of capabilities:
1. Lifecycle management
Organizations need to provide some set of automation that follows a knowledge worker (employee, contractor, partner, etc.) from the time they start their association with the company until they end their relationship. This automation should be responsible for giving each knowledge worker access to the core set of applications they need to do their jobs, from their first role throughout many possible promotions and role changes over the years.
This capability is critical as it provides the organization the speed and agility it needs to ensure everyone can spend their time working, as opposed to dealing with the IT team. Additionally, at every step in the lifecycle, permissions that were relevant to the previous job role but are no longer needed should be removed to maintain a least-privilege security stance. This process typically concludes at the end of a long employment journey, which conceivably included many role changes, where it is critical to ensure that the departing team member no longer has access to ANY company resource.
2. Self-service access request
Automated lifecycle management is critical but even the most organized enterprises can’t predict all of the applications and data a particular colleague will need. Projects come and go, oftentimes staffed with matrixed teams, making it hard to completely define every application an employee will need for all their duties. This is where self-service access request comes in. This capability enables all knowledge workers to simply request access to an application when the need arises through an online portal.
These requests are then evaluated against compliance and security policies and routed directly to the application owner or the employee’s manager for approval. If approved, the new application permissions are fulfilled automatically, with the IT group involved only in defining the key policies and workflows. This approach allows the business to manage day-to-day decisions over business data access, which is critical to ensuring speed and competitiveness.
3. Automated access certification
The Sarbanes-Oxley Act of 2002 made a huge impact on organizations of all types. It was followed by a continuously growing set of additional regulations, such as HIPAA and GDPR, all of which focused on the need for documented and provable controls on all manner of systems and data. Access to applications and the data inside them was a key control metric in all of these regulations.
Access certification is the process meant to arm internal teams with the data they need to prove compliance with these external regulations, or in some cases just with internal policies. Access certification requires that, on a regular basis (usually every quarter), application owners review the users and permissions that have been assigned within the applications they are responsible for.
During this process, each combination of user, application and permission must be certified, or attested. In cases where a user is believed to have more permissions than they need to do their job, those entitlements are flagged for removal. Organizations used to perform these functions with spreadsheets and email (some sadly still do), but today this functionality is typically automated through Identity Governance and Administration (IGA) solutions.
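The joiner/mover/leaver rules and the certification check described above, reduced to set operations over a role-to-entitlement model. This is an added example, not code from the original article; the role names, applications and entitlements are constructed.

```python
from typing import Dict, Set, Tuple

Entitlement = Tuple[str, str]  # (application, permission)

# Constructed sample data: the "core set" of entitlements each job role needs.
ROLE_ENTITLEMENTS: Dict[str, Set[Entitlement]] = {
    "accountant": {("erp", "post_journal"), ("erp", "view_ledger"), ("mail", "user")},
    "controller": {("erp", "view_ledger"), ("erp", "approve_payment"), ("mail", "user")},
}


def plan_joiner(new_role: str) -> Set[Entitlement]:
    """Joiner event: grant exactly the core set for the starting role."""
    return set(ROLE_ENTITLEMENTS[new_role])


def plan_role_change(current: Set[Entitlement], new_role: str) -> Tuple[Set[Entitlement], Set[Entitlement]]:
    """Mover event: returns (grants, revokes) for a promotion or role change.

    Only entitlements the new role also needs survive; everything else the
    user accumulated (previous role, one-off requests) is revoked, which is
    what keeps the account at least privilege over a long career.
    """
    target = ROLE_ENTITLEMENTS[new_role]
    return target - current, current - target


def plan_departure(current: Set[Entitlement]) -> Set[Entitlement]:
    """Leaver event: every remaining entitlement is revoked, no exceptions."""
    return set(current)


def certify(current: Set[Entitlement], role: str) -> Dict[str, Set[Entitlement]]:
    """Quarterly certification: split a user's entitlements into those the
    role justifies ("certified") and excess ones to flag for removal."""
    justified = current & ROLE_ENTITLEMENTS[role]
    return {"certified": justified, "flagged": current - justified}


if __name__ == "__main__":
    # An accountant who also picked up a file share via self-service request.
    held = plan_joiner("accountant") | {("fileshare", "finance_q3")}
    print("certification:", certify(held, "accountant"))
    grants, revokes = plan_role_change(held, "controller")
    print("promotion grants:", grants, "revokes:", revokes)
    print("departure revokes:", plan_departure(held))
```

The self-service grant is the one item the accountant's certification flags, and a promotion to controller revokes it along with the old role's posting right.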
4. Auditing and analytics
The average number of applications for an enterprise organization with more than 5000 employees is now more than 400. Assuming each application has only two types of permissions (which understates reality), this gives organizations more than 4 million possible entitlements that are changing all the time and need to be tracked.
The main value proposition IGA solutions can provide is to consolidate and present this ever-changing data in a way that makes sense to mere mortals. At its core, this provides the value of visibility, but the value explodes during preparation for an audit. What used to take months of manual work now takes days of preparing for that team of auditors. Modern IGA systems now also frame this information with signals from other silos (GRC, Incident Response, SIEM) to make the data even more usable to audit and risk teams.
These four capabilities sound simple on the page but in practice can be very difficult to implement. This is one of the reasons people have been making stand-alone IGA solutions for more than 15 years now. This is a complicated problem that the market has met with complicated solutions.
And after 15 years, we still see that most IGA programs are categorized as “at risk,” meaning there is a gap between the value expected at program start vs. current reality. I firmly believe we are about to see a revolt against big, heavy solutions to this problem. This revolt will not be just because people are tired of projects that are 3 years behind and 200 percent over budget. People are also starting to see similarities in this problem set to the other IT challenges their organizations have been solving.
In the case of IGA, a high-level view of the solutions shows that the main needs of an effective solution include:
- Connectivity to key IT systems
- Consolidation and presentation of data from multiple systems
- Strong workflow-based automation
- Interfaces that all stakeholders can use
Coincidentally, these same building blocks are also key to many of the IaaS and PaaS solutions that have become so popular over the past decade. The very reason organizations invest in platforms such as AWS, Azure, ServiceNow and others is to provide a foundation for all IT workloads to take advantage of. These platforms are the smartphones of enterprise IT, allowing applications to be created that take advantage of these key building blocks and are easier to integrate with the rest of the critical IT systems.
Frustrated IGA program owners are ready to ditch the stand-alone solutions (MP3 players) and take advantage of what these platforms can offer by using IGA solutions that are built directly into these key platforms. We have already proven that the current path of making bigger and more powerful siloed solutions results only in vendor growth and doesn’t solve the problem. As these new solutions gain adoption, we will see benefits beyond just reduced complexity and friction.
Just as when we started listening to music on our phones, we immediately saw the obvious benefits. But over time, the market found new benefits that nobody had even dreamed about when this phase began. Without the move from PMPs to phones we would not be able to “share” music via social media and messaging, nor do I believe streaming music would have taken off without the phones’ built-in connectivity.
Building IGA solutions on top of key IT platforms will open the door for many similarly valuable integrations. As more people run Human Resources, Incident Response and GRC on these platforms, there will be many integrations that can ONLY be done by IGA solutions that live natively on that same platform.