For many organizations, working with the current identity access management (IAM) and identity governance and administration (IGA) solutions is like driving a 20-year-old car: it gets you from A to B and may look fine from the outside, but when you consider its safety standards, its high fuel consumption, the costly breakdowns you’ve had recently and the increasing challenge of finding a mechanic who still knows how to fix it, you realize it’s time for a new set of wheels. The same is true for your legacy identity management system.
The shortcomings of legacy solutions
Gartner noted recently that “many organizations waste time on legacy security technologies that have lost efficacy.” If it’s accounting software or the team’s messaging app, perhaps companies can get away with the inconveniences of legacy technology – but not when it comes to security.
Legacy solutions have painted themselves into the corner of maintaining a large amount of custom code. This makes upgrades costly, so they don’t happen. That means customers suffer by not being able to adopt new features, bug fixes and new capabilities to support their new business and compliance requirements.
The primary reason why legacy software projects don’t get fully completed and go over budget is known as the 80/20 rule. Organizations can solve 80% of the problems or challenges they have with the software as it is, but everybody wants to solve that last 20%. And that 20% isn’t a quick fix – it takes 10 times the amount of time that first 80% took. Understandably, organizations want to try to tackle the more challenging problems, which always require high customization.
It’s very difficult for organizations to maintain the highly customized code that the first generation of IGA products required in their environments. Every one of those code changes then needs to be maintained. But modern IGA has learned from all the coding requirements of the past and now provides a much simpler way to give users different levels of access.
The cloud and modern IGA solutions
The identity governance and administration market started with highly regulated businesses. However, all industries are now impacted. While IGA aids many organizations with achieving compliance, it’s not just about compliance – it’s also about security and efficiency. More specifically, IGA is all about security automation, as it enables organizations to achieve the needed efficiency, speed, accuracy and consistent output, and to do so at scale.
Software-as-a-Service (SaaS) makes it possible to deliver value in a shorter timeframe, which drives down the cost for organizations. This also makes these products more accessible to smaller organizations.
Best practices for IGA
There are five best practices to keep in mind as you embark on the journey to upgrade your legacy IGA system to a full-featured, cloud-architected IGA solution:
Bring key stakeholders to the table – IGA projects are less about technology and more about a business project. Thus, multiple stakeholders across the business and IT need to be aligned. Engage people early to get buy-in. You have to sell people on the benefits as well as identify and address any issues to define what success looks like.
Automated feeds – If you really want to operate at the speed of business, it is important that the system can react to changes. This requires a core understanding of the relationship of identities to entitlements, to business roles, processes and the organizational structure, and relies to a large extent on automated processes.
Start small – Most projects fail because they try to adopt too much, too fast. Get early wins and learn from mistakes quickly so you can evolve and expand your project.
Fit-gap approach – Map business priorities to identity best practices. Best practices describe how you should do identity; where you deviate, justify why. Then document and move forward.
Phased approach – Similar to starting small, a phased approach lets you go live and demonstrate value to the business in three months. Remember, this is about a model of organization, policy and business logic. The three phases should be:
- Gain control and get an overview of the situation on your most critical systems, and remediate findings
- Perform recertification
- Expand automation and add more processes, such as identity lifecycle, automated policy assignment and access requests
It’s time to trade in the car, but you don’t want to go from one clunker to another. You want to find out what’s on the market now and which options will add value to your life quickly and don’t require a ton of maintenance.
When it comes to managing digital identity and access rights across multiple systems, full-featured, modern, cloud-architected IGA does away with complex customization and time-consuming maintenance, while providing the full governance needed to maintain compliance. This creates a more secure and efficient approach. Use the best practices listed above to adopt a streamlined process that facilitates the management of digital identities.