As the Identity Governance and Administration (IGA) market matures, enterprises are confronted with choosing between a best-of-breed solution for IGA or an Identity and Access Management platform that offers IGA as a feature. To help you make an informed choice, Omada Vice President of Product Strategy Rod Simmons and senior solution architect Craig Ramsey facilitated a webinar, Decoding the State of IGA 2024. Simmons and Ramsey based their remarks on the findings of a late 2023 study that Omada published as The State of Identity Governance 2024. This report in part delivers insights from more than 550 IT security and business leaders on what features they value most when looking for new IGA solutions.
According to The State of Identity Governance 2024 report, nearly 84 percent of modern IGA users agreed that their organizations tend to choose best-of-breed identity governance and administration solutions rather than IGA from a single product platform play offering multiple solutions. In the webinar Decoding the State of IGA 2024, attendees were also asked their opinions about this in an informal live poll. They responded similarly, with three in four participants agreeing their organization would choose a best-of-breed IGA solution over a platform play.
In this post, you’ll learn the real-world implications uncovered in the webinar of choosing – or not choosing – specific characteristics and features in your identity governance solution and how to get it right the first time.
A ‘good enough’ IGA solution is neither good nor enough
These findings speak to the relevancy of IGA as an issue and the importance organizations place on solving the problem. When IGA solution providers speak with IT and business leaders about choosing best-of-breed IGA over a platform play, they frequently ask: “Do you want the best product, or do you want a ‘good enough’ product?” Choosing a best-of-breed product ensures you put your best foot forward for securing the enterprise and must be a cornerstone of your overall strategy. There are places where good enough is sometimes good enough, IGA is not one of those places.
Organizations must look beyond analysts’ rankings of a solution as “best” and determine if it’s the best for their enterprise. Too many times, an organization will say they are looking at a particular vendor from which they are already buying other solutions and claim they can get that vendor’s IGA offering for free. The vendor gives them a checklist of features, but these features oftentimes do not address the organization’s specific business needs. To get the right solution the first time, you must take the time to map your use cases to the features of the solutions you consider. In any case, the most sensible solution must be highly adaptable to how your enterprise runs and highly configurable to your business processes.
Another consideration is finding a solution that is adaptable and configurable right out of the box. You do not need a product that requires your team to write thousands of lines of code to work. You need a solution that easily molds your existing workflows. It’s not simply a checkbox on a features list. The devil is in the details. It is not sufficient that a vendor offering can ‘do’ something. That is a flawed concept. The right question is, “What is it going to take on your end to make it work in your business process?”
In addition to adapting to how your enterprise runs now, you must also consider future business processes. Will your IGA solution map to your business as it evolves? Will you be able to mold the product to map new processes or will there be trade-offs? With platform plays, many people find the trade-offs unacceptable because they cannot get the IGA product to work within their business processes.
Look at choosing an identity management solution similar to a jet engine. The engine is an amazing feat of engineering, with many different vendors each supplying very specific elements. To ensure the engine is of the highest possible quality, you must ensure each element is the best. Nobody would fly on a plane that is powered by an engine with some inferior quality components, even if it were less costly. This analogy suggests the importance of the convergence of solutions into a joined view of identity risk. This is what many industry analysts are calling an identity fabric, and it doesn’t necessarily have to be a platform. Your identity vendor must offer an enriched security ecosystem that provides the required level of detail and shares relevant data context such as risk-related data for identities under management.
The most important features required in an IGA solution in 2024
The State of Identity Governance 2024 reports that more than 50 percent of respondents believe adaptability to their organization’s specific requirements, a connectivity framework that supports any application and infrastructure, and generative AI are among the most important when evaluating a new IGA solution.
Modern IGA must adapt to your requirements today and in the future
Organizations must ensure their best-of-breed IGA solution aligns with business requirements and provides connectivity and strong automation capacity to support complex identity workflows, plus well-documented best practices and processes. As business processes get more complex, the solution must be able to quickly ingest and process data. This provides a solid foundation on which organizations can build more sophisticated functionality (e.g., generative AI) that increases compliance, overcomes the shortcomings of perimeter security, and boosts efficiency and productivity.
Flexible connectivity is a must-have
In real-world scenarios, everyone understands that no vendor supports all applications. Historically this reality is a principal reason many enterprises chose to build their own IGA or adopt solutions that offered high levels of customizability. As business processes have evolved, this approach has become unsustainable. Your modern IGA solution must provide the flexibility needed to integrate with any application; not just known applications but future applications as well. This includes APIs that provide the creation of accounts and management of users for all applications per the identity lifecycle policies that a business requires.
Generative AI is a driver of IGA improvements
The key to leveraging generative AI for better IGA is identifying the right use cases and having the right data, which is easier said than done. Before generative AI or any form of AI or ML can help, users must establish the readiness of the data to be used for analysis so that it can help solve a business issue using AI/ML in the first place. The adage, garbage in, garbage out applies here. If there is no proper context or a robust definition of identity within your data model in the first place, no automation, AI, or otherwise is going to help to clean up your data. Adoption of AI and ML therefore could come in phases as the identity data is cleaned up, properly modelled, etc.
Once the identity data is sound, the first step in creating automation is getting users to the point at which they are willing to relinquish manual control in favor of automation to make IGA easier for them. This requires users to recognize business problems and work toward using data and analysis to solve them. Trusting the recommendations of machine learning or generative AI is an earned activity, meaning that it is not something people will generally trust out of the gate.
Consider the access request process as a potential use case for generative AI, as it could help organizations inform the process by automating the understanding of what a user is looking for and how the solution has handled this request for the user’s peers. In the end, generative AI must operationalize ML analysis for roles as an example, to make the user experience better than it is now by offering meaningful suggestions or recommendations.
Create a modern IGA that grows with your organization
The real value of a best-in-breed IGA solution is how it enriches an organization’s overall security system, how it contributes to the development and maintenance of a mature zero-trust security model, and how it helps organizations make smarter strategic decisions.
Read The State of Identity Governance 2024, and learn how IT and business professionals are modernizing IGA to meet ever more sophisticated security challenges. Watch Decoding the State of IGA webinar on-demand where Omada Vice President of Product Strategy Rod Simmons and senior solution architect Craig Ramsey break down the findings from the report and explain how these important trends are shaping identity and access management strategy.
This is the last blog of a four-part series covering the highlights of Omada’s webinar, Decoding the State of IGA 2024. Read the previous blog in the series, How Your Organization Can Manage Unnecessary User Access and Accounts with Excessive Permissions here.
