The Business Case for Moving on From Your Legacy IGA System

By Stephen Lowing, VP Marketing at Omada

October 12, 2023

Keeping your legacy Identity Governance and Administration in place may seem easier, but not migrating your legacy system costs more in the long run.

Organizations find themselves in one of two camps regarding their legacy Identity Governance and Administration (IGA) system: those already struggling with challenges that limit their ability to manage identities effectively, and those that soon will be. Information security leadership worldwide is responding to this challenge. CISOs in a 2022 survey reported that 46% of cybersecurity budget increases in 2023 were planned to bolster identity and access management (IAM), encompassing identity governance and administration (IGA), privileged access management (PAM), authentication, and machine identity management.

Many organizations have a great deal of work to do in this area. In 2021, Gartner reported that an estimated 50% of IGA deployments are in distress, meaning they have failed to achieve functional, budgetary, or timing commitments. Organizations dealing with a distressed deployment, or anticipating future distress, must recognize that continuing to operate and maintain a legacy system built on outdated technology that no longer supports business operations and cannot meet future compliance requirements will be the more costly decision over time. As day-to-day operations become more sophisticated, the cost of maintaining legacy systems will continue to rise.

Replacing legacy systems with newer technology requires getting key stakeholders (e.g., IT security staff, compliance professionals, business application owners, team leads, auditors, etc.) on board early in the project. The most straightforward way to do this is to understand what they get (and don’t get) from the legacy system and to provide quantifiable reasons to move on from the outdated technology. Show the hidden costs of maintaining legacy systems and explain how migration saves time and money. Whatever legacy system migration strategy you choose should reflect stakeholders’ input and show bottom-line benefits for business processes.

In this post, we’ll explain why organizations are still using legacy IGA systems, articulate legacy system migration challenges and risks, and show why it’s time to move past outdated systems and implement legacy system migration.


What is a legacy IGA system?

A legacy or in-house (home-grown) IGA system is a solution purpose-built to enable a specific set of users in a specific place to access specific data and application assets. IGA using a legacy system most often requires an administrator to perform a manual process whenever a user’s status or level of privileged access changes. Legacy systems frequently require custom coding to integrate with an environment. Additional coding is often necessary whenever an organization’s infrastructure is patched or updated. Legacy system examples usually feature software developed using now obsolete, unsupported technologies.


Why are legacy systems still used?

Upkeep of any legacy system is time-consuming, expensive, and resource-intensive; legacy applications often require multiple full-time staff to manage them. However, many organizations see their legacy system as crucial to business operations and believe the risks of a legacy system migration are too high to justify discarding it.


The main risks of forgoing an IGA migration

Aside from needing to deal with obsolete and unsupported operating systems, there are many other security and performance risks associated with not engaging in the migration of a legacy system. Here are some of the major ones:

  1. Restricted scalability. As your business becomes more complex, it is unlikely that your legacy system will be able to provide the functionality to address it.
  2. Limitations of complex customization. Legacy systems often require custom code for integration into applications and data stores. This custom code often contains significant security vulnerabilities. Over time, these environments become harder to maintain because the people who developed them move on to other projects or leave the organization. The resulting flaws can undermine security measures and dramatically increase the risk of security breaches.
  3. Unable to “right-size” access throughout the identity lifecycle. Legacy systems cannot automate access control, compare access rights and accounts in their current state to their desired state, and ensure that identities are correctly provisioned from on-boarding to off-boarding. Performing these functions with legacy systems requires error-prone, resource-intensive manual processes to complete. Modern systems enable administrators to automate tasks like provisioning, risk assessment, and access certifications. By automating these processes, administrators guarantee that employees have access to the resources they need to be productive from day one.
  4. Inability to easily integrate with SaaS applications. Legacy and homegrown IGA systems cannot seamlessly integrate IGA processes across their entire organization without costly code customization. Legacy systems cannot help organizations manage environments, set up new ones, edit current ones, or delete outdated ones. When cloud platforms push updates, perform maintenance, or apply patches, legacy systems must make time-consuming, complex, and error-prone efforts to keep up. Legacy systems cannot rapidly onboard their applications and cloud services or provide support for industry-standard protocols like SOAP, SCIM, and REST without a significant customization effort. Further, data and applications hosted in cloud environments may be distributed across multiple servers and locations and cloud service providers frequently change how they manage the assets they host. Legacy systems can’t keep up with identity and access management in these environments. After implementing data migration to the cloud, a modern IGA platform enables administrators to use a configurable connectivity framework to easily integrate applications, eliminating the need for any custom development, additional staff, or outside management.
  5. Cannot gain actionable insights. Legacy systems do not offer organizations clear visibility into critical environments. It is difficult to see who has access to what systems, who is requesting access, and which identities may be high-risk. There is no easy-to-understand way to monitor access rights and see which users are high-risk. The absence of real insight makes investigating suspicious behavior a complex and time-consuming process and legacy systems cannot automate the push of certification campaigns when violations are detected. Legacy systems do not provide comprehensive logging that enables administrators to have a full audit trail of user access, including business justifications.


What does moving from a legacy system to a modern IGA do for your organization?

  1. Eliminates manual processes. If you are still using a legacy IGA, your administrators are likely still doing access certifications and identity governance out of spreadsheets and email exchanges. Automating manual processes with a modern IGA solution frees up valuable employee time and raises productivity.
  2. Eliminates audit fines. Legacy system migration removes the risk that former employees still have access, that a user has inappropriate access to assets, or that user access flagged by a certifier for revocation was never removed. A modern IGA, properly configured, guarantees your whole stack is compliant. Centralized, automated management of access governance processes and related regulatory controls ensures the maintenance of proper compliance. This makes boards, executive leaders, and auditors happy.
  3. Enables people to do their jobs. Legacy IGA is a huge drain on employees’ time and talent. People who were hired to work on strategic projects get stuck with provisioning requests and waste time waiting for approvals. Coders are in a running battle with unsupported, outdated legacy systems. Modern IGA helps improve productivity and morale while lowering labor costs and turnover.
  4. Jumpstarts innovation. When organizations are busy putting out fires, it’s hard to accelerate innovation, boost sales, and increase productivity. A modern IGA frees up resources to redirect toward investments in initiatives to make the organization more efficient and competitive.
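
The desired-state comparison described under risk 3 above, and the leaver, stale-certification and orphan-account failures called out under benefit 2, can be made concrete as a reconciliation check. The following is an added example, not Omada's code or the IdentityPROCESS+ framework; the HR roster, role model, application export and certification decisions are constructed sample data, and the finding names are assumptions of this example.

```python
# Constructed sample data (not from any real system). Desired state comes from HR plus the role model.
HR_ROSTER = {
    "alice": ("active", "finance"),
    "bob": ("terminated", "engineering"),
    "carol": ("active", "engineering"),
    "dave": ("active", "finance"),          # active in HR but never provisioned
}
ROLE_ENTITLEMENTS = {
    "finance": {"erp_reader", "erp_poster"},
    "engineering": {"git_push", "ci_admin"},
}
# Current state: accounts and entitlements exported from the target application.
APP_ACCOUNTS = {
    "alice": {"erp_reader", "erp_poster", "ci_admin"},   # ci_admin is outside her role
    "bob": {"git_push"},                                  # leaver still holds access
    "carol": {"git_push", "ci_admin"},                    # matches desired state
    "svc_legacy": {"erp_poster"},                         # no HR owner: orphan account
}
# Revocations a certifier approved in the last campaign but nobody executed.
CERT_REVOCATIONS = {("alice", "ci_admin")}

def reconcile(roster, role_entitlements, accounts, revocations):
    """Return (kind, identity, entitlement) tuples describing drift from desired state."""
    findings = []
    for account, granted in sorted(accounts.items()):
        if account not in roster:
            findings.append(("orphan_account", account, ""))
            continue
        status, role = roster[account]
        if status != "active":
            findings.append(("leaver_with_access", account, ""))
            continue
        desired = role_entitlements.get(role, set())
        findings += [("excess_entitlement", account, e) for e in sorted(granted - desired)]
        findings += [("missing_entitlement", account, e) for e in sorted(desired - granted)]
    # Joiners who exist in HR but have no account yet cannot be productive on day one.
    for identity, (status, role) in sorted(roster.items()):
        if status == "active" and identity not in accounts:
            findings += [("missing_entitlement", identity, e)
                         for e in sorted(role_entitlements.get(role, set()))]
    # A certifier's revocation decision only reduces risk if the access was actually removed.
    for identity, ent in sorted(revocations):
        if ent in accounts.get(identity, set()):
            findings.append(("revocation_not_enforced", identity, ent))
    return findings

if __name__ == "__main__":
    for kind, identity, ent in reconcile(HR_ROSTER, ROLE_ENTITLEMENTS, APP_ACCOUNTS, CERT_REVOCATIONS):
        print(f"{kind:24} {identity:12} {ent}")
```

Each finding maps to a remediation an IGA workflow would drive automatically (disable the leaver, remove the excess entitlement, provision the joiner, escalate the unowned account); the manual alternative is exactly the spreadsheet-and-email process the post describes.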

Working with key stakeholders early in the project to quantify these benefits will make your migration project go more smoothly. Also, make sure you have a proven framework in place to facilitate your modern IGA deployment. Get the IdentityPROCESS+ framework from Omada.
