Omada is a leader in Intelligent Identity Governance and Administration. We help our customers deploy a full-featured IDA as a service solution within 12 weeks with the Omada Accelerator Package.
Identity governance and administration (IGA) is an important tool that helps organizations ensure that the right people have the right access to the right resources for the right reasons at the right time.
When deployed properly, IGA helps ensure that everyone has access to the applications and data they need to perform their jobs, and security and audit teams have all the proof on the back end that access is up-to-date, and no excessive privileges or entitlements are granted.
However, IGA is notoriously challenging for many organizations to deploy as it touches nearly every person in the organization, every application, all the infrastructure, and every dataset across increasingly heterogeneous IT environments. Why deployments stall or fail can be boiled down to three main tenants:
In this guide, we describe the most common pitfalls that can sink an Identity Governance program, and provide useful tips and tricks on how to avoid them.
In the next sections, we discuss the 6 most common pitfalls of IGA deployments and provide practical tips to avoid them to ensure a successful Identity Governance program.
Many IGA programs go wrong because organizations do not go in with their eyes open to the full magnitude and scope of the desired effect of what they are trying to accomplish. With IGA, it is very important to be aware of the fact that IGA is meant to be a program and not a project.
The distinction is very important, as a project is a single, focused effort, whereas a program is an amalgamation of many projects over a continuous timeframe with a unified goal. However, many deployments go off the rails because they do not consider the organization’s broader objectives and key performance indicators.
In Byers’s Guide for Identity Governance and Administration, Gartner states that “Many IGA projects come about because of a production issue, like an audit finding or a data breach, and buying initiatives follow a firefighting pattern, often skipping ideal planning steps. These challenges increase the probability of security and risk management leaders picking a wrong solution that is strategically misaligned with line of business (LOB) and stakeholder requirement.” Because of the ‘pants on fire’ approach that many businesses take when deciding to undertake IGA, sometimes the approach can be so single-minded that other critical components get overlooked.
Too often, IGA is considered a technology problem that falls exclusively to IT and the security team to administer and deploy. Typically, IGA will require connectivity to multiple authoritative sources, which can include directory services, HR systems, and more. This inherently requires buy-in from members of all departments, as each respective department will likely have expertise on the functional use of applications that IT simply does not.
This is a common pitfall for Identity Governance programs because of the organizational impact that the tool should have when deployed properly. Without organizational buy-in, IGA tools will fall back to IT to manage, measure, and scale, and this will result in stunted growth.
Further, for programs that are technical in nature, it is easy to think that technical people are the only ones who can be trusted to administer the solution. This means enlisting the help of people with Java, Python, or developer skillsets, but it also leads to an inherent shortage of people who can assist in the deployment and scale of the IGA program. Ideally, an IGA solution should be comprehendible for all members of the organization, but minimally invasive in day-to-day operations.
When dealing with identity management and security, often people will have multiple identities, roles, and entitlements that need to be identified, gathered, and consolidated. This data often lives in multiple identity providers (IdP), HR systems, ERP software, and more. Each application has their own way of registering data and can also introduce multiple entries, for instance, a title could be entered in one system as “Systems Administrator” another has the same person’s title as “System Administrator” and yet another that has “Systems Administrator II” which can wreak havoc if not fuzzy matched. Many systems also contain duplicate records of people, job titles, projects, and more that can further muddy the water of what is real and what is not.
Bad data has a direct impact on businesses bottom lines and productivity. This can rear its ugly head with Identity Governance programs and have a snowball effect where bad data is imported into the IGA system from various authoritative sources, which then serves as the foundation for further bad data, leading to misassigned access and entitlements. And so on, and so on. It can also lead to business partner accounts that do not have proper ownership, exacerbate a problem with orphan accounts, over-permissioning, under-permissioning, and general lack of oversight into who has access to what, why, and when.
Sources: 1) Journey to AI Blog – The IBM Data and AI Blog. 2) The Real Cost of Bad Data. 3) How to Stop Data Quality Undermining Your Business
A key feature of an IGA solution is the ability to assign access rights to groups of people based on their job function, title, department, and so on. However, when implementing IGA, far too many teams focus on the exceptions and not the rules.
This comes from overcomplicating the birthright process by getting away from the very thing that makes role-based access control useful. Ideally, birthrights should be applicable across the organization, and will enable an organization to quickly provision access to a baseline of applications that people need to be productive, and can include email, communication channels, benefits software, and more. However, what it should not include, is anything that is not broadly applicable to people throughout a given role or job function.
Too many organizations are so eager to assign fine-grained access rights and entitlements to each individual member of the organization that they overlook the basics and inadvertently overcomplicate things. This can lead to great confusion from department to department as they comb through granular roles to identify who they apply to (or don’t), and massive effort in maintaining roles. Roles, like people, will change as organizational needs change, and can quickly become outdated, particularly if they are over-engineered.
It is tempting to buy software, particularly software as a service, and try to bend it to fit the exact specifications of the business. After all, each business does things a bit differently, with different combinations of products they sell, applications they use, whether they deploy things on-premises or in the cloud, where the workforce is located, and more. However, legacy IGA solutions that rely on customization can take extensively long to deploy and point in time solutions simply do not scale as digital transformations take place, workforce needs evolve, and new compliance mandates are introduced.
Setting up bespoke processes may seem like a good idea. For example, each business likely has a unique way of creating new identities when someone joins the organization. But take for instance a large company hiring someone with a common name. The organization might be tempted to customize a process based on their business requirements to accommodate a name, title, email address, etc., but then how that identity gets created in each target system gets more and more complicated. As people with the same name are hired, this could create a problem down the line.
Many IGA workflows should be able to be configured through API calls or through out of the box configurability, but too often, organizations will customize this process leading IAM teams and security leaders to scramble to keep up.
Many Identity Governance programs do not get off the ground because organizations do not focus on the core tasks at hand and try to jump ahead to advanced use cases. Thinking back to the introduction, with the seven key ‘features’ of an IGA solution, organizations will too often rush to try to automate everything including leveraging AI and advanced algorithms to automate tasks. This includes the initial phase of connecting IGA to a plethora of applications. With the average organization deploying 188 new applications in production, many try to onboard all applications right away which can slow things down considerably.
This can all lead to a lack of focus on the core tasks at hand, and stall releases and project milestones. Part of it is human nature, everyone is drawn to shiny new objects and wants to handle edge cases like automation and AI. However, many organizations do not get to these advanced use cases because they fail to tackle the basics. Part of this is solved by taking a deliberate and phased approach to IGA.
There are many reasons for any organization to undertake an Identity Governance program, including boosting workforce efficiency and productivity, enhancing security measures, and meeting an evolving set of compliance mandates. However, how an organization approaches IGA can lead to problems that stall deployments and stunt future growth.
Some things to keep in mind when planning for, and selecting an IGA solution:
Get your free copy of The 6 most common pitfalls of Identity Governance and how to avoid them below.
featured resources
Omada is a leader in Intelligent Identity Governance and Administration. We help our customers deploy a full-featured IDA as a service solution within 12 weeks with the Omada Accelerator Package.
Hear Richard Stiennon, Chief Research Analyst from IT-Harvest, and Rod Simmons, VP of Product Strategy at Omada, discuss the pitfalls of IGA deployments.
The framework lays out how to standardize the key functionality of an IGA program and informs how to successfully deploy and maintain and IGA solution.
Let us show you how Omada can enable your business.