Today, most big companies have an IGA (Identity Governance & Administration) solution in place. While this certainly is a positive evolution, it turns out there is still much left to be desired. Let’s take a closer look at what is going on and see if we can provide some of the answers…
Traditional 1.0 IGA solutions, which have been implemented in organizations for about 15 years now, are strongly focused on provisioning (access request, access approval, etc.). While there is no doubt that provisioning is an important matter, it takes a lot of time – several years, in most cases – and quite some budget to get it up and running properly. And it’s only when the provisioning side of things is nearly completed that traditional IGA solutions finally start paying some attention to governance. That’s quite an issue, as in recent years governance has become much more important than before.
Ever more companies realize they need to prioritize the governance part of IGA. There are several reasons for this, but they all have to do with the increased risk of data breaches and the consequences thereof.
First of all, it’s an undeniable fact that the risk of data breaches has been growing significantly. According to an IBM Security report, the odds of experiencing a data breach reach up to 29.6% in 2020.
Governments on both sides of the Atlantic take protective actions against this threat, and thereby impose a growing number of regulatory frameworks – such as NIS and parts of SOX – on organizations. As the provisions in those frameworks are enforceable, a lack of compliance can lead to considerable fines. Pakistan’s Habib Bank, for instance, paid a $225 million fine for compliance issues in 2017. In the same year, Deutsche Bank was even fined $10 billion.
GDPR, ISO & CSR
GDPR – a regulatory framework designed to protect citizens’ privacy and personal data – is yet another reason that explains the priority shift towards governance. Organizations that fail to comply with GDPR regulations risk being fined by the authorities. British Airways, for instance, had to pay a €204 million fine as the personal data of 106 million individuals was stolen because of a data breach.
And there’s ISO 27001, of course. Organizations wanting to get certified need to make sure their data is well secured. In fact, an entire chapter (‘objective A.9’) of the ISO standard is dedicated to access governance. Last but not least, protecting customers’ data (especially PII, Personally Identifiable Information) is considered a moral value today, and should be an integral part of an organization’s Corporate Social Responsibility (CSR).
So, what is the connection between the ‘governance first’ approach and all of the risks mentioned above? Simply put, governance-first solutions – such as Elimity’s ‘Insights’ – give you a clear overview of the potential data-related hazards within your organization straight away, allowing you to take control and perform the necessary actions without further delay. And that is exactly what IGA 2.0 is all about: governance/risk mitigation first, provisioning later.
Moving from IGA 1.0 to 2.0
Organizations often feel that the traditional 1.0 IGA solutions they have been using fall short in several areas, such as:
- Audit reports – even though they are a crucial part of any governance program – are restricted to basic Excel exports. They also lack the necessary context and visualization. In addition, as it often takes complicated merging operations on different source files to get the desired output, a lot of computing power is needed. Therefore, these reports are only made a few times a year and are quickly outdated.
- Access reviews are often limited to recertification campaigns in which team leaders or application owners have to check whether everything (roles, team members, application entitlements, …) is still correct. These campaigns are considered to be cumbersome and hardly effective.
- Provisioning is complicated and demands highly skilled, specialized staff, as well as a multi-million budget and a time span of several years. Still, those projects often go significantly over budget and time. This is partly because of unexpected obstacles that often pop up along the road and the requirement of a clean administration.
In fact, the situation is so dire that Gartner estimates that more than 50% of IGA projects are in distress.
The virtues of IGA 2.0 & Insights
As explained, IGA 2.0 projects make sure the governance part of IGA is taken care of first and foremost. When(ever) needed, this can be supplemented with provisioning. In this regard, it’s important to note that governance brings you valuable insights about your organization, allowing you to make better and more targeted decisions when you start with provisioning at a later stage.
However, just as IGA 1.0 solutions aren’t created equal, neither are IGA 2.0 solutions. Elimity Insights is a complete SaaS identity governance 2.0 program – built upon a powerful identity analytics engine – which can be used to complement your existing IGA suite.