The Next Frontier for Identity Governance: Intelligent IGA
When we think about the future, we think of autonomous vehicles, artificial intelligence (AI) and an interconnected metaverse. AI often invokes the dystopian worlds of movies like The Terminator or The Matrix, where machines are displacing humans at every turn. But we see the future as slightly more harmonious than in those movies, with less fluff and more substance than in the buzzwords dominating headlines. While it may not be as exciting as cyborgs, one such area that’s being dramatically changed by new technologies in a very important way is identity governance and administration (IGA). IGA provides visibility across all applications and IT systems to govern entitlements and access across the increasingly complex landscape and, ideally, creates repeatable, at-scale automation of business processes that touch all applications and systems. And it’s at the precipice of some serious change.
As organizations modernize, it’s likely that the business will have different resources—living on-premises or in the cloud—that all need to be uniquely provisioned to a growing subset of digital identities that require access from all around the globe. To meet this growing complexity, automation is sometimes needed to take the reins of repetitive, manual tasks. In other cases, advanced intelligence can—and should—augment human decision-making processes. This is the foundational balance of intelligent IGA that is scalable, simplified and agile. We see four pillars as being critical for this next frontier of IGA: Identity governance everywhere, an enriched security ecosystem, universal connectivity and smart decision-making.
Establish IGA Everywhere
As affiliated identities (employees, third-party contractors and interns, etc.) continue to proliferate due to work-from-anywhere trends, both in terms of who and where they are, identity governance must become more accessible to everyone that needs access, wherever they need it. Accessible can mean many things, but within the context of intelligent IGA, it means making workflows, access requests and administrative tasks more efficient and effective for business users and administrators. The way to do this is to first modernize the user interface and make it intuitive to use and interact with.
It also means extending IGA capabilities into as many different places as possible for business users. Wherever and however they are working, IGA should not interfere and should blend into the user’s preferred interfaces. This means extending IGA into IT service management (ITSM) and communication and collaboration tools, as well as providing as many mobile- or tablet-adaptive applications as possible. These types of integrations can be done through APIs that help create seamless communication between applications with minimal lag time and buttoned-up security.
Create an Enriched Security Ecosystem
2021 saw a record $21.8 billion in venture capital invested in cybersecurity companies, with many new tools bringing cutting-edge technology to the space. While it’s great to evaluate new tools that promise new solutions to old problems, all this can create clutter for security, identity and access management (IAM) and IT teams. And rather than having one solution that is a mile wide and an inch deep—and which can quickly result in massive security risks—intelligent IGA can serve as the glue for an enriched security ecosystem by building on the strengths of other best-of-breed solutions.
By integrating IGA with leading privileged access management (PAM), access management, security information and event management (SIEM), data access governance (DAG) and cloud infrastructure entitlements management (CIEM) solutions, this creates an identity-centric cybersecurity approach that improves visibility of risk and compliance by unifying information from the security landscape through bi-directional information exchanges. This allows organizations to benefit from best-in-class products for true mission-critical initiatives without being burdened with stitching the solutions together in a way that could result in clunky workflows.
Build Universal Connectivity
Recent research from ESG shows that organizations added, on average, 65 new business-critical applications to their stacks within the past 24 months, with nearly 70% of those being deployed as-a-service. As new applications are introduced to the organization, largely in the name of increased productivity, there will always be a need from customers to quickly integrate connectivity to these applications for provisioning and de-provisioning access.
IGA solutions have long required custom code to connect to applications, and we’ve seen the mistakes of a code-heavy approach, including lengthy deployments and costly coding errors that are hard to maintain. We see this evolving to a standards-based approach, like REST and SOAP, that allows organizations to configure connectivity without the need for custom code. Further, the ability to democratize connectivity by letting organizations in similar industries connect with each other (no pun intended) and share tips on how to deploy connectivity packages will only make this process easier and better.
Inform Smart Decision-Making
At the crux of intelligent IGA is the ability to leverage automation and intelligence to support human decision-making—and to automate core IGA tasks like managing the identity life cycle, access reviews and certification campaigns where possible. However, decision augmentation and automation aren’t possible without trust. Humans must trust the technology that is feeding them information, which comes from confidence in the underlying data quality so that they can, in turn, pass it along to auditors to show how they arrived at a certain decision or why an algorithm was fed the way it was.
Intelligent IGA works best when it’s used to enable automatic approvals for low-risk requests with an action-enabled audit trail, like automating certifications and access approvals for certain identity types. From there, you can leverage the various identity data and analytics to help support IAM teams at decision points with recommendations; for instance, continuously suggesting changes that can be made to new and existing roles and policies. After this, looking at ways to automate these types of more complex decisions, and assigning instant, just-in-time assignment of access in target systems after approvals, and real-time adjustments of policy-assigned access rights when conditions or context change.
The Future of Intelligent IGA
The four pillars described above comprise intelligent IGA and how they help to support the current and future needs of enterprises in their never-ending quest to manage and empower all their digital identities. Intelligent IGA also should deliver fast time-to-value so that there’s no sitting around waiting for a lengthy deployment that soaks up people-hours, time and money. Intelligent IGA should be a security control that does not get in the way and even accentuates productivity for business users and builds intelligence in at every turn to enable smarter decisions to enhance security, meet compliance and unlock efficiency.
