The IGA Freeze
Michael Ribaudo
Chief Technology Officer at CyberIAM Holdings Limited
After nearly 20 years in the Identity and Access Management and Governance industry, it still surprises me how the same challenges and decision patterns are being repeated. Too many Identity Access Governance and Management programs have been frozen in time without completion.
In the late 90’s and early 2000’s many enterprise organizations embarked on some form of system automation program to speed up delivery of access to applications to their businesses. Most of these projects took large amounts of budget with varying degrees of success, but many were deemed not to have got out of the starting blocks.
Then came the Sarbanes–Oxley Act of 2002, which changed the world of Identity Access to a more governance-focused industry. Now auditors were driving the industry at a company board level with a specific focus on risk mitigation. This gave birth to a wave of new focus and funding which left automation in the back seat.
At the turn of the last decade, application access was removed to ensure a company’s users had only what they required. The Risk world revived the need for automation and provisioning of access, but this time with a focus on becoming more secure. And of course, a by-product of that was an improvement in efficiency.
Unfortunately, about 6 years ago the audit world shifted gears again and the Risk programs became consumed by the Privileged Access problem. And rightly so, but the net result was that Identity Access was put back on the shelf and became a box-ticking exercise.
Too many Identity Access projects got to phase 2, lost funding and became frozen in time. This has resulted in expensive IGA technology solutions utilizing only 20% of their capacity and most of the Identity risk remaining open. Some Vendors and System Integrators consider this basic deployment a success because the bar was never set very high, but we need to be doing more.
I believe that in the 2020’s we need to unfreeze our Identity Access programs, bring Identity Access and Privileged Access under one umbrella and finish what we started with these projects. We need to implement the outstanding governance and automation processes and on-board the remaining applications and systems to the IGA solutions, which would result in a cost reduction, an improvement in efficiency and risk mitigation across the organisation.
This will ensure we don’t just tick the boxes for local regulation-based audits (e.g. SOX, HIPAA, GDPR, GLBA) but start automating efficiency and protecting our organizations’ applications and systems both on-premise and in the cloud.