‘You Can’t Boil the Ocean’: How a Phased Approach Can Help Your IGA Program Succeed

Implementing an Identity Governance and Administration (IGA) solution can be a daunting task. Organizations of all sizes recognize the complexity of mitigating identity-related access risks across countless devices, applications, and systems, but need a way to see through the competing priorities and to understand that IGA is not an all or nothing proposition. Rather than a destination, Identity Governance and Administration should be viewed as a journey. One that requires building a disciplined, phased approach and starts by focusing on the areas that will have the biggest impact for the organization to deliver quick wins.

During a recent conversation with one of our customers, the Manager of Identity Management in a large healthcare organization was reflecting on the journey she had taken with her organization in building an effective IGA program. She stated, ‘Implementing an IGA program can often seem like boiling an ocean—you can’t do it all at once.’ Recognizing there was not a single approach for implementing identity governance, the manager emphasized a phased strategy that focused on ease of implementation and cost avoidance was the most effective way her organization could approach IGA.

The sentiment shared by this manager is one that serves all companies well. In this blog, we will examine why viewing IGA as a journey is essential for success. We will also explore how a phased approach to building an IGA program can help prevent security teams and IT professionals from trying to accomplish too much too soon, and allow them to prioritize the areas of identity governance that will achieve benefits along the way.

The Best Way to View IGA

While there are some IGA providers that have solutions designed to be implemented in a rigid order, using prescriptive methods for success, the best way to view identity governance is through the metaphor of a journey or pathway. Start where you’ll see the biggest impact in mitigating identity-related access risks for your business. We are often asked to pinpoint where exactly this is in an IGA program. Our answer is always the same: If you attempt to do everything completely at the outset, you won’t succeed. Instead, break the process into phases so you can implement identity governance priority areas that will deliver positive results for your business right away.

What does this look like for organizations? For some, it first may be gaining efficiencies in security around the user provisioning process. For others, it may be implementing access certifications to simplify the review process and to reduce certification fatigue. For the large healthcare system mentioned earlier, the organization began with self-service password management that enabled it to reduce reliance on help desk support, saving nearly $190,000 in the first year alone. The health system then used that cost savings to justify a phased implementation in other IGA areas, including user provisioning and compliance solutions.

IGA should be viewed as an ongoing initiative with focused, achievable goals along the way. Companies that take this approach achieve the greatest advances in improving security and boosting efficiencies by strategically identifying, prioritizing, and addressing their biggest pain points. This enables them to do more with less, enhance organizational security, and prepare for growth and change—no matter what form it takes.

By building an IGA program as a ‘choose-your-own-adventure’ initiative, and by working with a partner like Core Security that has the flexibility to tailor solutions to customers—not the other way around—you can start anywhere and go anywhere to achieve success.

Get Focused, Not Daunted with IGA

Before you decide where to begin your IGA journey, here are three things to get you thinking critically about implementing identity governance:

1) Cleansing and Refining Data

The success of an IGA program can be greatly improved through analytics that increase visibility and insight into your existing environment. According to Gartner, IGA implementations that begin with cleanup analytics demonstrate twice the ROI as those programs that don’t. That’s an incredible return for those organizations willing to put in the hard work of ‘getting their house in order’ by using analytics to inform their identity governance processes.

By leveraging intelligent identity analytics to help identify risk and policy violations, organizations can put a plan in place to effectively begin this critical cleanup. This is applicable not only to the risk that is easy to identify, but also access risk that is hidden from direct view, or inherited in a complex environment. This cleanup sets the stage to address immediate threats, improve ongoing provisioning, and enhance governance across the enterprise.

2) Visualizing What Access Looks Like

IT departments today often manage upwards of 75 application environments, creating an explosion of information, users, entitlements, and access relationships, with millions of combinations. This results in limited visibility into who has access into what systems. While some organizations have tried to manage access by reviewing lists in spreadsheets or electronic portals, these approaches are not reliable or effective long-term solutions. Approval and review processes that use this approach are still overwhelming for users because they lack the context of what access is really needed or around what each entitlement really means.

Instead, leveraging a strategic role-based access policy improves and enhances the way organizations approach identity governance. Think of a role as a collection of access privileges typically defined around a job title or job function. Using roles, organizations have solid, predefined, and preapproved access policies in place, and know specifically which access privileges each person needs. With the ability to design roles in a graphical manner, rather than using traditional role mining techniques, observational studies from Core Security have shown that accuracy is doubled and time spent reviewing is reduced by 50 percent. This is because it’s easy to see what people actually have access to and identify any outliers.

3) Simplifying Complexity

To simplify the complexity of mitigating access risks, it’s also important to think about leveraging an access management solution that makes the process of user access requests and approvals easy to complete and adopt across your business. A single portal for reviewing access requests, providing approvals, and managing user privileges is essential to reducing this complexity. Consider building an IGA program that uses an access management solution with built-in intelligence to model the required access based on user analytics and presents information in a context that makes it less likely errors will be made. This reduces the complexity of managing identities, ensures consistency for account creation that aligns with your processes and protocols, and adheres to the principle of least privilege access.

Start on Your Identity Governance Journey Today

No matter where you start, it’s important to remember that IGA should begin with a single step. Really. If you are willing to dig in, determine your priorities, and find the right partner who can help you implement the right IGA solution for your business, you will do the important work of ensuring your organization is better protected from identity-related access risks.