Identifying and Managing Risk in IGA Deployments

August 13, 2019

Deploying an IGA (Identity Governance and Administration) solution is typically a fundamental part of a company’s Identity and Access Management (IAM) program. For organizations that need to apply controls to role-based access, automate approvals and certifications, streamline processes, and mitigate risk, an IGA system can be an essential tool for ensuring that, (as Gartner says), the “right people get access to the right resources at the right times for the right reasons.”

But too often, IGA deployments fail to deliver the expected outcomes—and in some cases, fail to be correctly implemented at all. That’s why it’s critical to know upfront the risks inherent in deploying an IGA solution, and how these risks can be successfully avoided or managed.

Why IGA Is Challenging 

IGA solutions can be complex to implement because they’re not just IT projects—they’re ongoing programs designed to protect companies, enhance compliance, and make more efficient use of resources. This requires coordination and collaboration, as well as support from leadership and engagement outside of IT. IGA solutions need to be integrated with multiple systems, whose data quality may be an issue. Manual processes that would become automated with an IGA tool often turn out to be inefficient. And workflows once managed by a handful of people need to be vetted by multiple departments, because their enforcement impacts the entire business.

Risks in IGA Deployment

Most organizations are aware of the red flags that can derail an IGA deployment, but they may not have proactively considered how these risks can be avoided. Following are some examples.

Automating already broken processes. Automation is often the primary driver for deploying an IGA system: it offers improved efficiency, the reduction of human error, and proof of compliance for audits and regulations. But if an organization’s existing governance processes are inefficient or error-prone, automating them isn’t going to yield the desired results. Often manual provisioning is performed by a small group of individuals in IT, even though those reviewing and approving access changes work in departments like HR, legal, or sales. Integral Partners recommends that all stakeholders review their entitlement processes prior to implementing an IGA system, and we help clients plan the most efficient and effective ways to do it.

Thinking only about employee access. Since most IGA tools connect to an organization’s HR database as the main data source for identity data, it’s easy to overlook other important groups of people who will need entitlements: contractors, partners, vendors, perhaps even job candidates or customers. Some companies currently using manual processes for provisioning employees may not even have codified processes for handling non-employees, much less standardized workflows that could be automated in an IGA system. Or companies may feel confident about the quality of their HR database but haven’t validated their contractor data in ages. To ensure that any IGA system manages and protects company data in a satisfactory and compliant way, it’s imperative that organizations consider all their data sources before implementation and that all relevant stakeholder departments have vetted their processes for entitling access to their constituents.

Lack of adoption. As with all major software implementations, deploying an IGA system is an act of business change management. Companies that fail to manage the change may find themselves dealing with staff who don’t use the software properly, fail to follow the new processes consistently, or end up feeling hindered or resentful. Asking people to switch to an IGA system can eliminate the risk associated with manual governance, but can introduce the risk that users won’t sufficiently adopt the new system. Good communication, inclusion of all stakeholders in the planning and testing process, and end-user training should all be part of managing the change to an IGA system.

Lack of sponsorship. For an IGA system to yield its full automation and efficiency advantages, it needs to be supported by executives with budgetary and persuasive authority and fully integrated with applications across the organization. This requires the participation of stakeholders across the organization, including those outside of IT, and frequently requires that executives be educated on the impact and value of IAM for the business. Integral Partners assesses each client’s environment and recommends the inclusion of a broad range of stakeholders to ensure sustained buy-in for the deployment. Advisors are experienced in presenting IGA benefits, roadmaps, and business cases that foster executive support.

Failing to build in early wins. Though IGA systems can be complex to implement and adopt, and the benefits often are longer-term efficiencies that aren’t immediately visible, many IGA vendors are updating their products with out-of-the-box features designed to reduce time to value: workflow templates, configuration and application onboarding guides, and improved user interfaces. Prioritizing the implementation of low-risk, out-of-the-box features (while planning for longer-term customizations, configurations, and upgrades) helps companies gain early wins, so they can sustain adoption and support for their IAM programs. Integral Partners advisors are experts at this planning and prioritization process and can assist companies in balancing business needs with cost, risk management, and timelines.

Having IGA goals that don’t match business expectations. Many organizations see IGA deployments solely as a technology project, and do not take the time upfront to map the deployment to desired business outcomes. Proper configuration of an IGA tool requires that departments impacted by the deployment have collaborated to agree on requirements and vet the processes that will be automated. Without these inputs upfront, the tool may not deliver the business value that was anticipated. Having a roadmap and strategy in place before embarking on the deployment can help the organization meet its stated objectives, and including stakeholders in the requirements-gathering, planning, and rollout process ensures that the implementation meets with everyone’s expectations.

Not planning for ongoing care and maintenance. Organizations with an IAM roadmap and strategy understand that implementing an IGA system is just one phase of a more holistic approach to risk and access management. Because IGA systems are designed to connect with and protect a company’s most sensitive data, they require maintenance and maturity to ensure they operate according to expectations. Planning for upgrades, ongoing training, further configuration, and customization will provide better returns and flexibility to adapt as business needs change.  Integral Partners helps companies plan not just for successful deployments but for “what happens next,” with education, onboarding, and prioritization of next steps.

IGA deployments are most successful with careful planning (a thoughtful strategy, roadmap, and architecture) and careful consideration (regarding priorities, costs, and timelines.) With support from executive leaders and engagement across departments, IGA deployments can introduce new efficiencies, eliminate risks, and deliver business value across the organization.