Fundamentals Before You Start
Identity Governance and Administration (IGA) helps organizations connect critical business systems to controls and processes that will protect them. A successful IGA project facilitates and automates good decision making about identity and access to sensitive data.
Many organizations use software to help them manage identity lifecycles, access governance, certifications, and compliance. IGA technology solutions offer many benefits, but ultimately the people operating an IGA system are not those whose authority guides decisions about roles and access. That’s why the success of an IGA deployment rests on the strength of an organization’s existing processes, relationships, and engagement levels.
Before deploying an IGA solution, it’s essential to have a thorough understanding of the organization’s business goals, architecture and applications, workflows, data sources, and stakeholders. Developing this understanding takes time and effort on the front-end of an IGA deployment, but it saves time and resources on the back-end. It also ensures that the solution delivers the returns on investment the organization expects.
Integral Partners does extensive research and requirements-gathering prior to implementing new or replacement IGA solutions. Even before arriving at the client site, advisors have reviewed background information requested from the client in advance and have developed a deployment strategy based on these prerequisites. Once on-site, advisors involve a broad range of stakeholders whose input will influence the effectiveness of the IGA implementation, and whose work will be impacted by its operation.
Organizations that are prepared to engage with advisors and communicate information relevant to the implementation will speed the process and make things more efficient. Following are examples of some of the questions and information advisors ask for, as prerequisites to any IGA deployment.
- What’s your goal for this IGA solution? (automation, reducing risk, certification and audits, etc.) What are the organization’s expected outcomes of deploying this software?
- What are you connecting to? What is the identity source system (for example, an HR database) that will drive the IGA tool, providing unique identifiers for individuals and connecting to other applications?
- What other data sources, if any, do you need to include? Besides an HR database, this might include contractors, vendors, or even customers.
- How many users do you have? What’s the number of users in the identity source system, and what other secondary sources need to be included? What redundancies may exist?
- What are the lifecycle steps of each role? What access is entitled when a person is hired, and what is revoked when a person is fired? How many different roles have you defined? What permissions and access do each of the roles have?
- Who are the stakeholders? Who currently manages provisioning? Who authorizes access change requests? From whose budget is the project being funded? Who is impacted by the existing workflows? Who is responsible for compliance and audits? Who will administer the IGA system? Who needs to assess or manage risk, but might not be included in current processes?
- How do existing processes work? What documentation exists that explains your current processes? Are your workflows codified? Are processes currently manual, automated, or a combination?
- How would you like your processes to work? Using our many years of experience, our advisors help organizations design efficient future state processes that minimize product customizations and shorten the time to value.
- What’s the infrastructure of your IT systems? Will your IGA solution be cloud-based or on-premises? What else from your application inventory should it connect to? Which of your apps are highest priority to configure and integrate with the IGA tool?
- What past audit results can you share? What are your existing controls and frameworks for audits and compliance? Have you had failed audits in the past?
- How engaged are your executive sponsors? What is their level of knowledge about identity and access governance, and the benefits and costs of IGA systems? What returns on investment do they expect? How can they help remove obstacles during the deployment? How might we help educate them on the project’s importance?
- What’s your plan for communicating the IGA rollout to users? What training and onboarding are planned? How will users be kept informed throughout the deployment process?
- How will you facilitate the advisors’ work during the implementation? How will they connect to network, in what space or room should they set up, and what kinds of logins and access will you need to provide them so they can perform their jobs?
IGA projects can be challenging, but they represent an important milestone on the journey to developing organizational maturity. Having the answers to these questions before launching an IGA deployment helps organizations keep their projects on budget and in scope. These prerequisites help align reality (the project’s logistics and constraints) with expectations, and keeps stakeholders in the know so that everyone will be happy with the outcome. Organizations that kick off a deployment having already collaborated on prerequisites-gathering are better-positioned for a successful deployment.