You know a technology is evolving rapidly when a set of solutions that debuted a decade ago is already referred to as “traditional.” Yet that is exactly what’s going on with Identity Governance and Administration (IGA). IGA comprises the processes and tools that enable an organization to provision and govern identities for all users, across their employment lifecycle, for all data and software applications.
IGA initially caught on with large enterprises and regulated businesses like financial institutions. Strict identity governance is critical to compliance with laws such as Sarbanes-Oxley (SOX). The IGA solutions that predominate with these customers have advanced features, with the ability for extensive customization. These are the “traditional” or “heavyweight” IGA solutions.
As the value of IGA became apparent to organizations with fewer or no compliance requirements, a new breed of IGA solution appeared on the market. As Gartner explained in their 2020 Market Guide for Identity Governance and Administration, “New vendors are entering the market to cater for organizations that cannot afford or do not require a full IGA suite. Focused either on specific needs or offering a ‘light’ IGA capability, they are well suited to organizations that do not have an existing IGA implementation and are looking for modest capabilities or seeking to address specific targeted needs.”
As you may know, Okta currently offers some lightweight IGA functionality. They also announced at their April 2021 Oktane conference that they’ll be officially launching Identity Governance and Privileged Access solutions in Q1 of 2022. So what’s behind this push and what does it mean to your organization’s Identity program?
Market Forces Driving the Lightweight IGA Okta Offers
As Gartner notes, organizations that don’t want a heavyweight IGA solution may still want to engage in IGA. Reasons vary, but oftentimes the motivation to adopt IGA comes from dissatisfaction with their IGA status quo. Indeed, without a coherent IGA solution, they may not even be doing IGA at all. The IT department could simply be using the helpdesk to set up user accounts.
Helpdesk-driven identity management is a deficient practice. It relies on email, support tickets and person-to-person task handoffs. Not surprisingly, this risky process is slow, costly and prone to errors. For instance, the Human Resources (HR) department might send the helpdesk a list of new employees by email. The helpdesk staff then either manually sets up user accounts in Microsoft Active Directory (AD) or creates tickets in a program like ServiceNow so someone will take care of identity and access provisioning.
In addition to being cumbersome, this mode of identity management does not work well with the user lifecycle. As employees leave the company, their access credentials may not get switched off quickly enough—or at all. And, as privileges change, the manual system may not keep up. A user who is given administrative (privileged) access to a system, may transfer to a different role, but still retain the admin rights. This creates the risks of unauthorized access and potentially damaging follow-on actions, like data breaches.
The costs and risks associated with the helpdesk approach lead organizations to seek a centralized, easy-to-manage clearinghouse of access rights and user identities. Security frameworks like ISO 27001 also require tight identity and access controls, as does compliance with the payment card industry’s PCI-DSS rules for companies that want to process credit card transactions.
The need for IGA may be clear. The barriers to adopting IGA, however, relate to cost and complexity. Not every organization has the people for, or the need for, a heavyweight IGA solution. These solutions’ very advantages, such as extensive customization capabilities and the ability to write code that integrates the solution with multiple applications, make them overkill for such organizations. For these reasons, a lighter-weight, less feature-rich IGA solution may be a better fit.
Influence of the Cloud
Cloud computing is contributing to the lightweight IGA trend, too. As Gartner noted in their Market Guide, “By 2023, a new category of SaaS-delivered, converged IAM platforms will be the preferred method for IGA, access management (AM) and privileged access management (PAM) in more than 45% of new IAM deployments.” Hosting an IGA solution in the cloud helps make it lighter than its on-premises counterparts. There is no hardware to manage, no patches to apply and so forth. Scaling the solution up as the number of users grows is also not a challenge in the cloud.
However, it’s not just that the IGA tools such as Okta are in the cloud: application targets for provisioning are also increasingly cloud based. As these cloud applications adopt open standards such as SCIM for managing identities, the need for proprietary connectors that come with a traditional IGA tool decreases.
What’s in a lightweight IGA solution?
A lightweight IGA solution generally provides the same basic functionality as the heavyweight version, but with fewer options. It can automatically import new users from the HR system and then adjust access privileges on an automated basis. The solution can also import group- and role-based access privilege policies from HR and other systems, automatically provisioning and modifying user rights in the process, or it can automatically import HR data into ServiceNow. These solutions emulate IAM business processes within the tool. Lightweight IGAs also typically enable auditing of identity and entitlement management, as well as data visualization, analysis and reporting.
What lightweight IGA solutions do not usually offer is the range of functions available in the more traditional IGA platforms. These include customized input forms, customized process workflows and orchestration. Nor does a lightweight IGA solution typically come with access certifications, lifecycle management workflows, an entitlement catalog or access requests. It can’t handle Segregation of Duties (SOD), which is needed for certain kinds of compliance. The lightweight platform generally lacks an accessible code base and the deeply sophisticated Software Development Kit (SDK) that expert developers can use to craft specialized or company-specific IGA functionality. Rather, it publishes APIs and provides a basic SDK.
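The lifecycle gaps described in the helpdesk discussion earlier (leavers left enabled, movers keeping old admin rights) and the HR-driven, role-based automation and SOD rules described in the last two paragraphs are all, underneath, a reconciliation between what HR says a person is and what the directory says their account can do. The following added example (not Okta’s, Integral Partners’ or any directory product’s code) runs that reconciliation over a constructed HR feed and directory export. The role-to-group policy, the SOD rule set and all names are assumptions made for the example; it goes slightly beyond the text by also flagging joiners with no account and orphan accounts with no HR record.

```python
"""Joiner / mover / leaver reconciliation between an HR feed and a directory.

Added illustration, not code from the page or any vendor. It reports the
conditions a helpdesk-driven process tends to miss: leavers still enabled,
movers retaining groups their new role does not entitle, orphan accounts,
joiners with no account, and Segregation of Duties (SOD) conflicts.
All data below is constructed sample data.
"""
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "kind account detail")

# Constructed role policy: the only groups each role is entitled to.
ROLE_GROUPS = {
    "it-admin": {"All-Staff", "Domain Admins"},
    "finance-ap": {"All-Staff", "AP-Invoice-Entry"},
    "finance-approver": {"All-Staff", "AP-Payment-Approval"},
    "cashier": {"All-Staff", "POS-Users"},
}

# Constructed SOD rules: pairs of groups no single account may hold together.
SOD_RULES = [("AP-Invoice-Entry", "AP-Payment-Approval")]

# Constructed HR feed: employee_id -> (current role, status)
HR_FEED = {
    "e100": ("finance-ap", "active"),        # mover: transferred out of it-admin
    "e101": ("finance-approver", "active"),
    "e102": ("cashier", "terminated"),       # leaver
    "e103": ("cashier", "active"),
    "e104": ("cashier", "active"),           # joiner: not yet in the directory
}

# Constructed directory export: account -> (employee_id, enabled, group memberships)
DIRECTORY = {
    "asmith": ("e100", True, {"All-Staff", "AP-Invoice-Entry", "Domain Admins"}),
    "bjones": ("e101", True, {"All-Staff", "AP-Payment-Approval", "AP-Invoice-Entry"}),
    "clee": ("e102", True, {"All-Staff", "POS-Users"}),
    "dkim": ("e103", True, {"All-Staff", "POS-Users"}),
    "svc-old": (None, True, {"All-Staff"}),  # shared/service account with no owner in HR
}


def reconcile(hr_feed, directory, role_groups, sod_rules):
    """Return a list of Finding tuples, one per policy deviation."""
    findings = []
    seen_employees = set()
    for account, (emp_id, enabled, groups) in sorted(directory.items()):
        if emp_id not in hr_feed:
            findings.append(Finding("orphan", account, "no HR record"))
            continue
        seen_employees.add(emp_id)
        role, status = hr_feed[emp_id]
        if status != "active":
            if enabled:  # leaver whose account was never switched off
                findings.append(Finding("leaver_enabled", account, f"HR status {status}"))
            continue
        # Mover check: anything beyond the current role's entitlement is excess.
        for group in sorted(groups - role_groups[role]):
            findings.append(Finding("excess_group", account, f"{group} not entitled for {role}"))
        # SOD check: conflicting pairs held at the same time.
        for a, b in sod_rules:
            if a in groups and b in groups:
                findings.append(Finding("sod_conflict", account, f"{a} + {b}"))
    # Joiner check: active in HR but never provisioned.
    for emp_id, (role, status) in sorted(hr_feed.items()):
        if status == "active" and emp_id not in seen_employees:
            findings.append(Finding("joiner_missing", emp_id, f"no account for role {role}"))
    return findings


def summarize(findings):
    """Counts by finding kind, the figure an IGA dashboard would chart."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in reconcile(HR_FEED, DIRECTORY, ROLE_GROUPS, SOD_RULES):
        print(f"{f.kind:15} {f.account:8} {f.detail}")
    print(summarize(reconcile(HR_FEED, DIRECTORY, ROLE_GROUPS, SOD_RULES)))
```

Run on the sample data it flags the mover (`asmith` still in Domain Admins after moving to finance), the leaver (`clee` still enabled), the ownerless shared account, the unprovisioned joiner and one SOD conflict; a lightweight IGA tool automates the first four from an HR import, while the SOD rule is the kind of control the text notes such tools usually leave out.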
Okta and Lightweight IGA at Work
Integral Partners has worked with many clients on the implementation of lightweight IGA solutions. For example, we recently helped a supermarket chain deploy the Okta solution. Their original goal was to enable Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for their systems. The company needed to become compliant with PCI-DSS so it could handle credit card transactions without relying on a third party.
The supermarket chain wanted to understand whether Okta could also fill gaps in their current manual IGA processes. Since they were already using Okta for SSO and felt comfortable supporting it, they looked to us for advice on whether it would fit their use cases.
When helping the client through this decision, we had to take several factors into account:
- They did not have the in-house expertise to maintain a customized solution themselves.
- They were already using ServiceNow to drive ITSM and did not need a separate tool for the business modeling of access requests.
- They were willing to be flexible in their approach and change certain HR and IT processes to avoid the need for customizations, such as deprecating shared Active Directory accounts and introducing a modern HR information system.
- Their target applications for provisioning were mostly in the cloud, and the few that weren’t could be accommodated by a custom connector. This would be the only customization required if Okta was chosen, and supported their cloud-first strategy.
As a result of our advisory, the client felt confident to proceed with Okta as the IGA tool for their full employee lifecycle and began to undertake the prerequisite projects needed to move ahead.
Which Solution is Right for You?
Unfortunately, whether lightweight IGA or a more full-featured IGA platform is right for your needs is not always an easy question for an organization to answer. As a Director in our IGA practice recently told me, “The most common issue I hear from customers is ‘they don’t know what they don’t know’ when it comes to their environment, needs, and the tools that offer a solution.”
At Integral Partners, we offer a few options to help you address this issue and ultimately answer the lightweight IGA question:
- Free IAM & IGA Essentials Workshop: These workshops are designed to give your team a solid understanding of the terms and features of an effective IGA (and IAM) program. They compare and contrast a lightweight IGA tool like Okta with full IGA solutions from SailPoint and Saviynt.
- IGA Advisory Project: A big part of what we do is helping organizations understand their needs, and then giving vendor-agnostic feedback on which solutions would be the best fit.
When it comes to IGA, we have experience implementing solutions in every vertical. IAM is our sole focus. We’re partners with every top IAM vendor and each space within it (PAM, CIAM, AEM…). We’re the trusted advisor you need to help you navigate your way to the right solution.
To know whether a lightweight IGA solution will work for your organization, you need to gain an understanding of the landscape and where you fall within it, and we can help.
Have questions you’d like help answering? Click here to schedule a quick conversation with one of our IGA experts to get started!