One of our core areas of expertise is this mystical unicorn called identity and access governance (IAG). We’ve been working on projects involving it since the dawn of our company.
A dedicated team now works on it and we’ve delivered tons of projects from which you could learn. And yet, for some reason, we haven’t covered it here. Time to remedy that!
This post has originally been published on Sep 28, 2018. It has since been updated for better readability, and some new information has been added.
In my work with customers around the world, when I ask them what is currently on their minds, very often identity and access management (IAM) is on top of the list. However, when asked what they mean by it, I rarely get the same answer twice.
Let’s give some things a name and make some sense out of them. It will help us understand the subject further.
First of all – identity and access governance is a process. It is not about a single technical solution.
It is not a tool (although a tool might support it) that will solve all of your IAM problems for you.
What is key is that this process is supported by various services. Its goal is to manage the lifecycle of your people’s access to applications, data and other resources your organization is using to deliver value to users.
There are multiple areas we cover by this single term, and this is where most of the confusion comes from. The simple acronym – IAG – might cover many areas.
Typically, they are combined into a single request to providers for a single solution. This leads to gargantuan proposals and budgets, but not always to a gargantuan project outcome.
Here is a short list of aspects that IAG covers, which you may want to address when thinking about it. I kept it short and focused only on the crucial aspects, so as not to start the discussion about what is and what’s not part of it.
This is the most obvious part for most people. It covers all the processes like onboarding, changes, and off-boarding of people and other entities (think service accounts or assets) within your organization.
How to onboard or register an employee? Following this, how to push their information to critical systems, to enable a work environment?
Then, how to make sure that the status of this person gets reflected in IT systems when changed in HR? And finally, how to close an account on time when needed? This is where identity lifecycle management kicks in and delivers order and automation.
If we have an account created, what does it have access to? This is the question that access management answers.
The process here might be simple (many companies stick to the old concept of groups, and it is perfect for them) or difficult (think complex role and entitlement hierarchies). The goal is to answer one question: what can this identity access?
Once that is resolved, the process might also be automated for efficiency, but it does not have to be.
If access is granted, can you get reports on it? Is it compliant with your policies? This is where the governance part kicks in.
Managing access is one area. However, getting access rights into a compliant state, where we know that what was granted to users is (a) right for their job, (b) compliant with our policies and (c) provably granted within a process, and where we can audit it, is another thing.
Companies might do access management but not governance. It depends on their maturity level.
These are the three pillars of this process. There are many other aspects of IAM like single sign-on, authentication and authorization policies, as well as risk assessment and management. But these three items are what I want to base this article around.
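As an added example (not code from the post, nor from MIM or Omada), here is a minimal reconciliation over constructed HR and account data that checks each of the three pillars in turn: lifecycle (leavers still enabled, accounts HR does not know), access management (entitlements outside the role model) and governance (a segregation-of-duties policy). The account ids, roles and entitlement names are all constructed for the illustration.

```python
# Added illustration, not code from the post or any product it names.
# Constructed HR feed: the authoritative source of people and their status.
HR = {
    "u100": {"status": "active", "role": "accountant"},
    "u101": {"status": "terminated", "role": "developer"},
    "u102": {"status": "active", "role": "developer"},
}
# Constructed account snapshot with the entitlements granted to each account.
ACCOUNTS = {
    "u100": {"enabled": True, "entitlements": {"erp_post", "erp_approve"}},
    "u101": {"enabled": True, "entitlements": {"repo_write"}},
    "u102": {"enabled": True, "entitlements": {"repo_write", "erp_post"}},
    "svc-backup": {"enabled": True, "entitlements": {"backup_admin"}},
}
# Role model (access management): entitlements each job role may hold.
ROLE_ENTITLEMENTS = {"accountant": {"erp_post", "erp_approve"}, "developer": {"repo_write"}}
# Policy (governance): entitlement pairs that must never be held together.
SOD_RULES = [({"erp_post", "erp_approve"}, "post-and-approve")]

def lifecycle_findings(hr, accounts):
    """Lifecycle: accounts HR says should be closed, or that HR does not know at all."""
    findings = []
    for acct, data in accounts.items():
        person = hr.get(acct)
        if person is None:
            findings.append((acct, "no HR record: orphan or unregistered service account"))
        elif person["status"] == "terminated" and data["enabled"]:
            findings.append((acct, "terminated in HR but account still enabled"))
    return findings

def access_findings(hr, accounts, roles):
    """Access management: entitlements outside what the identity's role allows."""
    findings = []
    for acct, data in accounts.items():
        person = hr.get(acct)
        if person is None:  # already reported by the lifecycle check
            continue
        for ent in sorted(data["entitlements"] - roles.get(person["role"], set())):
            findings.append((acct, f"entitlement {ent} not in role {person['role']}"))
    return findings

def governance_findings(accounts, sod_rules):
    """Governance: policy violations an audit flags even when the role model allows them."""
    findings = []
    for acct, data in accounts.items():
        for pair, name in sod_rules:
            if pair <= data["entitlements"]:
                findings.append((acct, f"SoD violation: {name}"))
    return findings
```

Note that the accountant's two ERP entitlements are permitted by the role model yet violate the SoD policy, which is exactly the gap between managing access and governing it that the post describes.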
I’ve been working in this field for almost 20 years, and I have seen this part of IT changing and evolving.
From simple lifecycle projects to complex, compliance-driven implementations which span dozens of applications and handle hundreds of thousands of entitlements (rights granted for people, to keep it simple).
What separates successful deployments from the failed ones? There is one word to describe the difference: focus!
The easiest way to fail a project in this area is to try to tackle everything at once.
Defining everything in a single project, with all possible features, target systems and apps included, does not stand a great chance of success.
If you want to succeed, the first rule is to focus. What you need to do is:
You will change your priorities and ideas on what to do next with every iteration. This is what business looks like right now. It is also why projects planned for 12-24 months are most likely to fail.
Twelve to 24 months after you’ve started, there might be no one left who remembers why you started it in the first place!
Typically, there are two drivers for projects in this area.
The IT department focuses mostly on operations’ efficiency and automation. Some aspects of compliance and impact on security are also present, but the goal is mostly to automate processes which we have to execute manually at the moment.
The second kind of project typically starts in audit or security departments, with a greater focus on compliance processes and access. This includes management and governance workflows, reporting and similar aspects.
The identity lifecycle is there, but somewhere in the background – we still have to execute it, but it is not the main focus.
IAG brings ownership of systems to the business, permissions assigned to users, context-based authorization and other similar aspects.
It is not just a tool for the IT department, but a great enforcement and control method for the auditing-, security- and compliance-focused parts of the company.
Nice, Tomasz! You’ve put all this theory in front of us, but are there solutions out there? How to choose the best one?
Sure, there is the entire industry at your disposal, which also shows that there is a problem to tackle. Here are not one, but two Gartner reports for you to consider.
We’ve been working in this area for almost ten years, with dozens of projects delivered for customers ranging from a few hundred to well over 100,000 identities. Simple cases, non-standard cases, complex cases – we’ve had it all!
Our background is in Microsoft technologies, but in this area we have also adopted a tool from another vendor, by partnering with Omada.
The choice is simple when you answer the questions I asked earlier in this article. Let’s take a look at product features at a glance:
Knowing the answers to what drives your project and what your priorities are, it is simple to evaluate each tool and choose one. Both deliver. And both have a similar set of features in some areas.
Where we focus mostly on identity lifecycle, we go primarily with Microsoft Identity Manager, and customers are happy with it.
It delivers without requiring extensive resources, and MIM also covers common end-user scenarios such as password reset, which is often still a pain.
Importantly for many companies, it is also the cost-effective option, since Microsoft made the server license free and the CAL is included in the Azure AD license.
For simple access management cases, MIM will also deliver, with our extensions for it. You have a choice of using one of those solutions (or others in a similar class).
The difference starts when your process is driven by the need to provide rich, compliance-based processes concerning access management, auditing, reporting, and other related functions in a regulation-driven environment.
Here, Omada Identity Suite has a clear advantage and is the way to go, even if it comes with a price tag.
With clarity about goals, drivers and the desired outcome, the choice of solution becomes much, much easier, and often does not require an extensive process.
Indeed, I haven’t! So, what about the cloud?
The truth is that the cloud does not affect this picture much. It is just another part of your environment you need to manage. You have to provide the same processes for it as for on-premises resources and the solution of your choice will have to address it.
This is why Omada, among a few other solutions, is tightly integrated with Azure AD for access management and compliance processes.
Additionally, a recent addition to MIM is the Azure AD Graph connector, which adds the process of managing guest users for on-premises application access.
And there we have it, the basics of identity and access governance. It poses some questions which auditors might also raise.
If you want to know how to answer them, please get in touch with us to discuss your requirements!