Top Five Challenges of Building an Identity Governance Strategy

Identity governance is an area of frustration for most organizations. Organizations implement a wide range of systems to meet ever-changing business needs, with little thought about how each system works together. In the interest of convenience and efficiency, IT teams often focus on one-off integrations and workarounds.

This has clear implications on governance and compliance efforts. It’s nearly impossible to see at a glance who has access to what, whether those privileges should be revoked, and the extent to which access poses risks to users and the organization as a whole. 

There are five primary challenges that organizations must confront as they develop a governance strategy in an era of digital transformation.

Challenge #1: Cost and Complexity

Identity governance solutions have been primarily big, complex, on-premises applications that take an army of specialized people to deploy and manage, making it very difficult to clearly show value from IGA programs. According to Gartner’s 2020 Security & IAM Solution Adoption Trends Survey, 76% of enterprises are looking to replace their IGA solutions. This shows that turnover in the IGA market is on the horizon, and enterprises are looking for less expensive and less complex solutions. 

Challenge #2: The Existence of Silos

Most enterprises use dozens of business applications. Not all assets require the same level of security, and certain end users require escalated responses. Managing these details in a typical Help Desk environment is nearly impossible when business solutions – including the IGA tool – are disconnected. Without visibility to identity and access data across key tools, governance teams don’t get the real-time insight to effectively manage identity, certification and privilege. 

Challenge #3: Too Many Manual Processes

As business systems continue to evolve in both sophistication and specialization, they generate increasingly valuable sets of data that can help make intelligent business decisions or meet compliance reporting mandates. But because systems are rarely integrated, structures aren’t in place for retrieving data and using it effectively.

This has numerous troubling effects. Many data pulls are done manually. As a result, analysis and reporting not only take more time than necessary but are prone to human error. In addition, auditing becomes difficult, accountability suffers, and leadership has little insight into who’s managing the governance process. Manual processes and poorly integrated business systems increasingly threaten a company’s ability to respond.

Challenge #4: Poorly Executed Provisioning and De-provisioning

Automation has made provisioning easier – but that doesn’t necessarily make it better. If existing users have too many privileges, and if access for new users is based on that of existing users, then new users will also have too many privileges, as well. This leads to situations where managers are asked to approve access with no concept of the overriding governance controls that should be in place, leaving the average user with much more access than needed.

De-provisioning presents its own set of challenges. Without up-to-date details about an individual account, it’s easier for administrators to leave accounts active even if an employee has left or if a contract with an external consultant has ended. This opens the door to fraudulent use of accounts with excess privilege, since accessing a non-privileged account is the key entry for any hacker to access highly privileged accounts.

Challenge #5: No Culture of Compliance

All of these challenges taken together mean that identity governance and compliance become an afterthought for far too many organizations. These key areas should be embedded into everyday best practices and overall culture, with endorsements from executive leadership down to management and end users.

A big reason for this disconnect is because organizations treat governance as an IT issue, not an organizational one. If governance is viewed as a siloed IT solution, then organizations will struggle to prioritize this initiative and measure its ROI.

Tackling These Challenges with ITSM and Native IGA

Tackling these challenges may seem insurmountable, but there are proven approaches delivering real-world benefits. One promising approach involves putting the identity governance workload on an existing IT Service Management (ITSM) platform, such as ServiceNow. 

Integrating an identity governance and administration (IGA) solution with the incumbent ITSM platform offers several distinct advantages for addressing today’s governance challenges. Running an IGA solution built natively for an ITSM platform contributes to maximizing the investment in that platform, costing less than creating an IGA solution siloed as its own stack. No new skillsets are required, either. Companies thus avoid costly recruit/train/retain struggles that can arise.

Ultimately, the integration of IGA with ITSM is extremely favorable because it places IGA functions in the hands of users, with tools they already know. When governance becomes a seamless process for end users, and not a complex and laborious drain on productivity, the entire enterprise reaps the benefits.

What’s Hot on Infosecurity Magazine?