Disclaimer: This article expresses my own opinions based on experiences from the field and with multiple customers of different sizes and from different countries and industries.
During the last couple of years, I've noticed an increasing demand from many customers around various scenarios and needs highly related to Identity Governance (let's call it IGA from now on). This is great! I love to see more and more companies taking this seriously.
I won't be mentioning specific vendors of solutions because, no matter who or what is finally chosen, IGA should be a must for every organization, and there should not be any excuses. Your case will not be different in a way that justifies an exemption from adopting IGA. Of course, there are different factors that make the implementation more or less complex, but that's a different story.
Some of the first positive effects that you will notice after adopting an IGA solution are going to be a better ROI, less administrative overhead, and more security and ownership in general. I won't be talking about numbers. There are plenty of documents and analyses out there about this.
The implementation of an IGA solution implies many things, such as:
- Adhering to specific industry regulations or certifications (e.g., PCI DSS). Some regulations and certifications carry more IGA-related requirements than others, while some focus more on IAM, PAM, or CIEM requirements, for example.
- Inventory of assets, owners, identities (employees, guests/external), applications, groups, etc.
- Classification of the above-mentioned, plus data: HBI, MBI, LBI.
- Integration with HR solutions and existing workflows for joiners, movers, and leavers.
- Access reviews. Who should review/approve, multiple reviewers/approvers.
- Separation of Duties (SoD).
- Affiliation.
- More specific or custom workflows.
- Replacement of specific custom or manual tasks with capabilities provided by the chosen solution.
- Integration with cloud and on-premises.
- Supported provisioning protocols like SCIM or REST-based APIs.
- Logging and auditing.
- Integration with other solutions from your ecosystem. For example: IAM, PAM, PIM, SIEM, CIEM, Identity Protection, etc. Avoiding siloed solutions in this space is crucial.
- Contribute to a better user experience. This is crucial. If you make it difficult for the end user, then it's highly probable that the implementation is going to fail. Provide self-service portals and auto-approval capabilities where applicable. Make the onboarding process as easy and transparent as possible.
- Building on the previous point, invest time in creating the onboarding and offboarding flows. If you need to deprovision/offboard an identity and its access, make sure that your workflows cover everything (groups, licenses, assignments in general, communication, etc.). Do you have more complex flows? Then it's important that the solution also lets you create them or even add additional steps through logic apps, for instance.
- Are you collaborating with other companies (B2B)? Then it's important to designate owners/sponsors from the invited organization. You don't want to suddenly own hundreds or thousands of new identities.
- When planning the deployment of the solution, think at scale. Think big. Plan for future growth.
The above list could be a never-ending story! I think you get the idea for the moment.
I hope you find this article interesting and useful. I have enjoyed writing it. Feel free to share your feedback, and reach out to me if you have any questions.
Marketing Manager at ICode Breakers
1 year ago: It's fascinating how balancing identity governance and identity management can impact security and compliance in our digital world. Check out the following blog to learn more: https://www.loginradius.com/blog/identity/identity-governance-vs-identity-management/
Sr. Global Blackbelt for Data Risk Management - Central & Eastern Europe, Middle East and Africa
1 year ago: Very informative Marcelo (Aka King)! Keep it coming!
Cloud Architect
1 year ago: Just these past few days I listened to the "Azure Security Podcast" episode from 1 month ago (I recommend it, they cover new topics in half an hour!!) and you could only give the headlines, so well done on the article!