Do You Need Identity Governance and Administration? 4 Questions to Ask Yourself


Identity Management appears simple on the surface: make sure users are who they say they are, that they only have access to the data they need for their job, and remove permissions that employees (or ex-employees, as the case may be) shouldn’t have. Yet this simplicity vanishes as more people join your enterprise and your reporting and compliance obligations increase. Small businesses may have to worry about no more than ten employees’ identities; your enterprise may have to manage hundreds or thousands. Your IT department will swiftly be overwhelmed. So how do you manage all these accounts accurately? And how do you stay in compliance with the tighter regulatory mandates while staying competitive?

This is where Identity Governance and Administration (IGA) solutions come in. They are specially designed to help IT departments automate their workflows, manage permissions effectively, and stay in compliance with thorough reporting. These solutions are designed to scale with your enterprise so that you never feel constrained by their operations.

Are you ready to deploy an IGA solution? Is it even the right solution for your enterprise? Here are 4 questions you need to ask yourself before selecting an Identity Governance and Administration solution:

Am I the right size for an IGA solution?

Small to medium-sized businesses can generally rely on their human IT departments to analyze and manage the identities of their customers, employees, and supervisors; logically they shouldn’t have as many accounts to deal with and they will not be under as much regulatory scrutiny.  

However, as enterprises scale, so too do the demands on IT departments, as data, access requests, and permissions pile up. IGA’s automated workflows can help relieve the burden on InfoSec professionals and improve their efficiency. Before selecting an IGA solution, see if you really need one or if your problems can be solved with an addition to your IT department’s staff or budget.

Am I looking to solve a short-term problem or a much wider one with IGA?

Whenever we prompt enterprises to self-reflect, we ask them to consider the business trends of not only the present but 5 years from now. What problems do you foresee as your business grows? What kinds of InfoSec capabilities will you need down the line as you expand your customer base or business focus?

Failing to consider these questions leads some companies to deploy a patchwork of disparate solutions to handle their problems as they occur rather than selecting solutions according to a complete cybersecurity strategy. Before deciding on an IGA solution, consider how you will integrate it with your current solutions and what problems you are looking to solve. Also make sure the solutions providers you already utilize don’t offer an IGA component. You can save your enterprise time, money, and many headaches dealing with user interfaces.

What are the processes I want to automate with an IGA solution?

This ties into having a well-defined and strongly enforced Identity Management policy as an enterprise. As part of your Identity Management policy, you should have your employees assigned to defined roles with clear access permissions for those roles. Furthermore, your Identity Management policies should be enforcing those roles. If you do not have concrete roles and access policies in place, then IGA will only serve as an ineffectual bandage; inconsistencies in policy assignment and enforcement will often result in byzantine customization and will not alleviate the need for manual intervention. It will be just one more worry for your IT department. Don’t put the cart in front of the horse; make sure your IT department has policies to automate before demanding automation.

Will IGA help with our reporting/compliance needs? Are we keeping up to date with our compliance needs now?

Almost every enterprise in every industry has some sort of reporting and compliance mandate it must follow to concretely show that its access management is working at keeping unauthorized users out. Auditors and compliance managers will often need to manually use comparison counts to monitor all the provisioning and recertification tools to create their reports and seek out discrepancies. This process is lengthy and often an over-complicated mess of tracking entitlements, flagging inappropriate accesses, and removing erroneous permissions.

IGA can automatically track entitlements, identify and remove false authorization, and generate the reports on its actions for compliance. You will need to ask yourself if your enterprise needs this automation or if your IT department can handle the problem directly.

You can find more about IGA Solutions in our Identity Access Management Buyer’s Guide here.

Ben Canner


Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.