This year, it’s been fun to get out of the office and meet in person with customers, prospects and partners. Since many recent conversations have been about how identity is taking center stage in IT and security circles, I wanted to share my thoughts on the changes driving Identity Governance and Administration (IGA).
Identity security is now business-critical
From an IT perspective, the word “governance” implies a notion of processes that are effective and efficient in enabling organizations to achieve their IT goals. The IGA market originated in a pre-cloud era (more on this in my earlier LinkedIn post, “Why enterprises struggle with legacy Identity Governance & Administration”). As the founder of Aveksa, the first company in the IGA space, I remember well the business drivers that led to its birth. Back then, we needed efficient processes for two key IT goals: identity compliance, and identity administration. Those same needs remain today, but identity has become substantially more business critical.
Today, rapid cloud adoption and digital transformation are reshaping perspectives on identity. Identity is now recognized as both the new security perimeter and a critical security vector in the software development lifecycle. Yet, not only do the legacy IGA suites remain hard to deploy, let alone scale with the cloud, they fail to address the challenge of identity security. The old IGA suites were designed for identity compliance and identity administration, not for security. Their notion of “governance” doesn’t include processes that deal with the new identity security reality. Rather than adapting their products to this reality, the only thing that IGA vendors have changed is their marketing taglines.
Siloed solutions don’t solve a holistic problem
Unfortunately, identity security can’t be simply bolted on to your legacy IGA solution. Since identity is a holistic issue that spans on-prem, SaaS, and cloud infrastructure, it must be dealt with through a single control point. Identity-centric feature sets like CIEM and SSPM are red herrings! (More on this in my blog, “SSPM and CIEM are valuable feature sets, but do you really want a patchwork of identity security?”) Siloed solutions don’t solve a holistic problem. The customers I’ve spoken with over the past two years are looking for a comprehensive solution that takes the IGA paradigm to the next level and embraces identity security.
Identity security is not merely about helping security teams see who has access to what – it’s much more than a visibility issue. Organizations today don’t have the manpower to identify risks by watching dashboards, running daily reports, or, as some vendors would have you believe, to trudge through graph database visualizations of thousands of user entitlement chains. Comprehensive visibility into access is, no doubt, very useful. But security teams lack the manpower to get by on visibility alone. Identity and access gaps need to be detected and plugged proactively through automation, not manually by security staffers through graph visualizations or once a quarter during an access review process.
You need a single solution that:
- is woven into your DevSecOps practices
- automatically removes a terminated employee’s permissions across the enterprise
- catches a threat actor’s privilege escalation
- alerts you when a third party gets privileged access to your sensitive Snowflake data
- enforces business justifications for risky SaaS-to-SaaS API integrations
and so much more!
Cloud scale and complexity demand policy-based automation. They demand effective processes that use policies to continuously monitor the attack surface for identity risks, and enable remediation workflows. What organizations need is a security practice based on these processes.
We, at Zilla Security, see IGA through a new lens, a lens with a focal point that delivers efficient and effective processes for identity security AND identity compliance and administration.
To learn more and see how Zilla’s policy-based automation and 500+ integrations make identity security easy, contact us.