Top 3 Reasons IGA Projects Fail

by Adam St. Onge | Feb 29, 2024

Identity Governance and Administration (IGA) projects are crucial to properly securing an environment, completing audits, and boosting operational efficiency through the audit process. However, legacy Identity Governance projects have a reputation for failure. Gartner identifies that over 50% of IGA deployments are distressed and fail to achieve their functional, budgetary, or timing commitments. That statistic is alarming given that the majority of today’s data breaches are rooted in identity. To help teams better understand why legacy IGA projects become distressed, we have compiled data from conversations with identity security practitioners and consulting partners.
 

These are the top 3 most common reasons Identity Governance projects fail:


1. Starting with Provisioning:

The provisioning phase of an IGA project is the most complex phase to begin with. You have to contend with the immediate integration of all applications; the cataloging of all permissions, roles, groups, and approvers; and all the business logic for birthright permissions, what is requestable, and what the approval workflows look like. It can take months to years before users see the value of this phase, and executive leadership grows frustrated with the slow progress.


2. Integration Challenges:

Identity governance projects often involve integrating with many existing systems, such as HR systems, directories, business applications, and databases. Failure to integrate these systems can result in gaps in audit reporting, data oversights, over-permissioned users, and difficulties in managing identities and access rights effectively. With legacy IGA solutions, integrations for all but the most popular applications typically require custom development. These development cycles can stretch from months to years and add significant professional services costs and frustration to the project. Inevitably, every project ends up with an island of applications deemed too complex to integrate and cast aside. Even after all the investment in a platform, professional services, and internal teams’ time, people are stuck working manually on some applications.


3. Reviewer Resistance:

To complete a user access review campaign properly, an organization needs participation and analysis from application owners and supervisors across the company. This can be a large population of people and include a non-technical subset. If the access review process being implemented is cumbersome and hard to understand, reviewers can become overwhelmed and fail to complete the process accurately. In some cases, the reviewers do not perform their review at all. This forces the campaign owners to chase these reviewers, leading to unnecessary labor waste and frustration for everyone involved.
 

Understanding these failure points is the first step in moving towards a path that offers greater success. 

How to Improve Success Rates and Create Wins:


1. Project Sequencing:

Design the project in phases aligned with delivering value to the most critical functions. Start the project with compliance functions, such as user access reviews focused on critical applications; this provides a reasonable first phase with an immediate impact. Teams will focus on the integrations with the HR system, directory, and critical applications to establish a foundation for future phases, while also delivering value to the GRC, Audit, and Security teams who are struggling with a manual or legacy IGA campaign-building process today. It will also have a cascading impact on all the supervisors and application owners who struggle to complete user access reviews in the current system, providing an improved experience for a broad population of the organization. There is also a positive deliverable for the executive team, who can be legally liable for SOX violations. By focusing on compliance first, you deliver the most value and remove risk from the organization.


2. Automate:

Leverage a platform like Zilla Security that prioritizes automation capabilities without requiring custom development. If your platform requires development to connect to dozens or hundreds of applications, you are introducing substantial risk to your project timelines and the possibility of not being able to integrate with critical applications. In your research, find a platform that lets you test integrating your applications directly, to validate that the platform will work with the crucial applications and that the time to value you are expecting will be delivered. Make sure your testing includes custom applications, critical third-party vendors, and any SaaS applications in scope for your compliance efforts.


3. Simplify UAR process:

Provide clarity and flexibility in your user access review process. You can do this in your project by providing clear descriptions of the permissions in plain language, an automated escalation policy for reviews past their deadline, and the ability to reassign permissions to be reviewed. Every organization has reviewers who must be chased to complete their review on time. Permissions can be cryptic and confusing for a reviewer, especially a non-technical one. To avoid rubber stamping, provide a simple description of each permission in the user access review. This allows the reviewer to quickly understand what the permission is and make the appropriate judgment on whether it should be maintained or revoked. Using a platform that automatically escalates an overdue review to the reviewer’s supervisor also removes the compliance team from having to persistently remind people and beg them to complete their portion of the review. Reviews can also become delayed when reviewers do not understand a permission. The reviewer may need to discuss the access with a subject matter expert, or the reviewer could become overwhelmed and simply not complete the review. To avoid this, give your team the ability to reassign permissions so that the most qualified person is reviewing every permission in a review. The challenges surrounding identity governance projects are many, but selecting the best platform for your organization and putting the right organizational processes in place can ensure that your team will be successful in their project.
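To make the three mechanisms in this section concrete (plain-language permission descriptions, automatic escalation of overdue reviews to the supervisor, and reassignment to a subject matter expert), here is a small Python model of a user access review campaign. It is an added illustration written for this page, not code from the original post or from Zilla Security; the permission catalog, supervisor map, user names and dates are all constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class ReviewItem:
    item_id: str
    user: str                 # identity whose access is under review
    permission: str           # raw entitlement name as exported from the application
    description: str          # plain-language meaning shown to the reviewer
    reviewer: str
    due: date
    decision: Optional[str] = None          # "keep" / "revoke"; None while pending
    history: List[str] = field(default_factory=list)


# Constructed catalog: cryptic entitlement name -> plain-language description.
PERMISSION_CATALOG: Dict[str, str] = {
    "ERP_AP_PAY_RUN": "Can approve and release vendor payment runs in the ERP system",
    "CRM_EXPORT_ALL": "Can export the full customer list from the CRM",
    "AD_DOMAIN_ADMINS": "Full administrative control of the Active Directory domain",
}

# Constructed org data: reviewer -> supervisor, used by the escalation policy.
SUPERVISORS: Dict[str, str] = {"alice": "carol", "bob": "carol", "carol": "dave"}


def describe(permission: str) -> str:
    """Plain-language text for the reviewer; an uncatalogued entitlement is flagged
    rather than silently shown raw, so the campaign owner can fix the catalog."""
    return PERMISSION_CATALOG.get(permission, f"UNDESCRIBED: {permission} (catalog entry missing)")


def build_campaign(assignments: Iterable[Tuple[str, str, str]], due: date) -> List[ReviewItem]:
    """assignments: (user, permission, reviewer) triples exported from the applications."""
    return [
        ReviewItem(item_id=f"R{i + 1}", user=u, permission=p, description=describe(p), reviewer=r, due=due)
        for i, (u, p, r) in enumerate(assignments)
    ]


def record_decision(item: ReviewItem, decision: str, today: date) -> None:
    if decision not in ("keep", "revoke"):
        raise ValueError(f"unknown decision {decision!r}")
    if item.decision is not None:
        raise ValueError(f"{item.item_id} already decided")
    item.decision = decision
    item.history.append(f"{today}: {item.reviewer} decided {decision}")


def escalate_overdue(items: List[ReviewItem], supervisors: Dict[str, str],
                     today: date, extension_days: int = 3) -> List[str]:
    """Hand every pending item past its deadline to the reviewer's supervisor with a
    short new deadline. Returns the ids that were escalated; items whose reviewer has
    no supervisor are left for the campaign owner and noted in the history."""
    escalated: List[str] = []
    for item in items:
        if item.decision is not None or today <= item.due:
            continue
        sup = supervisors.get(item.reviewer)
        if sup is None or sup == item.reviewer:
            item.history.append(f"{today}: overdue, no supervisor to escalate to")
            continue
        item.history.append(f"{today}: overdue, escalated {item.reviewer} -> {sup}")
        item.reviewer = sup
        item.due = today + timedelta(days=extension_days)
        escalated.append(item.item_id)
    return escalated


def reassign(item: ReviewItem, new_reviewer: str, reason: str, today: date) -> None:
    """Let a reviewer hand an item to a subject matter expert instead of guessing."""
    if item.decision is not None:
        raise ValueError(f"{item.item_id} already decided; nothing to reassign")
    item.history.append(f"{today}: reassigned {item.reviewer} -> {new_reviewer} ({reason})")
    item.reviewer = new_reviewer


def campaign_status(items: List[ReviewItem]) -> Dict[str, int]:
    status = {"pending": 0, "keep": 0, "revoke": 0, "undescribed": 0}
    for item in items:
        status[item.decision or "pending"] += 1
        if item.description.startswith("UNDESCRIBED"):
            status["undescribed"] += 1
    return status


if __name__ == "__main__":
    items = build_campaign(
        [("uma", "ERP_AP_PAY_RUN", "bob"), ("vic", "CRM_EXPORT_ALL", "alice"), ("wes", "LEGACY_X", "alice")],
        due=date(2024, 2, 28),
    )
    record_decision(items[1], "keep", date(2024, 2, 27))
    print("escalated:", escalate_overdue(items, SUPERVISORS, date(2024, 3, 1)))
    reassign(items[2], "erin", "needs the application owner", date(2024, 3, 1))
    print(campaign_status(items))
    for it in items:
        print(it.item_id, it.reviewer, it.due, it.history)
```

The `undescribed` counter is the useful signal for the campaign owner: every permission that reaches a reviewer without a plain-language description is a rubber-stamp risk, and the count should be driven to zero before the campaign launches. The escalation chain stops at the top of the supervisor map, which is exactly the set of items the compliance team still has to chase by hand.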

Author

  • Adam St. Onge

    Adam St. Onge is the Regional Director of Sales for Zilla Security, leading a team of sales professionals. He is passionate about solving complex problems and driving results that help internal and external teams reach their goals.

    Before joining Zilla Security, Adam held technical and leadership positions in organizations ranging from Fortune 500 to disruptive start-ups. These roles included responsibilities for technical architecture, engineering, IT operations, and technical sales.

    Adam holds a Bachelor's degree in Computer Science from Mount Saint Mary College and a Master's degree in Networking from Rochester Institute of Technology.

    Connect with Adam via LinkedIn.
