Why enterprises struggle with legacy identity governance & administration

Nov 18, 2022

Traditionally, Identity Governance and Administration (IGA) solutions are known to help organizations improve their compliance and audit performance. But for companies looking for a solution that includes cloud platforms and SaaS services with fast time to value, legacy IGA solutions may not be the best approach. In this article, I will discuss why traditional IGA services fall short, and why it’s time to reassess and take a new approach that can save you a lot of time, money, and pain down the road.

Legacy IGA vendors always crow about how highly they are rated by Gartner. What they avoid talking about is that, according to Gartner, an estimated 50% of IGA deployments are in distress — that is, they have failed to achieve functional, budgetary, or timing commitments.

So why are organizations so unhappy with the IGA solutions they have purchased?

The answer lies in the history of IGA, the design center of most solutions, and the lack of innovation from leading vendors in recent years. 

The IGA market started in the mid-2000s, not as Identity Governance and Administration, but as just Identity or Access Governance. It was driven primarily by regulatory compliance. In the wake of the dotcom bust of the early 2000s, regulations grew by leaps and bounds, and enterprises struggled to support SOX, PCI, HIPAA, etc. A critical control every regulated enterprise needed was user access reviews. Every single identity governance deployment started with a focus on automating access reviews and compliance reporting.

Meanwhile, the growth of on-prem business applications made the lifecycle management of user access a headache. With operational efficiency in mind, IT leaders were exploring automated provisioning and access management based on business roles. These features started to merge into governance platforms, complicating them and turning Identity Governance into what is known today as Identity Governance and Administration.

More isn’t always better

Unlike access reviews, however, which were a “must-have” — and continue to be a “must-have” today — business roles and automated provisioning across the enterprise needed to prove their ROI and often failed to do so. Creating roles is easy, but maintaining them using most IGA solutions is a nightmare! And without good business-driven logic that adapts to a constantly changing IT environment, automated provisioning has weak legs. To make matters worse, legacy IGA vendors included ancillary IAM capabilities such as SSO, password reset, or privileged access management as part of their platforms, further increasing the complexity of their offerings.

On-prem…or truly SaaS

Leading IGA vendor solutions have historically been on-prem systems that IT has run on application servers and relational database servers – a painful deployment and maintenance process that many organizations endure to this day. Vendors have tried to “lift-and-shift” their offerings into AWS or Azure clouds, but the cloud-hosted transplanted offerings aren’t native SaaS and fall well short of their on-prem brethren in terms of functionality.

Never-ending professional services

Extracting entitlement data from hundreds of business applications has always been a challenge. Historically, entitlement data from on-prem apps was collected primarily through file exports. Some apps had custom APIs, which required developers to build custom API connectors. Security teams lacked the context to make semantic sense of data exports, and IGA vendors failed to make integration and customization simpler. IGA solutions also failed to help large enterprises deal with the organizational complexity of access review processes. As a result, IGA deployments became professional-services-oriented.

Every deployment became a heavy lift. Implementations took years and needed costly professional services consultants to maintain application and database servers, onboard apps with curated file exports, code API connectors, coordinate data imports with app owners, and implement process changes. Every new app became a thorn in the side of the IT team!

The cloud changed everything

While IGA platforms were taking ever longer to deploy and often stalling after a few apps, rapid cloud adoption was transforming IT. Today, cloud infrastructure, cloud databases, SaaS apps, DevOps pipelines, DevOps security, cloud scale, and agility are all in conflict with the complex, slow, professional-services-centric approaches that most IGA vendors espouse.

Here are some of the challenges we hear daily in our conversations with CISOs and CIOs.

  • IGA deployment costs and complexity are out of control and way over budget.
  • Vendors pay lip service to automation. 
  • Most deployments require sizable professional services teams for years. 
  • Connectors are limited to popular SaaS apps. Supporting other SaaS apps or homegrown cloud-native apps that store sensitive data is a costly development exercise. Vendors have no solution for the hundreds of cloud apps that lack both security APIs and file export capabilities.
  • IGA deployments struggle to support cloud platforms like AWS, Azure and GCP, and databases like Snowflake and Databricks. These systems have access models too complex for the core functionality of most IGA solutions.
  • “Convergence” is a pipe dream. Vendors sell the promise of “convergence” with suites that include access reviews, role mining, identity lifecycle management, and sometimes SSO or privileged access management. But deploying access reviews alone with one of these converged suites takes years!
  • IGA solutions do little to automate security remediation for identity threats, and the cloud has made identity a critical security vector.

So where does that leave organizations that are rapidly moving to the cloud, and yet hoping to sail through their IGA journey or save themselves from identity and access exposures?  They need to re-assess their investments and take a fresh look at the space. 

The cloud and digital transformation demand a new and simplified approach. At Zilla Security, we see IGA evolving into a new Identity Security Platform that embraces cloud and hybrid IT environments. Organizations today need a SaaS platform that’s simple to use, comprehensive in coverage of services and apps, automated, self-learning, and built for cloud scale. Most importantly, companies should be able to easily on-board all of their apps and services. That’s what Zilla delivers.


Author

    Zilla Security Co-Founder, CEO & President Deepak Taneja is an entrepreneur and security expert with extensive experience founding and leading enterprise software companies. Deepak has been at the forefront of innovation in identity management for over 25 years.

    His vision for Zilla is to secure the enterprise by automating the management of permissions to all applications and data. Prior to Zilla Security, he founded and led Aveksa, a pioneer in identity governance, and was CTO at RSA Security after Aveksa was acquired by RSA.

    Previously, as CTO for Netegrity, he led the evolution of SiteMinder into an industry-leading web access management platform. An avid supporter of technology entrepreneurship, Deepak has served as a board member and advisor to several successful startups. Deepak holds a B. Tech in Electrical Engineering from the Indian Institute of Technology, Kanpur, and an M.S. in Electrical Engineering from the University of Florida.
