Modern IGA: Modern Identity Governance and Administration
Discover the history of IGA, why legacy IGA fails in the modern cloud era, and the key components of a successful modern IGA solution.
What is Identity Governance and Administration (IGA)?
Identity Governance and Administration (IGA) is the process of managing and controlling who has access to what information in an organization. It ensures that only the right people have access to the right resources at the right times for the right reasons. This in turn helps organizations comply with standards and regulatory frameworks, and it helps improve cyber security posture.
Software solutions that implement identity governance and administration (IGA) help to streamline and automate the essential components of IGA:
- executing access reviews to demonstrate compliance
- establishing roles or other mechanisms to manage which access and permissions are appropriate for the different users across the organization
- granting, modifying, and revoking access to resources
- controlling the workflow essential to each of the above
What is the history of Identity Governance and Administration?
Identity Governance and Administration emerged over 20 years ago as a category of solutions within the broader identity market. Initially, IGA was designed to address compliance needs within IT environments driven by standards, regulations, and laws such as the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and Payment Card Industry (PCI) compliance. It became required for companies to audit user access to IT infrastructure and applications. IGA tools were essentially compliance tools.
One of the pioneers in developing the first IGA solution was Zilla Security’s CEO, Deepak Taneja. He was a founder of Aveksa, an early IGA company that was later acquired by EMC and became part of the RSA Security suite of offerings.
A natural evolution of reviewing and reporting on user access and entitlements was an expansion into provisioning them. However, doing this effectively required deeper knowledge of the appropriate entitlements for each user and application—a complex problem. To deal with this complexity, IGA encompassed the concept of roles as abstractions that bundled permissions together with groups of users.
Over time, two major environmental changes, both aligned with cloud computing, added entirely new aspects of complexity. First, a wave of SaaS solutions collided with the traditional on-premises IT environment. These were often purchased and owned by individual departments, or even small teams, outside of the control of IT. There were more entitlements and accounts to manage, and much more workflow required to include them in governance activities.
Second, a wave of custom or customized cloud applications developed in-house and running on cloud infrastructure added to the same issues. In particular there were the extensive security and entitlements available in environments such as AWS and Azure, and there was a user base that expanded to include developers and DevOps teams.
Deepak Taneja’s hands-on role in designing the early identity governance architecture models is what later allowed him to pinpoint that, while the enterprise continued to evolve, legacy IGA did not.
To keep pace with these dramatic changes to the IT environment, new kinds of IGA solutions have been required, culminating in Modern IGA.
For more information, see Zilla’s Why Legacy IGA Fails in the Modern Cloud Era.
What essential components are included in identity governance and administration?
Identity governance and administration has several essential components:
- Access Review Compliance and Audit Management: Validates that access policies comply with relevant regulations and standards. It also includes monitoring and reporting to ensure adherence to policies.
- Lifecycle Management or Provisioning: This is the process for granting, modifying, and revoking access to joiners, movers, and leavers.
- Access Control Management: This is the means for determining who is entitled to which level(s) of access to which resources, traditionally managed through the process of defining and maintaining roles to enable a Role-Based Access Control (RBAC) paradigm.
- Identity Security: This includes components to continuously identify inappropriate permissions that could open a cyber security attack vector.
- Self-Service and Delegated Administration: Allows users and managers to request access or manage access for their teams, reducing the burden on IT.
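The components above (lifecycle management for joiners, movers and leavers; role-based access control; access review; identity security) come together when per-application entitlement exports are correlated against an HR feed and a role catalogue. The following is an added example, not Zilla’s code or any product’s data model: all users, applications, role bundles and entitlement names are constructed sample values, and the categories (leaver access, out-of-role access, accounts with no HR owner, in-role access that a reviewer need not re-examine) are one reasonable way to organise the output of such a correlation.

```python
"""Added example (not Zilla's code): correlate a constructed HR feed with
constructed per-application entitlement exports to produce the items that
a joiner/mover/leaver process and an access review must act on."""

# Constructed role catalogue: role -> set of (application, entitlement)
# that the role is expected to carry. In an RBAC model this is the bundle.
ROLE_BUNDLES = {
    "engineer": {("github", "repo:write"), ("aws", "DeveloperAccess")},
    "finance": {("netsuite", "ap_clerk"), ("salesforce", "viewer")},
}

# Constructed HR feed: the authoritative source for role and employment status.
HR_FEED = {
    "alice": {"role": "engineer", "status": "active"},
    "bob": {"role": "finance", "status": "active"},  # a mover: used to be an engineer
    "carol": {"role": "finance", "status": "terminated"},  # a leaver
}

# Constructed entitlement exports, as an IGA integration would collect them
# from each application: app -> user -> set of entitlements held.
APP_EXPORTS = {
    "github": {"alice": {"repo:write"}, "bob": {"repo:write"}},
    "aws": {"alice": {"DeveloperAccess"}, "carol": {"AdministratorAccess"}},
    "netsuite": {"bob": {"ap_clerk"}, "svc-backup": {"admin"}},
}


def review_findings(hr, exports, bundles):
    """Classify every (user, app, entitlement) triple found in the exports.

    leaver_access     -> held by a terminated identity; deprovision immediately
    unknown_identity  -> no HR record (orphan or service account); needs an owner
    out_of_role       -> active user holding access outside their role bundle;
                         this is what a human reviewer must actually decide on
    in_role           -> matches the role bundle; a candidate for pre-approval
    """
    findings = {"leaver_access": [], "unknown_identity": [], "out_of_role": [], "in_role": []}
    for app, users in exports.items():
        for user, ents in users.items():
            record = hr.get(user)
            for ent in sorted(ents):
                triple = (user, app, ent)
                if record is None:
                    findings["unknown_identity"].append(triple)
                elif record["status"] != "active":
                    findings["leaver_access"].append(triple)
                elif (app, ent) in bundles.get(record["role"], set()):
                    findings["in_role"].append(triple)
                else:
                    findings["out_of_role"].append(triple)
    return findings
```

Running `review_findings(HR_FEED, APP_EXPORTS, ROLE_BUNDLES)` on the constructed data flags Carol’s lingering AWS administrator access as leaver access, Bob’s retained GitHub write access as out-of-role (his move to finance was never reconciled), and the `svc-backup` account as having no HR owner, while Alice’s in-role entitlements need no reviewer attention.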
What problem is identity governance solving, and why now?
Identity Governance and Administration addresses several problems that can arise in any organization.
- Compliance: Ensures organizations adhere to regulations like GDPR, HIPAA, NYDFS, NYSDOH, and SOX as well as technical certifications such as SOC 2 and ISO 27001 by managing access in line with their requirements.
- Efficiency: Automates tedious access and permissions management tasks, such as deciding what permissions are appropriate for every user and application, and gathering management approvals. This frees up IT resources for more strategic activities.
- Unauthorized Access: Prevents unapproved users from accessing sensitive information, reducing security risks.
- Transparency: Provides clear visibility into who has access to what, making it easier to audit and track access rights.
Each of these problems has an element of scale: they become more severe as the number of users, applications, and entitlements increases. In particular, the growth in the number of applications, many of which aren’t owned and administered by IT, has compounded the problems that organizations face.
In fact, organizations in 2024 use an average of 112 SaaS applications, up from only 16 in 2017, and organizations with over 5000 employees use an average of 158 SaaS applications. (Source: BetterCloud.)
Furthermore, most of these problems are only getting worse over time. For example, in a recent survey by Zilla, 91% said the scope of their compliance activities had increased in the last three years, with 84% saying they expected that trend to continue.
Why is identity governance and administration (IGA) the solution?
Identity Governance and Administration (IGA) is 100% focused on the identity governance problem. Consequently, an identity governance solution consists of just those components that are required for robust automation. Also important is that an identity governance solution avoids extraneous functionality that distracts from the key mission or is better handled as part of an alternative solution.
For example, Single Sign On (SSO) is a centralized, consistent authentication function, not identity governance. It can ensure consistent management of credentials, and it certainly makes authentication more consistent, but it doesn’t address user entitlement for applications and permissions within applications.
What issues exist with legacy identity governance solutions?
It has been twenty years since the first identity governance solutions became available, and while they clearly helped organizations meet their identity governance challenges, times have changed.
In particular, the IT environment has changed over time. Twenty years ago, essentially all IT applications were selected by the IT department, managed by the IT department, and run on-premises. This made for a governance environment that was well controlled and not too extensive. And even then, managing user roles became almost an end unto itself—very time consuming.
The value of legacy governance has eroded with the explosion of SaaS, cloud applications, DevOps, and distributed IT. There are too many applications with too much distributed knowledge about governance for legacy solutions to work. Legacy IGA encounters these key issues:
- Time-consuming, expensive integration with applications, so deployments are slow and can’t keep up with changes in the applications that an organization uses. In a recent survey, 89% of respondents said they’d integrated fewer than half their applications with their IGA solution.
- Too much dependency upon IT-managed roles to try to simplify the administration of user entitlements. Defining and maintaining business roles across many cloud and on-prem applications is often too challenging. There is usually no person or team that has the context to own and maintain a business role, especially as users move within the organization and new applications are introduced. The situation is exacerbated by all-too-frequent re-organizations and M&A activity. In a recent survey, only 10% could confidently say that they had defined business roles and were comfortably maintaining them—the other 90% were struggling or had given up.
- Slow, expensive provisioning and user access review activities.
- A lack of functionality around data security, since legacy IGA solutions weren’t built with security posture and proactive detection capabilities at the outset.
For more information, see Zilla’s whitepaper, Why Legacy IGA Fails in the Modern Cloud Era.
What is Modern Identity Governance and Administration?
Modern Identity Governance and Administration (IGA) is purpose-built for the cloud and app era. It also takes learnings from the many years of Legacy IGA deployments to deliver automation in the areas where Legacy IGA solutions have proven to have gaps. Modern IGA combines complete and automated application integration, AI capabilities, a more comprehensive identity data model, and security capabilities to defend against modern threats.
Here are some core features that differentiate the approach of Modern IGA from legacy IGA:
- Easy-to-set-up, continuous, automated application integrations, based upon no-code integration via APIs and robotic automation, for SaaS and custom-built applications whether deployed on-prem or in the cloud.
- AI-driven role management profiles to fully automate the discovery and management of business roles, and to automate key parts of the approval process.
- A comprehensive identity map that includes an organization’s expanded array of identities and applications, providing a single source of truth for permissions.
- Risk detection capabilities to proactively identify and remediate the #1 vector for cyber attacks—identity exposures.
How does Modern IGA resolve the issues with legacy IGA?
Modern Identity Governance and Administration (IGA) is built from scratch with capabilities that address today’s environment—one that includes an explosion of applications, decentralized management, and identity-based security threats. Thus it addresses the issues that users of legacy IGA solutions struggle with every day.
| Legacy IGA Issue | Modern IGA Solution |
|---|---|
| Application integrations are difficult to set up, generally requiring bespoke and costly consulting services, which forces many IGA processes to be handled manually | Extensive built-in integrations plus robotic automation for custom and API-less applications |
| Difficulty in centrally defining and maintaining roles, which has become even more challenging as the number of applications has increased and the ownership and expertise of these apps is often widely distributed across the organization | AI profiles for discovery and maintenance of job-appropriate permissions |
| Slow provisioning processes that depend on many manual approvals, which delays business users from doing their job | AI-based, automated pre-approvals that accelerate provisioning and dramatically reduce repetitive, annoying approval requests |
| Time-consuming user access reviews with manual data collection and correlation, which increases the effort required to satisfy auditor requirements around completeness and accuracy of reviews | Automatic data collection, AI-recommended pre-approvals that greatly reduce the number of entitlements requiring repetitive review, and an auto-populated evidence repository with a comprehensive audit trail |
How valuable is an effective identity governance solution?
Often, compliance requirements are the reason organizations first consider an IGA solution. These organizations are required to perform access reviews for an audit, and therefore have no choice but to put a process in place for doing reviews. The process requires collecting a large amount of entitlement data from different applications, correlating it, having a large number of people in the organization participate in reviewing the data for its appropriateness, and prepping for the audit. The question is whether to implement a software solution to assist with this process or to comply manually.
Our experience at Zilla is that the choice is clear. The benefits of automation and AI in modern IGA open the doors to achieving a single source of truth for entitlement information throughout the organization and, subsequently, faster and more accurate provisioning and access reviews. Achieving this manually is almost impossible, and getting even partway there is incredibly time-intensive. We regularly see 80% time savings in using an IGA solution vs. manual methods, resulting in our customers saving, on average, over $600,000 per year. This is on top of the benefit of improving identity security, avoiding unfavorable audit findings, and avoiding substantial business risks.
Despite the clear advantage of an automated solution, in a recent survey, Zilla found that less than 6% of companies have fully automated IGA processes with an IGA solution, and of those only 11% have integrated half or more of all their applications. For those who hadn’t implemented automation, integration effort was the main reason. In fact, 61% of organizations that have implemented an IGA solution have only fully integrated 25 or fewer applications.