Modern IGA: Modern Identity Governance and Administration
Discover the history of IGA, why legacy IGA fails in the modern cloud era, and the key components of a successful modern IGA solution.
What is Identity Governance and Administration (IGA)?
Identity Governance and Administration (IGA) is the process of managing and controlling who has access to what information in an organization. It ensures that only the right people have access to the right resources at the right times for the right reasons. This in turn helps organizations comply with standards and regulatory frameworks, and it helps improve cyber security posture.
Software solutions that implement identity governance and administration (IGA) help to streamline and automate the essential components of IGA:
- executing access reviews to demonstrate compliance
- establishing roles or other mechanisms to manage which access and permissions are appropriate for the different users across the organization
- granting, modifying, and revoking access to resources
- controlling the workflow essential to each of the above
What is the history of Identity Governance and Administration?
Identity Governance and Administration emerged over 20 years ago as a category of solutions within the broader identity market. Initially, IGA was designed to address compliance needs within IT environments driven by standards, regulations, and laws such as the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and Payment Card Industry (PCI) compliance. It became required for companies to audit user access to IT infrastructure and applications. IGA tools were essentially compliance tools.
One of the pioneers in developing the first IGA solution was Zilla Security’s CEO, Deepak Taneja. He was a founder of Aveksa, an early IGA company that was later acquired by EMC and became part of the RSA Security suite of offerings.
A natural evolution of reviewing and reporting on user access and entitlements was an expansion into provisioning them. However, doing this effectively required deeper knowledge of the appropriate entitlements for each user and application—a complex problem. To deal with this complexity, IGA encompassed the concept of roles as abstractions that bundled permissions together with groups of users.
Over time, two major environmental changes, both aligned with cloud computing, added entirely new aspects of complexity. First, a wave of SaaS solutions collided with the traditional on-premises IT environment. These were often purchased and owned by individual departments, or even small teams, outside of the control of IT. There were more entitlements and accounts to manage, and much more workflow required to include them in governance activities.
Second, a wave of custom or customized cloud applications developed in-house and running on cloud infrastructure added to the same issues. In particular there were the extensive security and entitlements available in environments such as AWS and Azure, and there was a user base that expanded to include developers and DevOps teams.
Deepak Taneja’s integral involvement in and design of the early identity governance architecture models is what allowed him to later pinpoint the fact that, while the enterprise continued to evolve, legacy IGA did not.
To keep pace with these dramatic changes to the IT environment, new kinds of IGA solutions have been required, culminating in Modern IGA.
For more information, see Zilla’s Why Legacy IGA Fails in the Modern Cloud Era.
What essential components are included in identity governance and administration?
Identity governance and administration has several essential components:
- Access Review Compliance and Audit Management: Validates that access policies comply with relevant regulations and standards. It also includes monitoring and reporting to ensure adherence to policies.
- Lifecycle Management or Provisioning: This is the process for granting, modifying, and revoking access to joiners, movers, and leavers.
- Access Control Management: This is the means for determining who is entitled to what specific level(s) of permissive access to which resources, traditionally managed through the process of defining and maintaining roles to enable a Role-Based Access Control (RBAC) paradigm.
- Identity Security: This includes components to continuously identify inappropriate permissions that could open a cyber security attack vector.
- Self-Service and Delegated Administration: Allows users and managers to request access or manage access for their teams, reducing the burden on IT.
What problem is identity governance solving, and why now?
Identity Governance and Administration addresses several problems that can arise in any organization.
- Compliance: Ensures organizations adhere to regulations like GDPR, HIPAA, NYDFS, NYSDOH, and SOX as well as technical certifications such as SOC 2 and ISO 27001 by managing access in line with their requirements.
- Efficiency: Automates tedious access and permissions management tasks–such as deciding what permissions are appropriate for every user and application, and gathering management approvals. This frees up IT resources for more strategic activities.
- Unauthorized Access: Prevents unapproved users from accessing sensitive information, reducing security risks.
- Transparency: Provides clear visibility into who has access to what, making it easier to audit and track access rights.
Each of these problems has an element of scale to them, in that the problems are more severe when there are increases in the number of users, applications, and entitlements. In particular, the growth in the number of applications, many of which aren’t owned and administered by IT, has compounded the problems that organizations face.
In fact, organizations in 2024 average the use of 112 SaaS applications, up from only 16 in 2017. And organizations with over 5000 employees average use of 158 SaaS applications. (Source: BetterCloud).
Furthermore, most of these problems are only getting worse over time. For example, in a recent survey by Zilla, 91% said the scope of their compliance activities had increased in the last three years, with 84% saying they expected that trend to continue.
Why is identity governance and administration (IGA) the solution?
Identity Governance and Administration (IGA) is 100% focused on the identity governance problem. Consequently, an identity governance solution consists of just those components that are required for robust automation. Also important is that an identity governance solution avoids extraneous functionality that distracts from the key mission or is better handled as part of an alternative solution.
For example, Single Sign On (SSO) is a centralized, consistent authentication function, not identity governance. It can ensure consistent management of credentials, and it certainly makes authentication more consistent, but it doesn’t address user entitlement for applications and permissions within applications.
What issues exist with legacy identity governance solutions?
It has been twenty years since the first identity governance solutions became available, and while they were clearly helpful in organizations meeting their identity governance challenges, times have changed.
In particular, the IT environment has changed over time. Twenty years ago, essentially all IT applications were selected by the IT department, managed by the IT department, and run on-premises. This made for a governance environment that was well controlled and not too extensive. And even then, managing user roles became almost an end unto itself—very time consuming.
The value of legacy governance has eroded with the explosion of SaaS, cloud applications, DevOps, and distributed IT. There are too many applications with too much distributed knowledge about governance for legacy solutions to work. Legacy IGA encounters these key issues:
- Time consuming, expensive integration with applications, so deployments are slow, and they can’t keep up with changes in the applications that an organization uses. In a recent survey, 89% of respondents said they’d integrated fewer than half their applications with their IGA solution.
- Too much dependency upon IT-managed roles to try and simplify the administration of user entitlements. Defining and maintaining business roles across many cloud and on-prem applications is often too challenging. There is usually no person or team that has the context to own and maintain a business role, especially as users move within the organization and new applications are introduced. The situation is exacerbated by all-too-frequent re-organizations and M&A activity. In a recent survey, only 10% could confidently say that they had defined business roles and were comfortably maintaining them—the other 90% were struggling or had given up.
- Slow, expensive provisioning and user access review activities.
- A lack of functionality around data security, since legacy IGA solutions weren’t built with security posture and proactive detection capabilities at the outset.
For more information, see Zilla’s whitepaper, Why Legacy IGA Fails in the Modern Cloud Era.
What is Modern Identity Governance and Administration?
Modern Identity Governance and Administration (IGA) is purpose-built for the cloud and app era. It also takes learnings from the many years of Legacy IGA deployments to deliver automation in the areas where Legacy IGA solutions have proven to have had gaps. Modern IGA combines complete and automated application integration, AI capabilities, a more comprehensive identity data model, and security capabilities to defend against modern threats.
Here are some core features that differentiate the approach of Modern IGA from legacy IGA:
- Easy-to-set-up continuous, automated application integrations, based upon no-code integration via APIs and robotic automation, for SaaS and custom-built applications whether deployed on-prem or in the cloud.
- AI-driven role management profiles to fully automate the discovery and management of business roles, and to automate key parts of the approval process.
- A comprehensive identity map that includes an organization’s expanded array of identities and applications, providing a single source of truth for permissions.
- Risk detection capabilities to proactively identify and remediate the #1 vector for cyber attacks—identity exposures.

How does Modern IGA resolve the issues with legacy IGA?
Modern Identity Governance and Administration (IGA) is built from scratch with capabilities that address today’s environment—one that includes an explosion of applications, decentralized management, and identity-based security threats. Thus it addresses the issues that users of legacy IGA solutions struggle with every day.
Legacy IGA Issue | Modern IGA Solution |
---|---|
Application integrations are difficult to set up, generally requiring bespoke and costly consulting services, which forces many IGA processes to be handled manually | Extensive built-in integrations plus robotic automation for custom and API-less applications |
Difficulty in centrally defining and maintaining roles, which has become even more challenging as the number of applications has increased and the ownership and expertise of these apps is often widely distributed across the organization | AI profiles for discovery and maintenance of job-appropriate permissions |
Slow provisioning processes that depend on many manual approvals, which delays business users from doing their job | AI-based, automated pre-approvals that accelerate provisioning and dramatically reduce repetitive, annoying approval requests |
Time consuming user access reviews with manual data collection and correlation, which increases effort required to satisfy auditor requirements around completeness and accuracy of reviews | Automatic data collection, AI-recommended pre-approvals that greatly reduce the number of entitlements requiring repetitive review, and an auto-populated evidence repository with a comprehensive audit trail |
How valuable is an effective identity governance solution?
Often, compliance requirements are the reason organizations first consider an IGA solution. These organizations are required to perform access reviews for an audit, and therefore have no choice but to put a process in place for doing reviews. The process requires collecting a large amount of entitlement data from different applications, correlating it, having a large number of people in the organization participate in reviewing the data for its appropriateness, and prepping for the audit. The question is whether to implement a software solution to assist with this process or to comply manually.
Our experience at Zilla is that the choice is clear. The benefits of automation and AI in modern IGA open the doors to achieving a single source of truth for entitlement information throughout the organization and subsequently faster, more accurate provisioning and access reviews. Achieving this manually is almost impossible, and incredibly time-intensive to get even partially there. We regularly see 80% time savings in using an IGA solution vs. manual methods, resulting in our customers saving, on average, over $600,000 per year. This is on top of the benefit of improving identity security, avoiding unfavorable audit findings, and avoiding substantial business risks.
Despite the clear advantage of an automated solution, in a recent survey, Zilla found that less than 6% of companies have fully automated IGA processes with an IGA solution, and of those only 11% have integrated half or more of all their applications. For those who hadn’t implemented automation, integration effort was the main reason. In fact, 61% of organizations that have implemented an IGA solution have only fully integrated 25 or fewer applications.
What kind of organizations use an identity governance solution?
Many types of businesses can benefit from an Identity Governance and Administration (IGA) solution, especially those that handle sensitive data and need to comply with regulatory requirements.
Here are some examples:
- Financial Institutions: Banks, credit unions, and investment firms need to protect customer financial data and comply with regulations like SOX, GDPR, and NYDFS.
- Healthcare and Pharmaceutical Organizations: Hospitals, clinics, pharmaceutical, and insurance companies handle sensitive patient information and must comply with HIPAA, NYSDOH, and FDA regulations.
- Government Agencies: Public sector organizations need to ensure secure access to sensitive information and comply with various federal regulations.
- Educational Institutions: Universities and schools manage student and staff data, requiring compliance with privacy laws like FERPA.
- Retail and eCommerce Companies: Businesses that handle customer payment information need to protect against data breaches and comply with PCI DSS standards.
- Technology Companies: Firms that develop and manage software and cloud services need to secure access to their systems and data.
- Manufacturing Companies: Organizations that handle proprietary information and intellectual property need to ensure secure access and compliance with industry standards.
In essence, any business that needs to manage user access, ensure compliance, and protect sensitive information can benefit from an IGA solution. In a recent survey, 80% of respondents are performing access reviews to satisfy two or more compliance obligations, with 91% of respondents reporting an increased scope of access reviews over the last 3 years.
The vast majority of these organizations really need a Modern IGA solution because of their hybrid SaaS and on-prem environments.
How important is application integration to an identity governance solution?
An identity governance solution is only as good as its application coverage. All the use cases—including user access reviews, provisioning, and identity security—are crippled without comprehensive inclusion of all an organization’s business applications. That’s why it’s critical that application integration be comprehensive, continuously up-to-date, efficient, and cost effective.
At Zilla we feature out-of-the-box integration with over 1000 applications, plus the ability to easily add new and custom applications using robotic automation. Existing integrations cover the full range of commercial applications, including:
- Analytics
- Collaboration & Productivity
- CRM & Customer Service
- Development
- Finance & Accounting
- Healthcare & Life Sciences
- Human Resources
- Insurance
- IT & Security
- Sales & Marketing
Can AI be applied to an identity governance solution?
Yes, artificial intelligence (AI), particularly in the form of machine learning (ML), has strong applicability to an identity governance solution.
Machine learning algorithms that are trained with the right parameters on large datasets excel at identifying sophisticated patterns and anomalies. The same general techniques that can identify a human face in a sea of pixels—regardless of the lighting, size, or orientation—can also be used to identify patterns of application permissions associated with individual human and machine users.
In the realm of identity governance solutions, AI can both accelerate the provisioning of users and reduce the effort of access reviews. Zilla Provisioning, for example, automates parts of the provisioning process via pre-approvals based upon Zilla AI Profiles™, resulting in up to 75% fewer permissions that need to be reviewed by a human. It also helps ensure least privilege access when employees move to new roles within the organization.
Critically, Zilla implements machine learning while maintaining complete privacy for each organization—no data from one organization is shared with the learning algorithms of another organization. Training datasets are entirely segregated.
Do I need to manage complex roles with my identity governance solution?
Role-based access control (RBAC) approaches have often been seen as the best way to manage the mapping of identities and users to job-appropriate access and entitlements. However, in a modern IT environment there are several problems with this approach: entitlements are highly complex; there’s constant change in users, entitlements, and applications; and the knowledge of how to establish them properly is spread throughout the organization. As a result, 90% of organizations struggle to leverage business roles or haven’t defined roles due to the level of effort required.
A new approach to supplement or replace complex roles within your identity governance solution is to leverage AI in the form of machine learning (ML). Zilla AI Profiles™ can effectively replace much of the effort that goes into maintaining complex roles by automatically inferring patterns of permissions and associated users based upon a variety of characteristics, such as their title or job code, group, position in the organization, physical location, and more. Rather than spending time maintaining roles, organizations that leverage Zilla Provisioning effectively manage by exception, with pre-approvals resulting in up to 75% fewer permissions that need to be reviewed by a human.
How is identity governance better than manual methods such as spreadsheets?
Spreadsheets are fine (you might even say they excel) at organizing data where there’s a low level of complexity, not much scale, few users interacting with it, and no need for transactional integrity. If that sounds like your environment of applications, permissions, users, and compliance needs—then consider spreadsheets.
However, we often see an IGA solution pay off for organizations with as few as 250 users. And after 1000 users or more, it’s not uncommon for entitlements to reach the scale of hundreds of thousands or even millions–beyond where spreadsheets are a reasonable solution.
How does Modern IGA compare with “Light” IGA solutions?
Identity providers (IdPs) such as Okta, Microsoft Azure AD, and OneLogin are excellent at supporting use cases around directory, authentication, SSO and session management. Over time, IdPs have grown to offer limited identity lifecycle management to the extent that they can provision and deprovision user accounts and groups to some cloud applications—the basis of so-called “Light IGA”.
The problem is that, in the real world, governing access is about governing permissions (also known as entitlements). It would be nice if directory group membership could easily be correlated with permissions in all the hundreds (or thousands) of an organization’s applications. But it can’t. A Single Sign On (SSO) solution can’t even necessarily control access to applications, given many applications will have user/password access outside of an SSO. And of course controlling access to an application doesn’t mean you control the permissions within it.
So a “Light IGA” fundamentally can’t monitor, review, provision, and deprovision the expansive, intricate set of permissions that exist in an organization. For that purpose, real IGA – Modern IGA – is a requirement.
For more information, check out the Zilla blog post, The problems with featherweight IGA – what Identity Provider vendors don’t tell you!
If I have a Single Sign On (SSO) solution, why do I need identity governance?
While Single Sign On (SSO) and multi-factor authentication (MFA) solutions enable authentication to be managed centrally by IT in a shared and scalable way, they don’t come close to addressing the full range of identity governance issues, for the following reasons:
- Most organizations, especially larger ones, have legacy applications that don’t fully integrate with an SSO solution. But a Modern IGA solution, while not providing single sign on, can report upon user accounts and entitlements as well as provision them correctly.
- SSO solutions don’t have a model of complex entitlement information, which can vary from application to application. Therefore they can’t perform comprehensive compliance or provisioning.
- SSO solutions are managed centrally by IT, while modern environments have distributed application ownership. These need to be tied together using workflow management solutions for user access reviews and provisioning activities—a key function of an IGA solution.
- SSO solutions don’t include the AI-based capabilities that a Modern IGA provides to deal with the complexity of managing the explosion of users, machine accounts, applications, and entitlements.
This topic was prominent at the recent Oktane 2024 Conference, and it’s discussed in the Zilla blog, Modern IGA at Oktane: Identity, Apps, and Access Reviews.
Other insights are available in Zilla’s whitepaper on Access Security & Compliance as well as the Zilla blog post, The problems with featherweight IGA – what Identity Provider vendors don’t tell you!
How do I choose an identity governance solution?
With the variety of options available for an identity governance solution, it may not be easy to make a choice. But here are some criteria to consider when evaluating options:
- Identity integrations with existing applications – an IGA needs to support your existing applications in order to perform its core function. Keep in mind that most organizations have a wide, ever-growing array of legacy, on-premises, and cloud applications. Expensive custom integrations for each one can be a huge roadblock.
- Identity integrations with new/custom applications – Unusual, new, and custom applications still need to be supported. Maybe they will have an API—but often they won’t. Can the solution you’re considering keep up with your changing suite of applications?
- A deployment model that works for you – Just because you have on-premises applications doesn’t mean you need an on-premises identity governance solution. If you want all the advantages of a SaaS solution, work with a SaaS vendor that can give you those advantages while supporting your applications that are both on-premises and in the cloud.
- A quick deployment with fast time-to-value – A solution that “ultimately” seems to work may not be the right fit if the deployment timeline is too long. Fast deployments mean fast time to value, and, usually, faster adjustments to your needs as they change over time.
- Efficient user access reviews – Effective, reliable user access reviews that provide strong evidence for auditors are a core IGA capability. Since users across the organization are involved, the interface should be clear and simple. A key consideration is an interface that helps avoid “rubber stamping” of reviews, which leads to orphaned and excessive permissions.
- Workflow/ITSM integration support – Considering the many potential users of an IGA solution, it’s important to leverage your existing, familiar workflow/ITSM application (such as ServiceNow or Jira Service Desk).
- Ability to create an auditor-friendly review package – Creating accurate and complete audit reports is critical, including summaries, apps in scope, app owners, filters, and timestamps.
- Efficient provisioning support – Establishing and maintaining the right entitlements quickly and reliably are important for business efficiency, employee satisfaction, and organizational security.
- Ease of use for a diverse user population – Given that application owners are present in all parts of a company, an IGA needs to be easy to use without extensive training.
- An experienced, knowledgeable solution partner – Identity governance is a specialized area of compliance and security. Working with an experienced solution partner that understands the details and nuances is invaluable.
- Low ongoing maintenance effort – If your identity solution relies too heavily on maintaining a complex identity model (e.g. a highly intricate set of roles), ongoing maintenance can be an issue. Consider instead how newer pattern-based techniques based upon AI technology can alleviate some of the effort.
Why should I choose Zilla for identity governance?
Zilla Security is the premier provider of Modern IGA, built from the ground up to meet the needs of today’s hybrid enterprise. It features:
- Deployments that are completed up to five times faster than legacy IGAs—with 1000+ built in integrations, plus robotic automation supporting even applications without an API.
- Access review capabilities that take up to 80% less effort—with fully automated campaign prep, full review management, pre-approvals that reduce 65% of the entitlements requiring review, and comprehensive evidence creation.
- Provisioning with 60% fewer tickets—with AI-generated entitlement recommendations and automated pre-approvals.
- Decades of experience solving problems in identity governance combined with the latest technical capabilities–created by Deepak Taneja, a pioneer of IGA–results in the best Modern IGA solution available.
Does identity governance cover both on-premises and cloud environments? How about SaaS applications?
If you have on-premises applications, SaaS applications, or other applications that run in a cloud environment, then naturally you’ll need to include those in your identity governance solution. Compliance reviews will have a domain including all your environments. And you’ll certainly need to provision and deprovision accounts with the right permissions wherever your applications run. Accordingly, identity governance is applicable to all your environments.
This diversity in environments, with application sprawl and distributed application ownership, is a key driver for Modern IGA. Legacy IGA tools were developed before SaaS and cloud environments were the norm, and they often struggle to keep up with a rapidly changing array of applications and cloud environments. They may not even integrate with all your applications, or if they do, they’ll require time-consuming, costly professional services on a regular basis. Modern IGA solutions were built from the ground up to run in a SaaS environment, support SaaS and cloud, and keep up with your ever-changing business.
How do I get started with identity governance and administration?
Once you’ve decided to implement an IGA solution—or maybe replace your legacy IGA with a Modern IGA solution—then the process is fairly straightforward. Steps involved vary somewhat but include the following:
- Initiate project management—success criteria, milestones, personnel, meeting cadence, etc.
- Identify applications to integrate, primary user directory, and SSO provider information.
- Integrate the IGA with your directory and SSO applications.
- Integrate applications, mapping accounts to users in the directory, and defining permissions.
- Create custom actions, access review configurations, and execute an access review.
- Continue with user provisioning setup, configuration, and verification.
Who is benefiting from modern identity governance and administration now?
Modern IGA benefits a large range of businesses, ranging from highly regulated financial institutions and healthcare organizations to fast-growing tech companies that need to satisfy SOX regulations in preparation for an IPO.
Additionally, customers with specific use cases greatly benefit from Modern IGA:
- Pre-IPO and Post-IPO companies
- Organizations that have recently undergone M&A
- Time and resource constrained security and compliance teams (because it will save them significant time). For example, one modern IGA customer recently wrote: “Zilla quickly allowed us to automate the process in a few key areas, such as data collection and automating portions of the review itself, significantly reducing the time our stakeholders require to complete reviews. The out-of-the-box integrations are simple and easy to configure, and Zilla offers excellent tools for data collection if API syncs are unavailable for a specific system.”
- Enterprises that have received material audit findings
- Organizations looking to establish a zero-trust stance and harden their identity security posture
For example success stories, check out recent case studies from customers like The Linux Foundation and Sprout Social, who implemented Zilla’s Modern IGA solution.