One of our core areas of expertise is this mystical unicorn called identity and access governance (IAG). We've been working on projects involving it since the dawn of our company. A dedicated team now works on it, and we've delivered tons of projects from which you could learn. And yet, for some reason, we haven't covered it here. Time to remedy that!
What is identity and access governance?
In our work with customers around the world, when we ask them what is currently on their minds, identity and access management (IAM) is very often at the top of the list. However, when asked what they mean by it, we rarely get the same answer twice. Let's give some things a name and make some sense of them. It will help in understanding the subject further. First of all, identity and access governance is a process. It is not about a single technical solution.
What does it mean?
We would not say it is a tool (although a tool might support it) that will solve all of your IAM problems for you. What is key is that this process is supported by various services. Its goal is to manage the lifecycle of your people's access to the applications, data, and other resources your organisation uses to deliver value to users.
This single term covers multiple areas, and this is where most of the confusion comes from. The simple acronym IAG might cover many different things.
Typically, they are combined into a single request to providers for a single solution. This then leads to gargantuan proposals and budgets, but not always to a gargantuan project outcome.
What does this area cover?
Here is a short list of the aspects that IAG covers, which you may want to address when thinking about it. We kept it short and focused only on the crucial aspects, so as not to start a discussion about what is and what is not part of it.
This is the aspect most obvious to most people. It covers all the processes like onboarding, changes, and off-boarding of people and other entities (think service accounts or assets) within your organisation. How do you onboard or register an employee? Following this, how do you push their information to critical systems to enable a work environment? Then, how do you make sure that the status of this person gets reflected in IT systems when it changes in HR? And finally, how do you close an account on time when needed? This is where identity lifecycle management kicks in and delivers order and automation.
If we have an account created, what does it have access to? This is a question whose answer is delivered by access management. The process here might be simple (many companies stick to the old concept of groups, and it is perfect for them) or difficult (think complex role and entitlement hierarchies). The goal is to answer one question: what can this identity access? When that is resolved, the process might also be automated to provide efficiency, but not necessarily.
If access is granted, can you get reports on it? Is it compliant with your policies? This is where the governance part kicks in. Managing access is one area. However, getting access rights into a compliant state, where we know that what was granted to users is (a) right for their job, (b) compliant with our policies, and (c) provably granted within a process, and where we can audit it, is another thing. Companies might do access management but not governance. It depends on their maturity level. These are the three pillars of this process. There are many other aspects of IAM like single sign-on, authentication and authorisation policies, as well as risk assessment and management. But these three items are what we want to base this article around.
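As an added illustration of the three pillars above (not code from the original article or from any product it names), the following Python sketch models an HR-driven lifecycle sync, grants that record the process behind them, and a governance review that flags access outside a role and a segregation-of-duties conflict. The HR feed, role policy and SoD rule are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed HR feed: the authoritative source for joiner/mover/leaver events.
HR_FEED = [
    {"id": "e001", "dept": "finance", "status": "active"},
    {"id": "e003", "dept": "finance", "status": "terminated"},
]
# Constructed policy: entitlements that each department role justifies.
ROLE_ENTITLEMENTS = {
    "finance": {"erp:read", "erp:post-journal"},
    "it": {"ad:helpdesk", "vpn"},
}
# Constructed segregation-of-duties rule: never both on one identity.
SOD_CONFLICTS = [{"erp:post-journal", "erp:approve-payment"}]

@dataclass
class Identity:
    id: str
    dept: str
    enabled: bool = True
    entitlements: set = field(default_factory=set)
    grants: list = field(default_factory=list)  # (entitlement, source) audit trail

def sync_lifecycle(store, hr_feed):
    """Identity lifecycle: mirror HR records into the identity store."""
    for rec in hr_feed:
        ident = store.setdefault(rec["id"], Identity(rec["id"], rec["dept"]))
        ident.dept = rec["dept"]                   # mover: department changed
        ident.enabled = rec["status"] == "active"  # leaver: disable on exit
        if not ident.enabled:
            ident.entitlements.clear()             # revoke access, keep the trail
    return store

def grant(ident, entitlement, source):
    """Access management: every grant records the process that made it."""
    ident.entitlements.add(entitlement)
    ident.grants.append((entitlement, source))

def review(store):
    """Governance: findings an access review would raise, as (id, kind, detail)."""
    findings = []
    for ident in store.values():
        allowed = ROLE_ENTITLEMENTS.get(ident.dept, set())
        for ent in sorted(ident.entitlements - allowed):
            findings.append((ident.id, "outside-role", ent))
        for conflict in SOD_CONFLICTS:
            if conflict <= ident.entitlements:
                findings.append((ident.id, "sod-conflict", "+".join(sorted(conflict))))
    return findings
```

Running a second sync with a changed department shows the mover case: the lifecycle keeps the identity current, and the review then reports the finance entitlements that the new role no longer justifies.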
Focus is key!
We've been working in this field for many years, and we have seen this part of IT change and evolve, from simple lifecycle projects to complex, compliance-driven implementations which span dozens of applications and handle hundreds of thousands of entitlements (rights granted to people, to keep it simple). What separates successful deployments from the failed ones? There is one word to describe the difference: focus! The easiest way not to succeed on a project in this area is to try and tackle everything at once. Defining everything in a single project, with all possible features, target systems, and apps included, won't have a great chance of doing well.
So, how to do it right?
If you want to succeed, the first rule is to focus. What you need to do is:
- Define clear goals for your identity and access management program.
- Assign priority to the issues at hand, as many different parts of your company will be trying to address different things.
- Categorise everything into iterations. A single iteration should last no longer than 3-4 months to deliver functionality to the end-user (in the best case, some low-hanging fruit should be delivered sooner).
- Understand that this is an iterative process, which requires getting back to the drawing board every cycle.
You will change your priorities and ideas on what to do next with every iteration. This is what business looks like right now. It is also why projects planned for 12-24 months are most likely to fail. In 12-24 months after you've started, there might be no one left who remembers why you are doing it in the first place!
What drives this process?
Typically, there are two drivers for projects in this area.
Projects driven by IT
The IT department focuses mostly on operational efficiency and automation. Some aspects of compliance and security impact are also present, but the goal is mostly to automate the processes that currently have to be executed manually.
Compliance and security
Typically started in audit or security departments, with a greater focus on providing compliance processes around access. This includes management and governance workflows, reporting, and similar aspects. The identity lifecycle is there, but somewhere in the background: we still have to execute it, but it is not the main focus. IAG brings the business ownership of systems and of the permissions assigned to users, context-based authorisation, and other similar aspects. It is not just a tool for the IT department, but a great enforcement and control method for the audit-, security- and compliance-focused parts of the company.
What about solutions? Let's get some answers!
Are there any solutions out there? How do you choose the best one? Sure, there is an entire industry at your disposal, which also shows that there is a problem to tackle. Here are not one, but two Gartner reports for you to consider. We've been working in this area for many years, with dozens of projects delivered for customers ranging from a few hundred to well over 100,000 identities. Simple cases, non-standard cases, complex cases: we've had it all! Our background is in Microsoft technologies such as Azure AD (Microsoft Entra) and MIM, but in this area we have also adopted a tool from another vendor, by partnering with Omada.
How do we choose what to apply in each case?
Knowing what drives your project and what your priorities are, it is simple to evaluate each tool and choose one. Both deliver, and both have a similar set of features in some areas.
NOTE: The information below is still correct; however, MIM is now approaching its end of life, with extended support ending in January 2029.
Where we focus mostly on identity lifecycle, we go primarily with Microsoft Identity Manager, and customers are happy with it. It delivers and doesn't require extensive resources. MIM also covers common end-user scenarios, such as password reset, the lack of which is often still a pain. What is important for many companies is that it is also a cost-effective option, since Microsoft made the server license free and the CAL is included in the Azure AD license. In simple cases of access management, MIM will also deliver with our extensions for it. You have a choice of using one of those solutions (or others in a similar class).
The difference starts when your process is driven by the need to provide rich, compliance-based processes concerning access management, auditing, reporting and other related functions in a regulation-driven environment. Here, Omada Identity Suite has a clear advantage and is the way to go, even if it comes with a price tag. With clarity about goals, drivers and the desired outcome, choosing a solution is much, much easier and often does not require an extensive process.
But what about the cloud? You haven't mentioned the cloud yet!
Indeed, we haven't! So, what about the cloud? The truth is that the cloud does not affect this picture much. It is just another part of your environment you need to manage. You have to provide the same processes for it as for on-premises resources, and the solution of your choice will have to address it. This is why Omada, among a few other solutions, is tightly integrated with Azure AD for access management and the compliance process. Additionally, a recent addition to MIM is the Azure AD Graph connector, which supports the process of managing guest users for on-premises application access. And there we have it: the basics of identity and access governance. It poses some questions which auditors might also raise. If you want to know how to answer them, please get in touch with us to discuss your requirements!