Identity and Access Management Blog

Explore the latest trends and technologies in Identity and Access Management, and learn how to put new, innovative solutions to work for your organization.

How do you FEEL about Identity Access Management?

Seems like a strange question for a hardened and pragmatic cybersecurity practice, right? But it’s actually quite necessary to the ongoing and rapid evolution of Identity Access Management (IAM). We are at the forefront of an IAM revolution. IAM has always striven for better automation and the possibility of how machines could make more informed decisions due to the necessity, ubiquity, and potentially overwhelming nature of the IAM presence in an organization. This can quickly become a “whack-a-mole” exercise as humans manually review and make decisions that can have rippling effects within their infrastructure. Artificial Intelligence (AI), previously the stuff of science fiction, with a rote implementation that has yet to fulfill the prophecy of Isaac Asimov is now seeing arguably great strides with the fervor over facets like ChatGPT and its growing list of possibilities. But still, automation, machine learning, and even AI must be curated. Nowhere is this more true and intense than in cybersecurity. At some point and typically many points, a human must review, ensure, check, double check, talk to another human(s) to validate, and then perform the whole process over again at various points in the life cycle. We always try to lessen this need, but it never fully goes away. The real challenge though, is perception; the blurry ideals and expectations that inherently exist in human nature and understanding. And it’s not human fault, much like the shortcomings of AI are not its fault. Information output is only as good as information input. You don’t know what you don’t know. For humans, erroneous and/or incomplete information creates extraneous cognitive load, doubt, and ultimately anxiety. That’s a recipe for disaster in an IAM environment. So how do we solve it in the now and not wait upon the robot dreams of some future state?

3 Ways Traditional IGA Falls Short

The complexities of Identity Governance Administration (IGA) and the high cost of failure can lead to neglect of a key requirement: IGA must balance security and risk management against enabling employees to do their jobs.

We highlight three ways that organizations can lose sight of the big picture and, ironically, end up with an IGA that subverts the business operations it was intended to protect.

#1 - Managing exponential growth of access inputs overwhelms IT.

Workforce changes, new threats, and new IT systems drive an increasingly complex IGA environment. Without visibility into how the many pieces fit together, it’s much harder to translate a platform workflow into reasonably straight-forward business processes. IGA leaders need to continually increase coverage as new systems and new people come online. As the enterprise grows organically or through acquisitions, every new asset and application must be incorporated into policies, programs, and technologies.

The dramatic increase in employees needing remote access during the COVID-19 pandemic exacerbated an existing IT coverage gap. The hybrid workforce needs to access systems at any time, from anywhere, and from any device. Offsite employees naturally become attractive targets, leaving organizations with older protections exposed.

Continual growth of application inputs and outputs leaves organizations with no opportunity to strategically arrange them into workflows that are effective for the business. IT departments have difficulty prioritizing and sorting input traffic jams. Customizations increase complexity and make it harder to capture and implement best practices. All this added workload can crush IT administrators. Administrative and procedural friction leads to an inordinate number of requests and approvals for users to get the access they need.

Are you forcing your users to engage with entitlements that are far too granular? Are you stacking too many levels into your approval workflows?

#2 - Focusing solely on audit defenses stifles productivity.

Audits and regulatory compliance requirements lead many organizations to run audit driven IAM programs without consideration of the business context. Fear of audit failures is a common distraction for IGA leaders. Audit and regulatory risks seem to scare some organizations even more than access risks and data breaches. IAM processes should not merely to appease the auditor, but instead balance access risk with business risk.

The stakes of restrictive access management are even higher when personal data is involved. That is why stringent regulations such as in the healthcare and financial services sectors often command the direction of IGA. This focus on security and audits can lead teams to a point where risk is indeed minimized, but at what cost? Achieving compliance is of little value if it stifles productivity and blocks business objectives.

How many of your departments are involved in access certification? It's a valid fear when your deprovisioning process lags after offboarding should be complete, but does your provisioning process delay onboarding or prevent access for employees who need it?

#3 - Forcing an IT-centric user experience creates opaque and onerous workflows.

While IT leaders consider IAM tools as a series of inputs and outputs, that approach can miss the context and connectivity between disparate systems. Transparency and smooth business operations are often casualties of IT-centric process flows.

The bulk of modern IAM process models was built for IT by IT. Onerous reporting, dashboards that are not actionable, and metrics that obscure proper context end up hindering rather than improving business processes. Recent IAM user interfaces are more attractively designed, but that does not counteract the non-intuitive IT-centric user experience. A more holistic view of IAM as a component of the greater business operations is needed to achieve lower IT helpdesk costs, higher productivity, and better business outcomes.

Are you using form-driven access requests? How much of your IT environment do you expect your business users to understand? Is your access environment sufficiently commoditized, offering business-friendly abstractions that map into the IT structures that control user access?

A new approach: Post-modern IGA

Meeting IGA requirements seems like a complex and costly endeavor with a never-ending chase to expand coverage as people and IT systems come and go. It’s not surprising that supporting business goals falls down the list of high priorities.

An innovative post-modern IGA approach to this struggle charts a path to immediate and continuous progress. Finding solutions that add to current strategies and solutions allows you to ratchet up coverage where it counts most without losing ground where you’ve already had success.

A post-modern IGA approach bypasses many of the challenges of legacy systems and of high-cost, high-risk replacements and is architected to grow and flex in today’s dynamic marketplace. This new approach yields the immediate benefits of adding coverage and reducing overhead in as few as five weeks. To learn more, read our whitepaper: How Post-Modern IGA Transforms Problematic Deployments into Breakthrough Outcomes.

• Ask These Questions Before Deploying Remote Access Technology (April 2020): 

Hi, I'm Brian Iverson, Tuebora's new Chief Product Officer. I'm excited to be working with Tuebora and our customers to advance the practice of identity governance and administration (IGA) in the marketplace. This is a passion project for me and there isn't anything I would rather be doing right now.

Although I have evaluated Tuebora's products over the years, first as a Gartner analyst and then as a potential customer, there is so much more for me to learn about Tuebora. Before I can be confident enough to jump in and add or change items on our products' roadmaps, I will be working with my colleagues and talking with customers to gain a deeper understanding of Tuebora's products. I can't wait to meet everyone in and around the world of Tuebora. I'm confident that we will do great things together.

I'm excited about the opportunity to use Tuebora's blog to communicate with the community not only about Tuebora's products, but also to talk about general IAM topics. Over the years I have accumulated a wide-ranging philosophy around IAM, only a small part of which was revealed in my published research and conference presentations while I was at Gartner. Having this blog as an outlet will give me an opportunity to "stretch my legs" and explore a variety of IAM-related topics.

(Register for my first Tuebora Webinar on the topic of Building Intuitive Identity Governance which will occur on September 14th at 11 am CT)

Readers should expect to see me pop up here on the blog at least once a week. Although some of my posts will be overtly marketing-oriented (I am responsible for product management after all), you can expect the majority of my content to be focused on IAM technology and practices that should be applicable to most IAM practitioners, customers and non-customers alike. I’ll also be doing a few webinars about what I’ve seen and experienced during my five years as a Gartner analyst specializing in identity and access management and as former VP of IAM Strategy for Bank of America. The first webinar will be Building Intuitive Identity Governance. Just click the link if you’d like to get more information and register.

Feel free to reach out to me (e-mail link is above) if you would like me to consider a specific topic or question in a future blog post.