The identity management value proposition has changed significantly over the past two decades. The biggest change happened more than a decade ago when new entrants into the market realized that knowing who has access to what and governing that access was more important than automating account provisioning and deprovisioning. The success of those new entrants created two separate product categories in our space.
What those new vendors realized is that, while automation is a critical benefit of an identity governance and administration (IGA) program, everything in our world needs to be evaluated from a cost-benefit perspective. Sure, everyone wants to provision user entitlements across all their applications, but that is very expensive compared with the value of knowing who has access to what and of running user-friendly certification campaigns that periodically review and clean up that access.
Governance doesn’t require the level of integration that provisioning and deprovisioning require
User access information can be aggregated through files, and that information can be correlated, reported on, and used to enable user access requests. Provisioning and deprovisioning can then be done indirectly through integration with IT Service Management (ITSM) systems. Account creation happens manually, but the whole business process benefits from workflow, is logged, and can be made available to auditors. This approach is so powerful from a cost-benefit perspective that Gartner recommended in their 2019 IGA Magic Quadrant that indirect provisioning should be the “default stance for all applications,” with connector-based automation added over time where feasible. This is not because automation is not something to strive for, but because it is expensive and limits an organization’s ability to focus on governing access.
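As an added example (not code from this post or from any vendor's product), here is the file-based pattern described above in Python: two constructed application entitlement exports and an HR feed are correlated on email into a "who has access to what" inventory, and the resulting cleanup actions become ITSM-style ticket records rather than connector calls. The file layouts, the ticket fields and the sample identities are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: an HR identity feed plus two application entitlement
# exports, each delivered as a flat file rather than through a connector.
HR_FEED = """employee_id,email,status
1001,alice@example.com,active
1002,bob@example.com,terminated
"""
APP_EXPORTS = {
    "payroll": """account,entitlement,email
alice.p,PAY_VIEW,alice@example.com
bob.p,PAY_ADMIN,bob@example.com
svc_payroll,PAY_ADMIN,
""",
    "crm": """account,entitlement,email
alice,CRM_USER,alice@example.com
""",
}

def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def correlate(hr_feed, app_exports):
    """Join every application account to an HR identity on email, giving the
    'who has access to what' inventory; unmatched accounts are kept as orphans."""
    identities = {r["email"].lower(): r for r in load_csv(hr_feed)}
    inventory = defaultdict(list)  # email -> [(app, account, entitlement)]
    orphans = []                   # accounts with no matching identity
    for app, text in app_exports.items():
        for row in load_csv(text):
            item = (app, row["account"], row["entitlement"])
            key = row["email"].strip().lower()
            (inventory[key] if key in identities else orphans).append(item)
    return identities, dict(inventory), orphans

def revocation_tickets(hr_feed, app_exports):
    """Indirect deprovisioning: one ITSM ticket per access item held by a terminated
    identity or an orphan account. Field names are assumed, not a vendor schema."""
    identities, inventory, orphans = correlate(hr_feed, app_exports)
    tickets = []
    for email, items in inventory.items():
        status = identities[email]["status"]
        if status != "active":
            tickets += [dict(app=a, account=c, entitlement=e, reason=f"{email} is {status}")
                        for a, c, e in items]
    tickets += [dict(app=a, account=c, entitlement=e, reason="orphan account, no HR identity")
                for a, c, e in orphans]
    return tickets
```

Each ticket is the auditable record an ITSM operator works from; the account is never touched directly by this code.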
This reality is well known in the large enterprise space, where identity professionals are managing thousands of applications. They understand that it is impossible for them to automate account provisioning with entitlements and permissions across thousands of applications. For the enterprise, governance and indirect provisioning are worthy goals. It is frequently those embarking on an IGA journey for the first or second time who insist on automation across dozens of applications in a first phase.
Ways to focus on governance and indirect provisioning
Once we come to the difficult conclusion that automation is expensive to deploy and maintain, and begin to focus on governance and indirect provisioning, our project success rates will go through the roof. One challenge of this approach is that integration with ITSM is not easy. Indirect provisioning requires the opening and closing of tickets for audit and operational purposes. These integrations can be limited in their ability to give help desk operators and system administrators the visibility necessary to take the actions required of them. If you don’t have a good ITSM integration, the process breaks down and good people will find ways to work around it.
Another aspect of the ITSM integration challenge is the user experience. Does your ITSM integration deliver the user experience necessary for business users to adopt their new access request and review system? Business user enablement and adoption are frequently among the most overlooked challenges of an identity program. A solid ITSM integration improves the chances that the IGA system will be adopted by the end user community.
As you know, I work for a company that has solved this integration problem by building an IGA solution natively inside ServiceNow and adjacent to ITSM. Our access requests are ITSM tickets. ITSM operators can investigate our IGA system to review the requests and gain important information before acting. What’s even more important is that there are other products running on that platform that also benefit from being next to an IGA solution. IT risk management is at the top of my list, but there are other solutions on the platform that deliver greater value to the organization because they can communicate directly with IGA.
Connections and automation do matter, but they should be pursued once we can see who has access to what, we have cleaned up user access, and all provisioning actions are auditable. Once that is in place, automation can be pursued with the confidence that our house is in order and that we have already delivered real value to our organization.