In recent years we have heard a lot about the decline in value of network perimeter-based security and the need to develop Zero Trust or Continuous Adaptive Risk and Trust Assessment (CARTA) security models which depend on having a very deep knowledge of your users and their entitlements. In other words, a well-developed Identity Program has become even more critical as traditional boundaries dissolve. The challenge, even for those with well-developed Identity Programs has been the technical integration and the people/process integration between their Identity Governance and Administration (IGA) platform and the tools that provide dynamic information on behavior and risk. Few organizations have attempted this integration and even less have succeeded.
When Zero Trust came to my attention a few years ago it seemed to me like a tremendous opportunity those of us in the IGA space to become more relevant to CIOs. Our team at Identropy went as far as to engage Chase Cunningham of Forrester to better understand Zero Trust. As a result, we took the leading IGA vendor, the leading UEBA vendor integrated the two and offered some really interesting use cases that called for IGA to remediate what UEBA was detecting and for IGA to contextualize the information that the UEBA system was reporting.
It seemed like a home run. The integration was simple, the use cases were powerful, and we were dealing with the leading products that were generally available. We pushed this solution for at least a year and what we came to realize is that the problem is not technical but organizational. Chase and the Forrester literature had said that the challenge was 70% people and process and 30% technology. It took me a long time to realize what they were telling me. It’s about people and it’s about process and those managing UEBA are not the same people managing IGA. They have different budgets, different priorities and to integrate the two is much harder than building a connector and developing interesting use cases.
A year and a half ago, about the same time I gave up on trying to save the world by placing IGA at the center of the security universe, I bumped into the Clear Skye founders, TJ and Vahan, and learned they had developed a full featured IGA tool on the ServiceNow platform. I now had a new mission, but this time one that was within reach because IGA integration with ServiceNow was not something people dreamed of and moved on. Thousands of companies were already doing the hard work of integrating their ITSM systems into their IGA platforms and in Clear Skye I had found a better way to do that.
As I explored the opportunity with Clear Skye it was evident to me that the Now Platform was clearly a better way to IGA for companies that owned ServiceNow. They could leverage their Service Portal and their Now IT workflow capabilities to manage IGA like they would any other process. They would eliminate the need for companies to deploy another costly platform requiring specialized resources to manage.
That idea and value proposition proved to be so solid that we ended up replacing the leading IGA solution at one of our customers, and I was lucky enough to join Clear Skye full time in order to help them go to market.
What’s amazing though is not that dreams are coming true but that during this journey I came to realize that once again, I was wrong. Clear Skye isn’t going to be about simplifying and enhancing IGA it’s going to be about helping companies establish, as one of our partners called it, an “Enterprise Governance Risk and Compliance Ecosystem”. When interviewing customers and partners about the value they saw in the Clear Skye solution it was clear that the real value was not in regards to what Clear Skye is doing for IGA but what Clear Skye is doing for the other solutions in the Now Platform and what together those solutions were delivering in regards to security, compliance and automation.
All of the time we had been spending integrating solutions into the leading IGA platform was a waste of time when you consider that by placing IGA on the Now Platform there is no need to integrate with ITSM, GRC, SecOps and CMDB. They’re inside the same platform. It’s as if they were one product. One big product with an amazing workflow capability that is used to eliminate friction from business and to significantly improve worker experience (productivity). What this translates to is “value”. The individual products become one big product on the platform and the whole is much greater than the sum of their parts.
The result is that savvy customers are actually executing on placing IGA at the center of the world, but it’s not just IGA they’re placing there. It’s the Now Platform and all of its value that sits at the center. No longer is IGA relegated to connecting up or down or sideways to other systems but other systems that are connecting into the Now Platform. So much of the challenges we faced around integration are eliminated. Where IGA used to be “outward facing” in other words striving to connect, reaching and grasping for the next system, it is now truly at the core of IT and the value is within that core or that platform. Do we still need to connect to provision, sure and that connectivity is made easier by the platforms flexibility in automating tasks but the real value lies in the information we are making available to our sister solutions residing on the Now Platform.
This is happening today. We have customers doing it and partners super excited about the prospects of this game changing reality. If you would like to speak to them, let me know. They’re not shy about telling anyone about this promise. In fact, you don’t have to ask me. Join us for our upcoming webinar and hear what they have to say. The future is Now and it’s not complicated.