10 Considerations Before Starting Your IGA Project

Download the White Paper

The value of your Identity Governance and Administration (IGA) program is directly proportional to the quality and richness of the identity data available to it. Your policies, automation, and workflows are only as good as the data that feeds them. What we believe about the state of our data is often inconsistent with reality. As with any project, if the foundation and plumbing are not solid, sooner or later the house will fall.

Download the White Paper to learn more.

Download White Paper

10 Considerations Before Starting Your IGA Project

According to the recent Gartner Magic Quadrant for IGA analysis:

“Identity governance and administration (IGA) implementations that start with cleanup analytics will show twice the ROI as ones that don’t.”

“In many cases, organizations store identity data in multiple sources, some of which may not be as reliable as others. IAM technical professionals need to assess those sources and select the most accurate and reliable datasets as inputs to the IGA platform. Not doing so will impact all downstream IGA processes.”

Here are 10 key factors to consider before embarking on your IGA project and program:

1. What will drive joiners/movers/leavers?

Most IGA platforms—such as SailPoint, Saviynt, and RSA Via—assume there is a single authoritative source that drives the entire automated provisioning process. Organizations that have multiple HR systems struggle to rationalize the process. Contingent workers people need to be treated like employees from an access perspective but HR often doesn’t want to manage them in PeopleSoft or Workday.

Some organizations have tried using the IGA platform to manage contingent workers but realized very quickly that these products are meant to manage access—not the workers themselves. Many organizations already have a contingent management system such as SAP Fieldglass or a home-grown contractor management system—but connecting the IGA platform to these presents the same challenges as having multiple HR systems. Start by rationalizing your HR and contingent workforce systems and creating a single source of truth for joiners/movers/leavers that your IGA platform can rely on.

2. How do you determine whether it’s the same person—or not—across all the different applications?

Correlating (same person, different IDs) or disambiguating (same ID, different people) identities across all of these and administration (removing all access for someone that has left the organization). Before you begin your project, it’s critical that you can understand the data, identify what attributes might be good candidate keys, and correlate based on different attributes across different systems.

Ultimately, having a GUID (Global Unique Identifier) in each system to identify the same person would be ideal but going back and modifying existing systems to achieve that is not practical. Creating a Virtual GUID for each system is a good way to get around this limitation and still make it possible for the IGA system to easily identify the user in each system.

3. Knowing a person’s manager is critical to driving access reviews.

Most IGA platforms assume that there is an authoritative and accurate source for manager. But the reality in most organizations is that understanding who manages a given person can be complex. In some cases there is a hiring manager in one system and an actual manager in another. Or the project management system drives who the manager is for a particular project, even if the person’s manager is listed in HR as someone else. Identifying managers for the contingent workforce identity is even more complicated. Before you bring this data into the IGA system, it is important to know you have the correct manager. Waiting until you are ready to do attestation or drive policies and workflow is too late.

Additionally, existing user repositories may be structured by location or other identifier. In order to properly identify the management structure, a dynamic view of the restructured identities is required.

4. Data analysis, cleansing, and normalization are key to success.

As the adage says: Garbage In, Garbage Out. Most organizations will admit that one of their greatest challenges is the quality of identity data. The lack of consistency in format and values across systems, incorrect data, and just plain missing data make preparing data for your IGA system a project unto itself—one that’s often not planned for ahead of time.

Critical to your cleanup effort is being able to:

  • Find where data is missing.
  • Identify sources of truth by attribute.
  • Normalize the data format—so Calif., California, Ca, CA, and Cal all appear as CA in the final view.
  • Normalize schema—so State, St, and Province all appear as State in the final view.
  • Address multi-value fields.
  • Un-nest groups.
  • Find groups without owners or members or descriptions.

All this has to be done without changing or disrupting the data on the sources of identity, since they may have legacy applications dependent on the particular format and syntax that exists today

5. Get a handle on your groups before bringing them into your IGA environment.

Application entitlements are commonly driven by group membership. Groups can be split across data sources, nested, or even built dynamically. Without a common view of entitlements in a flattened structure consumable by IGA systems, the process of attestation becomes significantly more complex.

Groups split across multiple repositories need to be consolidated along with a correlated view of the user identities. The view can be structured with changes to the underlying identity repositories, ensuring that entitlements can be easily unified for importing into IGA systems. The associated global profile of the user also ensures that the IGA system is operating off a common set of user attributes.

Nested groups pose a complex challenge for IGA systems. A nested structure does not reflect all users associated with a specific entitlement in a single list. The nested structure may also be many levels deep, causing a high processing cost for multiple levels of recursion.

Once the groups are flattened into a unified list, IGA systems can determine entitlements based upon a single group without needing manual or complex work to identity all members in the nested structure.

In situations where groups representing unified entitlements across identity repositories do not exist, groups need to be built dynamically from the underlying sources—without requiring changes to the data or the creation of other repositories of manually synchronized data.

6. IGA Tools are not meant to drive hundreds of non-entitlement-related attributes.

User identities within and across repositories contain many attributes important to a global profile consumed by downstream services and applications, such as Phone, Mobile, Location, Division, Department, Title, or Language. However, many of these attributes are not used for attestation and should not necessarily be managed by the IGA system. Instead, there is a need for a robust attribute synchronization engine that ensures that the right attributes flow to the correct systems.

In addition, having an IGA view limited to only those attributes used during attestations limits complexity and reduces processing overhead. These limited views of profile attributes needed for attestation should be constructed dynamically to ensure that changes to the underlying repository or manual processing of the data is not required.

7. IGA tools are not designed to connect to hundreds of systems.

IGA tools expect user attributes and entitlement data to exist in relatively few systems. The reality is that most organizations have entitlement data spread across multiple systems. Many applications not only store data locally, but also in proprietary formats that make it complicated to unify. This complexity increases exponentially as more applications are included in the attestation process. Joining the profile attributes, groups, and other entitlement data into a single, scalable identity layer improves IGA performance and simplifies campaigns.

8. Looking at the data side by side will help you to understand your existing business processes—because automating poor processes just helps you do bad things faster.

Data analysis for IGA systems is complicated by multiple sources for identity and entitlement data. Many of the sources of data are due to legacy business processes. Identifying ways to improve business process and determining authoritative sources of data reduces the need to address data issues across every campaign. Being able to review a user’s identity data across systems allows you to not only determine the requirements for authoritative attributes, but also to better understand the sources of the identity data and what processes are associated with the management of that data. If two HR systems have conflicting data, maybe a better way to manage HR data is required—or perhaps with better data analysis, consolidation into a common HR system is possible.

9. Your IGA environment needs the ability to understand complex relationship models, different personas, and different views of the same data.

Identity data is stored in static structures across multiple repositories. A key requirement for IGA projects is the ability to unify this profile and entitlement information into views consumable by the IGA system. Often this requires the creation of additional static views of that information. The number of static views increases as more representations of the data are required.

The ability to take existing data and restructure it dynamically without the need for new repositories greatly simplifies the correlation and presentation of data. New views into the data can be created as different views are required. Implementing this dynamic data modeling approach breaks the dependency on data storage, allowing you to take the schema representing the identity sources and build a global model of the desired representation. Then views based on that model can be dynamically presented to the IGA systems.

10. The data in your IGA environment will be valuable to applications making real-time access decisions.

Identity profile and entitlement data are not static. Requests for access, access removal, employee role changes, and employment status all factor into determining application access. Additionally, attributes may need to be computed based on other attributes or business logic. While IGA systems may allow for views into some of this information, these entitlements and profile data elements are only as up-to-date as the last data import.

Being able to get a current view is essential to ensuring that access to application functions is properly determined.

This data must also be made available with a minimal response time since real-time decisions need to be made at access time. Data that is cached can help from a performance perspective, but you still suffer from out-of-date entitlement data. Real-time detection of changes enabling cache updates ensures that access entitlements are current and quickly retrievable

WE CAN YOU SUPPORT YOUR BRAND 24/7

We support a number of brands globally with Levels 1, 2 and 3 technical support 24/7. Not bragging rights per se, but we’re confident we can support your needs to maintain operational excellence and protect your brand with the right cost model. Identity Governance and Administration is not an insignificant investment. We have the resources you need to protect your environment and satisfy your customers.

ADVISE

  • Solution framework to assist clients across verticals for:
    • IAM Assessment & Health Check
    • Risk Based Assessment
    • IAM Strategy & Roadmap
    • IAM Workshop & Strategy Review
    • Emerging Technology Evaluation
    • Vendor selection
    • Independent verification and validation Audit
    • IAM Migration Strategy

TRANSFORM

  • Solution to manage risks across multiple platforms and applications
  • Ensures information security and regulatory compliance
  • Service offerings include:
    • User Administration & Provisioning
    • Identity & Access Governance
    • Identity & Risk Analytics
    • Privileged Account Management
    • Federation, Single Sign On & API Management
    • IAM Migration

MANAGE

  • Managed CoE Services
  • Managed Support Services
  • Service offerings include:
    • User Administration & Provisioning
    • Identity & Access Governance
    • Identity & Risk Analytics
    • Privileged Account Management
    • Federation, Single Sign On & API Management

Download White Paper

ABOUT SDG

SDG is a global cybersecurity, identity governance, risk consulting, and advisory firm that advises and partners with clients to address their complex security, compliance, and technology needs and delivers on strategy, transformation, and long-term management of their cybersecurity and IAM programs.

To learn how SDG can help you ensure the security and compliance of your technology and data infrastructure, visit SDGC.com.