SaaS Management POD
Erin Geiger
 , 
Director of Content at Lumos

Identity Governance Explained

As a company with identities (think employees, third party vendors, databases, etc), your IT team needs an identity governance and access management plan.

Table of Contents

As a company with identities (think employees, third party vendors, databases, etc), your IT team needs an identity governance and access management plan.

Here’s an example of how poor identity management could impact the productivity and data safety of a whole company:

• A new employee is hired - yay!

• That new employee needs access to a wide variety of SaaS apps and confidential data, so their manager makes a quick list and sends it in Slack to their well-loved IT team.

• The IT team sees the message, but they also have 12 other new hire requests, 29 tech support tickets, and, the cherry on top, they are in the midst of preparing for a security audit.

• After a few days, the IT team is finally able to respond to the ticket and get the employee access to the apps they need, but they weren’t sure how much privilege they need, so they decided just to give them the highest level to avoid another back-and-forth interaction.

• The employee gets to work and decides they need another app to successfully complete their job, but, instead of trying to get the IT team to approve the use of the app and get them access, they just use their work email and work credit card to make their own account.

Do you see the multiple places that the company’s security and productivity were threatened in this example?

If this sounds familiar, keep reading to learn more about identity governance, why it’s so hard to manage identities in the first place, the benefits of implementing an identity governance framework, and how to implement one in your company.

Identity governance and access management: a football analogy

Right now, if you’re on your company’s IT Team, there’s a good chance you have a ton of weight on your shoulders when it comes to managing your company's user identities and access. Like the quarterback on your favorite football team, you’re probably in charge of making sure things are done right and you have to be hands on every single “play.” This likely includes supporting and approving the access other employees have to the tools they need to do their job.

This creates bottlenecks and leaky buckets thanks to the hundreds of tickets piling up on your desk every week coming from new hires, new tools, and other internal changes. Identity governance and administration IGA lets IT team members take a break from the pressures associated with being their company’s security quarterback and, instead, work in the much more comfortable, rewarding position of general manager.

As the general manager, you make sure that your IT football field is organized, well maintained, and staffed with qualified referees (well-managed processes and identity management products). As the general manager you are able to touch the ball much less and make sure your teammates (other employees in this case) can do their jobs safely and responsibly.

IGA or (IAG identity access governance) enables security administrators to efficiently manage user identities and access throughout their companies. It improves their visibility to the various identities and access privileges that exist and helps them implement the necessary controls to prevent inappropriate or risky access. With an identity and access management governance plan in place, employees can solve access issues themselves in safe and responsible ways.

IGA enables security administrators to efficiently manage user identities. It improves their visibility to the various identities and access privileges that exist and helps them implement the necessary controls to prevent inappropriate or risky access.

Why is it so damn hard to manage identities?

There are multiple reasons why managing identities is often difficult and time consuming for IT teams. Especially as teams continue to migrate towards remote or hybrid offices and rely on more SaaS apps and cloud-based programming. Let’s dive in to a few of them:

There are SO many identities

Every time a new employee is hired, an old employee leaves the company, someone is promoted, or a new app is requested, IT team members spring into action trying to manually manage access and permissions.  But even that’s not the whole picture of identity management governance. At first thought, it might seem like 253 employees = 253 identities to govern, but that’s not the case.

Think about how many servers, databases, contractors, third party vendors, and team aliases (looking at you, marketing@saas-app dot com) your company is associated with. Each of these entities require well-managed, secure identity governance as well. With potentially thousands of identities to govern, it’s obvious how a few of them might fall through the cracks and security can be put at risk.

There are SO many SaaS apps

Now that your mind is blown thinking about how many identities your company has,  consider how many different SaaS apps each of those employees, servers, databases, contractors, third party vendors, and team aliases need access to. Our guess is that it’s likely too many to count off the top of your head. In fact, the average company is estimated to have 254 SaaS apps, and enterprise companies are estimated to come in closer to 364.

And that’s not all, it’s estimated that the average app engagement for a company is around 45%. This means that over half of all apps that employees have access to are going unused. Not only do employees not use a large portion of the apps they do have managed access to, they might also be using apps unknown to the company. Employees sometimes do this when they want to skip through the IT red tape and just get to work using a tool they know they need.

These unused apps and ungoverned apps are considered Shadow IT. Shadow IT is a major source of both wasted money and dangerous security risks. The identity-related security risks companies experience are even more threatening as companies start to use more and more cloud-based apps and databases. Cloud identity governance is a relatively new concern, but any company who uses cloud-based data or apps should have a strategy for cloud identity access governance in place. Source

Identity management requires user identity, roles, and privilege information

A matrix exists at the intersection of user identity, roles, and privilege, and IT employees are most often not in charge of making decisions around all of this information. For example, an IT employee doesn’t typically decide if a new hire has access to a specific SaaS app or what privileges they need within that specific app. This creates a not-so-fun game of telephone that involves employees, managers, and IT team members and results in tons of tickets thanks to inefficient processes and confusing requests.

A delay in the provisioning of SaaS or data access thanks to bad identity management processes could cause major productivity delays in the hiring of a new employee or promotion of an existing employee. On the other hand, delay in the deprovisioning of this access when an employee leaves a company thanks to bad identity management processes could cause major security threats.

Mid-market IT teams are also facing increased numbers of security breaches and ransomware attacks thanks to larger digital portfolios paired with insufficient identity management practices.

Current market solutions are limited

As if the three factors listed above weren’t enough to drive any IT team member crazy and cause major security and productivity issues, the lack of identity governance products for mid-market IT teams adds another layer of difficulty. In the current identity governance market, solutions are typically meant for enterprise companies.

This means that the existing identity governance and administration vendors are usually expensive, and their identity management and governance tools are often difficult to implement. Because of this, there is a growing need for identity governance companies who serve mid-market businesses. This growth in demand is due to the number of apps, identities, and compliance requirements even medium-sized companies are now facing.

Mid-market IT teams are also facing increased numbers of security breaches and ransomware attacks thanks to larger digital portfolios paired with insufficient identity management practices. Because of these challenges and security risks, mid-market IT teams are looking for safe, effective ways to automate and streamline their IT security operations. The identity governance and administration market needs to rise to the challenge and support mid-market IT teams.

Benefits of identity governance and administration

There are many benefits to implementing an identity and access management governance framework.

• Increased security: Controlling and tracking who has access to which information helps a company avoid identity theft and unregulated access to sensitive information and data.

• Compliance: Tracking and managing identities helps companies quickly meet a wide variety of compliance qualifications and prepare for security audits.

• Enhanced productivity: When an IT team no longer has to play quarterback and can, instead, manage the playing field like in the analogy at the top of this article, employees all throughout the company are more independent and can more efficiently complete their job tasks.

• More collaboration and better user experience : A safe, well-managed identity governance plan can allow customers, vendors, and other outsiders to seamlessly access relevant data without risking security or user experience.

• Cost reduction: Elimination of shadow IT, excess IT work hours, and expensive security breaches can help companies save money immediately.

How to implement identity governance in your company

Once you’ve decided you simply can’t miss out on the benefits listed above, it’s time to implement an identity governance and administration plan for your company!

Step 1: Review and assess your company’s current identity governance situation

This step will likely include:

• Making an inventory list of the current apps used by your company and which ones you might not really need

• Estimating how many non-sanctioned apps are being used by employees

• Reviewing which access levels various employees need to each app you inventoried above

• Understanding your current onboarding and offboarding processes for new identities and changes in identities

• Calculating the management and support costs for your existing identity management and IT processes

The information you gather from this step will be used to help inform your new identity governance framework.

Step 2: Consider which identity governance solutions might be best for your company

This step will likely include:

• Considering which safety, compliance, and productivity concerns your specific company has

• Researching the pros and cons of different deployment options such as out-of-box-ready vs custom built solutions and cloud-based vs on-premise options

Step 3: Create an implementation strategy and follow it

This step will likely include:

• Identifying the key stakeholders who will need to be involved

• Defining a deployment plan including details such as requirements, timelines, metrics, and other dependencies

• Implementing the chosen strategy and working to gain user buy-in

Once you have reviewed your existing identity governance situation, consider your needs going forward, and implement your new plan, it will likely take some time to receive buy-in and compliance from everyone involved. Stick to your desired identity governance and access management strategy (identity governance trends come and go, so be aware of the market) and your team will eventually hop on board, eliminating unneeded security risks, lowering costs, and ultimately helping your IT team and employees get back to what they do best.