Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

As an identity and access management (IAM) professional specializing in identity governance and administration (IGA), Abhishek Chowdhury, CISSP, CCSP, has faced the persistent challenge of implementing and maintaining comprehensive IGA solutions. The complexity of integrating with a myriad of systems and applications (legacy, on-premises, SaaS, etc.) can be overwhelming. Here he shares his experiences and how he has learned that sometimes the key to success lies in starting small and gradually improving.

Identity governance and administration (IGA) involves the policies, processes, and technologies used to manage and protect user identities and control access to systems and data. It encompasses monitoring and regulating who can access specific information, when they can access it, and under what circumstances. It also oversees the entire lifecycle of identities, from creation to modification, then ultimately deactivation or deletion.

At its core, identity governance ensures that the right individuals (or entities) are granted the appropriate level of access to resources at the right time and for the right reasons. This is not only critical for protecting sensitive data but also for ensuring compliance with regulations such as GDPR, HIPAA, and SOX.

My Journey in Simplifying IGA Implementation

A couple of years ago, I worked on a big project to create an IGA system for a medium-sized retail chain. We had to connect lots of different systems: directories, ERP, HR, SaaS, home-grown apps and legacy apps. It was tough because each system worked differently and needed special rules to work together, which was very draining. The project was hard and we were running out of time as well as resources. So I changed how we did things by pivoting to a phased approach: we shifted our strategy to prioritize critical systems, simplify day-one onboarding, and make the company secure by implementing a "leaver" process.

Initial Setup: Onboarding the “Crown Jewels”

Our first step in the phased approach was to onboard what we called the "Crown Jewels" of our systems. This meant integrating the most critical applications first, such as HR, directory services, financial systems and customer data systems. As these are the backbone of the organization's operations, ensuring their smooth integration into the IGA framework was paramount. By focusing on these high-priority applications, we established a robust foundation for our identity governance, ensuring that the systems most vital to business continuity were secure and well-managed from the start.

User Experience Enhancement: Simplified Onboarding

We aimed to make the first day at work for new hires as seamless as possible by ensuring rapid access to the necessary resources. This involved setting up automated provisioning to grant appropriate permissions without unnecessary delays, thus reducing the administrative burden on IT staff and enhancing new employee productivity. This phase was crucial for fostering a positive initial impression of our IGA system, promoting user satisfaction and reducing support tickets related to access issues.

Access Control

With a foundation laid and user onboarding streamlined, we moved to fortify access control through certification setup. We established processes where access to critical applications was regularly reviewed and recertified, ensuring that only authorized individuals had permission to access sensitive data and systems. This phase was about maintaining compliance and reducing risk by confirming that access rights were correctly aligned with current job roles and responsibilities. This part of the approach enhanced our security posture and regulatory adherence.

Security Management: Implement a Leaver Process

Finally, we implemented a comprehensive leaver process to manage security when employees left the organization. This involved setting up a workflow where access to all critical applications was immediately revoked upon an employee's departure. This step was essential for preventing unauthorized access post-employment, reducing the window for potential data breaches and maintaining the integrity of our data protection strategy. By automating this process, we ensured that security was not compromised due to human oversight, marking the completion of our phased approach to IGA with a strong emphasis on security maintenance.
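The four phases above (onboarding critical applications, role-based day-one provisioning, access certification and a leaver process) can be sketched as one small identity lifecycle engine. The following is an added illustration written for this article, not code from the author's project or from any IGA product; the role model, application names and user records are constructed sample data, and a real deployment would drive the same steps through connectors to the directory, HR system and applications.

```python
"""Toy identity lifecycle engine covering joiner provisioning, access
certification and leaver revocation. All roles, applications and people
below are constructed sample data for illustration."""
from dataclasses import dataclass, field

# Constructed role model: each role's "birthright" entitlements as
# (application, entitlement) pairs. Only the critical "crown jewel"
# applications are modelled, matching the phase-one scope.
ROLE_BASELINE = {
    "store_associate": {
        ("directory", "user"), ("hr", "self_service"), ("pos", "cashier"),
    },
    "store_manager": {
        ("directory", "user"), ("hr", "self_service"), ("hr", "team_view"),
        ("pos", "cashier"), ("pos", "refund_approve"),
        ("finance", "store_ledger_read"),
    },
}

# Constructed revocation order: identity-bearing and financial systems are
# revoked before everything else when someone leaves.
CRITICAL_APPS = ("directory", "hr", "finance")


def _revocation_priority(entitlement):
    app, ent = entitlement
    rank = CRITICAL_APPS.index(app) if app in CRITICAL_APPS else len(CRITICAL_APPS)
    return (rank, app, ent)


@dataclass
class Identity:
    user_id: str
    role: str
    status: str = "active"
    entitlements: set = field(default_factory=set)


@dataclass
class LifecycleEngine:
    identities: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # every grant/revoke, with reason

    def _log(self, action, user_id, app, ent, reason):
        self.audit.append({"action": action, "user": user_id,
                           "app": app, "entitlement": ent, "reason": reason})

    def joiner(self, user_id, role):
        """Day-one onboarding: grant exactly the role baseline, nothing more."""
        if role not in ROLE_BASELINE:
            raise ValueError(f"unknown role {role!r}")
        ident = Identity(user_id, role)
        for app, ent in sorted(ROLE_BASELINE[role]):
            ident.entitlements.add((app, ent))
            self._log("grant", user_id, app, ent, f"birthright:{role}")
        self.identities[user_id] = ident
        return sorted(ident.entitlements)

    def grant_exception(self, user_id, app, ent, approver):
        """Out-of-role access, recorded with its approver so certification can find it."""
        ident = self.identities[user_id]
        if ident.status != "active":
            raise PermissionError("cannot grant access to a terminated identity")
        ident.entitlements.add((app, ent))
        self._log("grant", user_id, app, ent, f"exception approved_by:{approver}")

    def certify(self, user_id):
        """Certification worklist: entitlements outside the current role baseline.
        These are the items a reviewer must explicitly attest to or remove."""
        ident = self.identities[user_id]
        return sorted(ident.entitlements - ROLE_BASELINE[ident.role])

    def leaver(self, user_id):
        """Revoke all access on departure, critical applications first.
        Idempotent: a second run for the same user revokes nothing."""
        ident = self.identities[user_id]
        if ident.status == "terminated":
            return []
        revoked = sorted(ident.entitlements, key=_revocation_priority)
        for app, ent in revoked:
            ident.entitlements.discard((app, ent))
            self._log("revoke", user_id, app, ent, "leaver")
        ident.status = "terminated"
        return revoked

    def has_access(self, user_id, app, ent):
        ident = self.identities.get(user_id)
        return bool(ident) and ident.status == "active" and (app, ent) in ident.entitlements


if __name__ == "__main__":
    engine = LifecycleEngine()
    engine.joiner("u1", "store_manager")
    engine.grant_exception("u1", "finance", "payroll_export", approver="cfo")
    print("certification items:", engine.certify("u1"))
    print("revoked on leaving:", engine.leaver("u1"))
    print("still has directory access:", engine.has_access("u1", "directory", "user"))
```

The point of the certification step is that reviewers only see what diverges from the role model rather than every entitlement, which keeps recertification campaigns short; the leaver step is deliberately idempotent and ordered so that a repeated HR termination event or a partial failure does not leave directory or finance access in place.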

This new approach helped a lot. We built a basic system that worked for what was needed at that moment. Then we could add more elements little by little. The result was much easier to handle and grow. By keeping things simple at first, we could add new things without having to change everything. This also meant the system could grow as the business grew, rather than saddling the organization with a large and potentially cumbersome system in the hope it would eventually grow into it, complete with the associated IT growing pains.

Looking back, I learned it's better to start with what you need now and expand slowly. This project showed me how to make technology projects work better by going step by step.

Reflecting on the Outcomes

That said, this strategy was not without its challenges. For example, ensuring that each new module seamlessly integrated with the existing system required careful planning and execution. However, the benefits still far outweighed the hurdles:

  • Improved Security: By implementing the leaver process, we significantly reduced the risk of unauthorized access to sensitive data, enhancing the overall security posture of the organization. This proactive approach to access management meant that the moment an employee left, their access to critical systems was revoked, minimizing potential security breaches.
  • Enhanced User Experience: The simplified onboarding not only helped new employees start working efficiently but also reduced IT support tickets related to user access issues. This led to higher satisfaction among new hires and less strain on IT resources.
  • Increased Cost Efficiency: The phased approach was not only less resource-intensive but also more cost-effective. By focusing on what was immediately necessary, we could allocate our budget more strategically, investing in areas that would yield the most immediate benefits.
  • More Effective Risk Management: By addressing critical systems first, we could manage risk more effectively, ensuring that the most vital parts of the business were protected from the outset. This was particularly important in managing compliance and data protection requirements.

The Role of AI in Enhancing IAM

In recent years, I've explored the potential of AI to further streamline IAM/IGA processes. AI has shown promise in automating identity analytics, identifying risks and enhancing security measures. For example, AI-driven access management can dynamically adjust permissions based on user behavior and location, improving both security and user experience.

Although some AI capabilities are still in development or early adoption phases, the potential is immense. I envision AI playing a critical role in identity governance, providing deeper insights into identity data and helping organizations make informed, compliant decisions.

For IAM/IGA professionals and organizations alike, I encourage embracing a simplified, modular approach. Start small, focus on your immediate needs, then be ready to scale as you grow. By sharing these experiences and insights, I hope to inspire others to rethink their IGA project implementation strategies for more sustainable and effective outcomes.

Abhishek Chowdhury, CISSP, CCSP, has 18 years of experience in financial services, manufacturing, retail and healthcare. He has held solution architect and technical leadership roles, focusing on building secure IAM solutions and driving innovation in identity. His cybersecurity work spans IAM roadmap development, architecture design, risk management and advanced identity strategies.
