The Identity Governance and Administration (IGA) space continues to evolve and is entering mainstream market adoption, with most vendors providing mature capabilities around the core IGA functions.
With that in mind, this blog provides an insight into the key questions to ask your IGA vendor to ensure a successful deployment.
CODE FREE CONFIGURATION
Is the platform easy to deploy and without custom configuration?
Check that the platform has been built to be straightforward to configure and features off-the-shelf workflows for most of the scenarios faced by the modern enterprise. You’re looking for a platform with a flexible RBAC model baked into the product, where no custom code is required to configure the policies which will drive the identity lifecycle in most cases.
However, you also need to check that, for more advanced scenarios, workflows can be modified and a scripting engine can be used.
You are looking for a balance between the ease and lower cost of ownership of a codeless approach and just enough flexibility, without burdening the organisation with custom bespoke code to manage.
STANDARDS FIRST APPROACH TO INTEGRATION
Does the platform comply with industry standards?
Ideally your IGA platform will be built upon the industry standard for identity management, SCIM. This adherence to standards means it’s easy to integrate with other applications and identity platforms.
However, not every application supports SCIM – so check that the IGA platform provides other methods of integrating via standard methods like LDAP, JDBC, CSV or REST.
Be aware that some vendors charge additional license fees for these different integration modules, so look for a vendor with an ‘all in’ license model or factor additional costs into your considerations.
Can you securely delegate the ability to request, manage and approve access to another person, department and/or office?
One of the core benefits of an IGA platform should be efficiency, therefore avoid a platform that requires all identity administration via a central IT department. Aside from that, it makes sense to allow users across the organisation to onboard new users locally – for example if they have a contractor working in their department for a period of time.
With this in mind, check that your IGA solution provides delegated administration features that enable identity administration activities to be delegated either within or outside of the organisation. Determine whether these capabilities are out-of-the-box or require consultancy services to develop or implement. It’s also important to satisfy yourself that even in a delegated scenario you will retain sufficient control over access control and identity governance – verify that centrally defined policies will apply across your delegation framework.
Does the solution offer multiple deployment methods?
Many organisations now say they are ‘cloud first’ but the reality is that it is a hybrid world. Few organisations are 100% cloud, and few are 100% on-premise. Depending on the scenario, IGA can be best deployed on-prem, in the cloud or in a hybrid configuration, with some elements on-prem and some cloud hosted.
The right answer for you will depend on your preference and local network factors. Make sure that the IGA vendor has the flexibility to support the model that you need, and to flex in the future if your needs change.
It’s worth noting that while a 100% cloud approach may sound attractive, there are sometimes good reasons why a hybrid model may make more sense. For example, if there are no agents on-premise, then the cloud-hosted IGA platform may need to go through your firewall to integrate with on-premise applications, and your security team may not be in favour of this.
Finally, if you’re going down the 100% cloud route, double check with the vendor that it really is 100% cloud. If there are no on-premise components or agents, make sure that you understand the compromises that may be required as a result.
Is your chosen IGA platform cost efficient?
There are various elements that make up the total cost of an IGA platform. As an integration technology, it won’t do much of value until it has been integrated with your other applications – so there is likely to be a consultancy aspect, or if not then a level of effort from your in-house team. Make sure you understand the level of effort that will be required to implement, keeping an eye on how quickly you will access benefits for the organisation. Ask your vendor if they offer quick-start consulting options which can help unlock these benefits quickly.
Bear in mind that the technical choice you make will have a direct bearing on consulting or development effort. If you choose a platform which requires development of custom code you may be looking at a ‘months and years’ deployment, whereas a configuration, ‘out-of-the-box’ approach is likely to be measured in ‘days and weeks’.
Aside from consultancy effort, you also need to consider ongoing management costs. The relationship between technology approach and effort holds here too – more custom code means more that can go wrong, and more effort involved in maintaining the solution and adding new integrations.
Finally, take a good long look at the license model. Is it an ‘all-in’ model where once you buy into the platform you can use as much of it as you need, or is it more of an ‘a la carte’ model, where each element and module requires an additional license fee? If the latter, make sure you understand how much these additional elements will cost you, and give consideration to the cost of future features and modules which may not exist yet.
Our partner ideiio have published an IGA maturity model whitepaper for download. It’s an insight into where you are in your IGA journey and highlights the steps you need to take to grow, allowing you to evaluate risks and determine priorities.
Written by Tom Eggleston
With over 15 years industry experience, ProofID’s Tom Eggleston eats, drinks and sleeps identity and access management. A regular industry speaker in Europe and the US, Tom knows how to balance technical evangelism with the real world, finding practical solutions to the identity challenges faced by modern businesses. As CEO of ProofID Tom has been instrumental in growing the company into the leading provider of managed identity solutions, employing over 50 people across the UK and the US.