We sat down with Tommy Almström, Product Manager at PhenixID, to hear his thoughts regarding the new criteria presented by Gartner for Identity Governance and Administration (IGA).
Tommy Almström, Product Manager, PhenixID
Tommy has broad experience in the Identity and Access Management area (20+ years), with a strong focus on authentication, federation and identity management technology.
“You can’t login if you don’t exist! Identity management is vital!”
Identity life cycle: Maintaining digital identities, their relationships with the organization and their attributes during the entire process from creation to eventual archiving, using one or more identity life cycle patterns.
TA: This has been something we have helped our customers with for the past 15 years. Utilizing our customers' existing user stores and providing visibility and control has been a cornerstone in our success as an IAM vendor. The main criterion is that you need good, accurate and qualitative data in order to automate and achieve productivity. Noteworthy long-time clients are the City of Stockholm, Stockholm County Council and the Swedish Social Insurance Agency.
Entitlement management: Maintaining the link between identities and access rights to be able to tell who has access to what and who is responsible for maintaining an account or access right. This includes maintaining and curating the entitlements catalog to describe the types of accounts, roles, group memberships and other entitlements. Application entitlement management is a set of features in the IGA system that allow you to add, edit, and delete entitlements and other information used to describe them (titles, descriptions, owners, risk level, tags, and other helpful data).
TA: An important aspect when discussing IGA is that technology is not the answer to all challenges. It is crucial that the entire organisation has adopted this modern methodology and that all application owners understand why the decision process when adding services has to be designed according to the predefined stepping stones. Only then will you operate a system that has the necessary level of detail needed for it to be dynamic and responsive.
Access requests: Enabling users, or others acting on behalf of a user, to request access rights through a business-friendly user interface.
TA: Our clients all express that ease of use is vital when personnel request access to applications or resources. With user experience as the driver for swift organisational adoption, we see designing the request process for mobile devices as the prioritised point of entry.
Workflow: Orchestrating tasks to enable functions such as access approvals, notifications, escalations, manual fulfillment requests and integration with other business processes. For example, this allows managers or resource owners to approve or deny requests.
TA: We have deployed a wide range of customized solutions over the years and we know how powerful an efficient workflow can be for an organisation. Good workflows remove friction and integrate processes and activities between people and systems. Activities can include anything from generating accounts and records to notifying owners or users of pending requests.
Policy and role management: segregation of duties, role engineering, role management. Maintaining rules that govern automatic assignment (and removal) of access rights; providing visibility of access rights for selection in access requests, approval processes, dependencies and incompatibilities between access rights; and so on. Roles are a common vehicle for policy management.
TA: If you get your customer to do the homework of defining sufficient roles within their organisation, you have come a long way. This exercise is something we recommend doing even before entering the RFI/RFP process. The separation of roles and rights is also an important aspect to get across to application owners, as it will save you a lot of time as your project proceeds.
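The two criteria above (entitlement management and policy/role management) describe roles as the vehicle that links identities to access rights, and segregation of duties as a rule that constrains which rights may be held together. The following Python example, added here by the editor and not code from PhenixID or the original interview, shows the mechanics behind that description: a constructed role catalog maps roles to entitlements, a constructed SoD policy names incompatible entitlement pairs, and an access request is evaluated against the entitlements the identity would hold after the grant. All role names, entitlement names and identities are constructed sample data.

```python
"""Role-to-entitlement resolution with a segregation-of-duties (SoD) check.

Added illustration with constructed data; not PhenixID's product code.
"""

# Entitlement catalog expressed through roles: role -> entitlements it grants.
# (constructed sample; a real catalog also carries owner, description, risk level)
ROLE_CATALOG = {
    "ap_clerk": {"erp:create_invoice", "erp:view_vendor"},
    "ap_approver": {"erp:approve_invoice", "erp:view_vendor"},
    "hr_admin": {"hr:edit_salary", "hr:view_employee"},
    "reader": {"erp:view_vendor", "hr:view_employee"},
}

# SoD policy: pairs of entitlements that one identity must never hold at once.
# (constructed: the classic "create and approve the same invoice" conflict)
SOD_RULES = [
    ("erp:create_invoice", "erp:approve_invoice"),
]

# Current role assignments: identity -> roles (constructed sample)
ASSIGNMENTS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_approver"],
    "carol": ["hr_admin"],
}


def effective_entitlements(roles):
    """Resolve a set of roles to the union of entitlements they grant."""
    entitlements = set()
    for role in roles:
        if role not in ROLE_CATALOG:
            # An unknown role is a catalog defect, not a silent no-op.
            raise KeyError(f"unknown role: {role}")
        entitlements |= ROLE_CATALOG[role]
    return entitlements


def sod_conflicts(entitlements):
    """Return the SoD rule pairs that are both present in `entitlements`."""
    return sorted(
        (a, b) for a, b in SOD_RULES if a in entitlements and b in entitlements
    )


def evaluate_request(current_roles, requested_role):
    """Decide an access request for `requested_role`.

    The check runs on the entitlements the identity WOULD hold after the grant,
    so a conflict introduced by the combination of old and new roles is caught.
    Returns ("allow"|"deny", list_of_conflicting_pairs).
    """
    proposed = effective_entitlements(set(current_roles) | {requested_role})
    conflicts = sod_conflicts(proposed)
    return ("deny" if conflicts else "allow", conflicts)


def who_has(entitlement, assignments=ASSIGNMENTS):
    """Answer the governance question 'who has access to what' for one entitlement."""
    return sorted(
        identity
        for identity, roles in assignments.items()
        if entitlement in effective_entitlements(roles)
    )


if __name__ == "__main__":
    print(evaluate_request(ASSIGNMENTS["alice"], "ap_approver"))
    print(who_has("erp:view_vendor"))
```

The deny decision carries the violated rule pairs so that an approval workflow can show the approver exactly which policy blocked the request, rather than a bare rejection.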
Access certification: Requiring people like managers and resource owners to review and certify the access rights that users have on a periodic basis to ensure access continues to comply with policies. (This is sometimes called “re-attestation.”)
TA: From a security standpoint we urge our clients to keep the intervals between re-attestations at moderate levels, as employee turnover and other fluctuating variables are a fact for all organisations. Thanks to our One Touch application we can now even accommodate push notifications to managers and resource owners for them to verify and propagate access in a convenient manner.
Fulfillment: Propagating changes initiated by the IGA tool to account repositories. Automatic fulfillment (often called “provisioning”) connects with account repositories, while manual fulfillment utilizes a workflow or external process to complete actions.
TA: We are glad to see this as a defined criterion, since we have been solving this for clients for the last 15 years, but it has not always been seen as a must-have by everyone within our clients' organisations. User provisioning is extremely powerful when you have well-defined actions and a real game changer for user data quality when you are up and running.
Auditing: Evaluating business rules and controls against the current state of identities and access rights, providing a means for alerting control owners of exceptions (such as changes made directly on target systems) and allowing for orderly remediation.
TA: This criterion has in recent times been fuelled by regulatory compliance and standards, but it is important to separate relevance from noise in reports and dashboards in order to gain more audit value than simply complying with regulation. Worth mentioning is also that there is a wide range of different needs depending on which business vertical your customer is active in, and this should be reflected in your setup.
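The auditing criterion above turns on one concrete mechanism: comparing the access the IGA tool intends against the access a target system actually holds, and surfacing exceptions such as changes made directly on the target. The Python example below, added by the editor and not PhenixID code, reconciles a constructed intended state against a constructed group-membership export from a target system and classifies every difference as an orphan account, an excess entitlement (a direct change on the target) or a missing entitlement (a fulfillment that never landed), then derives the remediation action for each. The export format, account names and group names are assumptions made for the example.

```python
"""Reconcile IGA-intended access against a target system's actual state.

Added illustration with constructed data; not PhenixID's product code.
"""

# Intended state as recorded by the IGA tool: account -> groups it should hold
# (constructed sample)
INTENDED = {
    "alice": {"Finance-Readers", "VPN-Users"},
    "bob": {"VPN-Users"},
    "carol": {"HR-Admins", "VPN-Users"},
}

# Constructed export from the target system, one "account;group" line each.
# It deliberately contains one direct change (alice in Domain-Admins), one
# missed fulfillment (carol not in HR-Admins) and one unknown account (dave).
TARGET_EXPORT = """\
# account;group
alice;Finance-Readers
alice;VPN-Users
alice;Domain-Admins
bob;VPN-Users
carol;VPN-Users
dave;VPN-Users
"""


def parse_export(text):
    """Parse the export into account -> set of groups, skipping blanks and comments."""
    actual = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        account, group = line.split(";", 1)
        actual.setdefault(account.strip(), set()).add(group.strip())
    return actual


def reconcile(intended, actual):
    """Return sorted (kind, account, group) findings describing every deviation.

    kind is one of:
      orphan_account      - present on the target, unknown to the IGA tool
      excess_entitlement  - held on the target but not intended (direct change)
      missing_entitlement - intended but absent on the target (fulfillment gap)
    """
    findings = []
    for account in sorted(set(intended) | set(actual)):
        have = actual.get(account, set())
        want = intended.get(account)
        if want is None:
            findings.append(("orphan_account", account, None))
            continue
        for group in sorted(have - want):
            findings.append(("excess_entitlement", account, group))
        for group in sorted(want - have):
            findings.append(("missing_entitlement", account, group))
    return findings


def remediation_plan(findings):
    """Map each finding to the fulfillment action that restores the intended state."""
    actions = {
        "orphan_account": lambda acct, grp: f"disable account {acct} pending owner review",
        "excess_entitlement": lambda acct, grp: f"remove {acct} from {grp}",
        "missing_entitlement": lambda acct, grp: f"add {acct} to {grp}",
    }
    return [actions[kind](acct, grp) for kind, acct, grp in findings]


def audit(intended=INTENDED, export=TARGET_EXPORT):
    """Run one audit pass and return (findings, remediation actions)."""
    findings = reconcile(intended, parse_export(export))
    return findings, remediation_plan(findings)


if __name__ == "__main__":
    for finding, action in zip(*audit()):
        print(finding, "->", action)
```

Separating the findings from the remediation plan keeps the report useful for the "relevance versus noise" point in the answer above: the kind of each finding can be weighted (an excess entitlement in an administrative group matters more than a missing read-only membership) before anything reaches a dashboard or a control owner.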
Reporting and analytics: Providing a mechanism to report on and deliver deeper insights into data available to an IGA tool. Role mining is a typical analytics scenario used to design and optimize role definitions; however, analytics can also be applied to operational data to evaluate quality of service, adhere to service-level agreements and identify anomalous usage patterns.
TA: Your data and the ability to visualize it are inherently valuable. But that value increases dramatically when you can put that data into context. This is a field that is and will be under constant improvement as AI and ML contribute over time. We feel that early adopter clients tend to have SIEM solutions in place that are the GUI of choice when it comes to their situational awareness. Our approach is therefore to always have APIs and log feeds available to accommodate clients' pursuit of proactive and reactive dashboards.