IAM (Identity and Access Management) and, within that domain, IGA (Identity Governance & Administration) are essential elements within IT for managing users and their access entitlements. IGA is focused on the Identity Lifecycle and Governance, i.e. creating and managing users and their accounts, and managing the access entitlements. This includes the required governance, such as regular access reviews and other activities.
On the other hand, ITSM (IT Service Management) also experienced a major uptake, driven by cloud-based solutions that simplify deployment, roll-out, and usage in contrast to the frequently rather complex and technical approaches in that segment. This segment is led by ServiceNow, which have a very significant numbers of customers on their ServiceNow platform.
There is virtually no IAM project that does not include a discussion about whether and how to integrate ITSM and IGA. While such integration is reasonable, we have seen several projects where that led to an approach of rebuilding IAM on top of the ITSM product, e.g. the ServiceNow platform. Such “build your own IGA on your ITSM tool” approaches are made to fail. There are various reasons for such failure:
- It leads to home-grown software that needs to be maintained for years. Many of such projects struggle early, during development, or latest after a few years, when the initial developers have moved to other jobs or left the organization.
- While initial steps such as creating Microsoft Active Directory (AD) accounts might be straightforward, complexity increases quickly, in various areas. Connectors to complex legacy systems such as mainframes or Lotus Notes are hard to build and maintain. Not to talk about SoD enforcement or complex models for entitlements such as multi-layer role models.
- Some of the logic within IGA (as for SoD policies or role management) is not simple. An initially small project might quickly grow to unexpected complexity and cause significant cost.
On the other hand, integration is – as mentioned – strongly recommended, if not even mandatory. This could happen by linking ITSM portals to IGA request, and by using ITSM for manual fulfillment within IGA. Manual fulfillment is the norm for many systems that are not connected to IGA for automated provisioning. In many organizations, the vast majority, frequently above 90%, of the applications are not provisioned automatically.
While some vendors provide out-of-the-box integrations to leading ITSM platforms such as ServiceNow, in many cases such integration needs to be built on a per-project basis. While this is far less effort than trying to rebuild IGA on top of ITSM, external integration still might cause significant complexity and cost.
Clear Skye, an US based vendor, takes a different approach by creating a standard IGA solution that runs on top of the ServiceNow platform. It thus comes with full and tight integration into the platform and the deployment and operations model ServiceNow provides. This provides customers with an interesting alternative to the established approaches for integrating IGA and ITSM. Relying on a COTS (commercial of the shelf) software, deployed in a SaaS model, provides significant advantage specifically when compared to project-based integration.