Event Recording

Richard Hill: Identity Governance and Administration - Where Does IGA Fit In


Hello, I'm Richard Hill, a senior Analyst at Cooper, Nicole, and I'll begin an overview of identity governance and administration, as well as the results of the 20, 20 IGA leadership compass. Looking at the agenda, there are three key areas that we'll be covering first. Why is there a focus on IGA platforms today, or basically, why should you care? Second, I'll go over the IGA solutions that were covered in the 20, 20 IGA leadership compass. And finally, I'll go over some aspects of IGA that you may need to be aware of. So where does IGA fit into the overall scheme of I am. And why is it needed?
I think it's important to understand some of the increasing pressures on organizations today compliance means conforming to the different rules, such as adhering to an organization's internal policies or external laws and regulations. This could be HIPAA healthcare socks, or this Sarbane Oxley act to guard against fraudulent practices in the enterprise user data protection like CPA or GDPR or other internal organization's use of information security standards, like the ISO 27 1 or any of the other ISO series as best practices. So how do you show that you're in compliance? You can show that you're in compliance through an audit, which is an inspection or an examination of what you're doing or did to be compliant with these rules. This might be done through showing the controls of a policy put in place in access records or any other types of artifacts in the end. It's the actions that matter. And when you migrate these compliance risks, by mitigating them by adding compliance related capabilities on top of the basic security controls of IM is the way to do it. So to summarize organizations need to ensure that they're in compliance with all the different roles, laws, regulations, and of course, passing the audits by putting the right security controls in place and then using them.
So at the core, the identity life cycle management of IGA is really about that provisioning of identities and access entitlements to those target systems. This includes the creation of management of accounts and connected target systems, as well as associating those accounts with groups and roles and other types of entities to enable entitlements and authorizations in those target systems. You use some of the key capabilities such as connectors to target systems, account mapping, and identity data modeling, given that flexibility to data models, allowing customization by the customers for their specific needs workflow capabilities to support the request and approval type of processes, as well as supporting automating the management of those identities and access. And then there's the user self-service interfaces for giving users access to password resets as well as requesting access and then giving good UIs also for administrations and DevOps to features such as delegated admin administration types of settings.
For example, when you look at access governance specifically, we, we need you to consider some things here. So we need access to systems, and this should cover as many systems as we can across all different types of deployment models. We need to connect to the systems wherever they reside, but also need the in depth or deep insights into these connected systems to correlate information. This is where the technology can really help us do things better because this insights that we're given into how things relate and where the problems occur often takes analytics and intelligence on what to do, which makes things in the end, simpler and better overall. And all these things need to be effective and in efficient focusing on what really matters or what's required and to automate where automation can be used or makes sense.
So where does IGA fit into all of this in the Cola IM reference architecture, IGA covers both the administration and auditing categories here on the left, addressing that joiner leave mover processes with identity life cycles and having access governance of who has access to what entitlements for examples is what's important here, balance transition to what IGA solutions I'm currently saving the market over the last year group Cole conducts a very comprehensive process when evaluating leadership asses. So they start with determining, you know, what is that evaluation criteria? And in this case for the IGA platforms that are being evaluated, and then they invite vendors to participate, we evaluate their responses regarding their product solution or service. And we at times, interview customers as well as rating the product objectively based on all the information collected. And then we prepare our report, which includes fact checks with the vendors that participated in internal reviews before it's published.
Here are some of the different areas that we look at in the leadership compass. So security is a measure or the degree of security that the product provides internally and externally functionality. This is the measure of in relations to really three factors, what the vendor promises to deliver the current status of that market industry, what and Cooper Nicole, what we expect the industry to deliver, to meet those customer requirements. And then there's deployment the measure of how easy or difficult it is to deploy and operate the product among other things, interoperability, the ability to have the product work with other vendor products, standards, or other technologies and usability, which is the degree in which solutions provide accessibility to users and admins and DevOps such as having those well integrated user interfaces or good documentation. As, as an example, other areas that we look at as part of that vendor evaluation.
So innovation is that ability to drive innovation in a direction which aligns with what Cola understands of that market segment, and then the market position. What position does that vendor have in the overall IGA market and then financial strength, which can be an important factor for customers when they're making it that purchasing decision financial strength can be an indicator on how well a company can execute on their roadmap, or it could be maybe an acquisition target. If they're only venture finance, an ecosystem looks at the partner base as well as their ability to act as that good citizen in a mixed it environment.
So the leadership compass provides ratings of vendors for these categories. So product leadership is based on features and overall capabilities of the various products or services they provide market leadership looks at certain market criteria, including, but not limited to the number of customers, the partner ecosystem that they provide, as well as their global reach innovation is a key capability in it. Market segments that will require really what the customer needs for keeping up with the constant evolution in those emerging customer requirements. And then the overall leadership is that combined view of the product market and innovation ratings.
So there's some important capabilities of I IGA type of solutions to consider, which are for example, identity life cycle, where we talked about the joiner leave remover processes, that ability to provision identities and access entitlements and other identity related information in the target systems, as well as the ability to access identity stores or data modeling or mapping between the different systems. And then the ability to handle those different identity types. Another key component of IGA are those connectors, both the depth and breadth of the connectors and their, what they're able or capable of handling consider both the number of connectors and the breadth of the target systems that could reach the depth of the connectors when it comes to connecting to complex type of target systems, such as SAP environments or legacy mainframes in that customization capability, through connector toolkits, and their ability to use those popular and relevant standards.
That's some examples. And then there's access and review support that supports the auditing and ensuring compliance such as the route review and disposition of user access request, certification campaigns and access remediation when violations are found and also looked at are the, is that segregation to duty controls as well as the roles and policy management capabilities as well. And increasingly IGA solutions are providing identity and access, intelligent capabilities, IGA intelligence that provides business related insights, supporting effective decision making and potentially enhancing the governance. The use of automation is also increasing as organizations seek efficiencies, which includes workflows and orchestration of the security processes as some examples. And then there's that centralized governance visibility. And this includes the extent to which identities and the access under governors can control or be viewed in some kind of a consolidated or single paying view, such as a dashboard of some kind with different types of formats or the 22 vendors that we reviewed in the 2020 IGA leadership compass.
Some are well established companies welders have been in the market relatively less time. Also some vendors have different geographic customer bases, for example, you know, are they primarily in north America or the EU or APAC regions, for example, like IEX and beta systems, which are more EU based or identity automation with a relatively small presence outside of the north American region? Well, some of the more established companies have more even split across regions, such as IBM or micro focus and power ID. Other things to note from the prior IGA leadership compass is that Broadcom acquired CA technology and semantic enterprise business. Since then RCA security, formerly part of Dell technology has been recently acquired by the symphony technology group.
So 11 companies appear in the overall leaders segment. This includes sale point IBM ENT one identity, micro focus, Oracle power ID Broadcom, RSA security, Hitachi ID, and SAP. And these are the more established players with strong offerings and customer base. The remainder of the vendors fall into the challenger segment note that there are, are some distinct groupings of vendors within the segment indicating similar levels of capabilities and innovation or market presence. For example, one grouping is near the top of the section while another grouping stands out in the middle. And then they're remaining three vendors are grouped near towards the bottom of the challenger segment. None of the vendors evaluations fell within the follower section. And just a reminder that, you know, a thorough evaluation of your company's requirements and mappings to the product features is needed to determine, you know, what is that best fit for your organization?
When you look at IGA solution where the market leadership, the top vendors are sale point IBM, Microfocus Oracle, one identity Broadcom SAP, RSA security, primarily for the more extensive global customer base partners and support networks with the bottom section of the market leadership comprised OFS empower ID Evian and beta systems. In the challenger section, we find most of the remaining vendors having good products, but maybe lacking in one or more areas of their customer base partner or support networks compared to the other market leaders. And the only vendor that appeared in the follower section is which is, has a relatively small vendor presence and partner ecosystem.
So the product leadership is mainly based on the analysis of those product features that a vendor solution provides and the overall capabilities of those various services, as well as the functional strength or, or completeness of the product in the product leader. Section sale point is leading, followed by IBM saving and empower ID, all with very strong products and overall ratings. We also see Microfocus Hitachi ID, one identity and Oracle group towards the center with RSA security, Broadcom and beta systems near the bottom border. In the challenger section, there are three clear groupings. So there's Fisher Vivian Atlantis, Saper soit ID appear near the upper border in a second grouping towards the midsection. We see semi and Alexei and ERU identity automation evolve them group near the bottom border, having a stronger product than overall ratings. All the products in the challenger section are found to be good products, but didn't make it into the leader section because of things like maturity, you're missing some of the features that we found amongst the leaders, innovation is what customers require to keep up with the constant emerging customer requirements that they are facing in the leadership category are the vendors that have driven this market forward through the innovation of the products which are sale point IBM saving empower ID followed by one identity, Hitachi ID, Oracle Microfocus, AERs RSA security and Broadcom near the bottom border.
The other vendors appear in the challenger section with only one vendor in the follower segment, having a good product, but falling behind in innovation features when compared to the other vendors. So the IGA leadership compass provides much more detail. So please take a look very quickly. I'll go over some of the IGA considerations that you may need to be aware of.
So aspects of IGA integration to consider, of course, the connector's ability to integrate with the target system is essential. You may also want to consider the connector's ability to support things like bidirectional interaction with those systems, or if it's communication channels between the connectors and target systems or secure, secure enough. Something else to look at is the Solutions's ability to integrate with identity sources and its performance impact for, for better or for worse. Other considerations might be its ability to integrate with existing IM services or how well it supports accepted standard protocols or formats or frameworks is important too. And when it comes to customization or when it's required, can that IGA solution support developers and DevOps processes as well.
So some of the benefits of IGA is its ability to provide that visibility to user access or tracking certification processes and other trends or anomalies support for organizations, ability to demonstrate compliance is, is definitely key giving resiliency through mitigating risk and improving security postures, and then providing efficiencies with workflows and automation that help improve the customer processes. So if you're interested in this topic, please see the IGA 20, 20 leadership compass, as well as some of the related research with these vendor products that you see here. And then the IGA 2021 leadership compass will be published some time in the second quarter of this year with the third more vendors. Yeah. It's last year. So please take a look when it's published. So thank you for attending this presentation.

Video Links

Stay Connected

KuppingerCole on social media

Related Videos

Analyst Chat

Analyst Chat #151: Identity Governance and Administration

Identity Governance and Administration (IGA) combines the traditional User Access Provisioning (UAP) and Identity and Access Governance (IAG) markets. Nitish Deshpande joins Matthias for the first time on the occasion of the publication of the Leadership Compass IGA 2022 , which he has…

Webinar Recording

Multi-Cloud Identity Governance 101

In an effort to cut costs, improve efficiencies, and cater for a mobile and remote workforce, businesses are adopting cloud services from multiple providers. This has created a host of challenges in managing identity and access across multiple clouds, and has introduced several risks that…

Webinar Recording

Dealing Effectively with Modern, Industrialized Cyber Threats

The cyber threat landscape has become very complex, with state-of-the-art intrusion, ransomware, and cryptocurrency mining tools now readily available through online stores and service providers, and an expanding attack surface due to increased cloud computing and remote working. Keeping…

Webinar Recording

Mitigate Risks, Cut Cost, and Achieve Compliance With AI-Driven IGA

Effective Identity Governance and Administration (IGA) is becoming increasingly important as digital transformation, cloud computing, and remote working increase the scope and complexity of Identity and Access Management (IAM) to new levels. But legacy role-based access control (RBAC)…

Webinar Recording

Sicherheit für SAP und mehr: Wie IGA-Systeme unterstützen können

Access Governance-Tools sind in der heutigen Business-IT ein unverzichtbares Element. Sie dienen dem Management von Benutzer- und Berechtigungsworkflows, der Vergabe von Zugangsrechten, der Durchführung von Kampagnen zur Zugriffszertifizierung und der Implementierung und Prüfung…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00