Identity governance as a managed service
By Quinton Hughes, CTO at Integralis IT Consultancy
Information and intellectual property are the new currency of businesses, with employees having the keys to the vault in most instances. Protecting who has access, for what reason, and for how long has never been more critical than at present, as security and compliance breaches cost businesses billions every year, not to mention the loss of reputation and brand equity. Enter identity governance and administration (IGA).
Next-generation IGA programmes can proactively help shield organisations against security breaches, regulatory fines and reputational damage. With applications moving to the cloud and the recent need to enable a mobile workforce rapidly during the COVID-19 pandemic, security is more important than ever. The essential question to address is therefore: ‘How do I manage and control who has access to what, and why?’ while maintaining a high level of security and ensuring users have the appropriate access to do their work.
Businesses that started with the initial iteration of identity management (a precursor to identity governance) to address the management and access of their employees would typically spend vast amounts of upfront capital on products that promised to deliver on the management of identities across multiple platforms and the compliance and governance enforcement of accounts and entitlements in various systems. In reality, though, once a particular product is deployed, the service provider only plays a supporting role, ensuring the product or technology in question is operational and available.
This leaves businesses to fend for themselves when the auditors come knocking and information requested is not readily available because of some business process and system or data changes that have crept in over time. In many instances, there may not be any measures in place to drive and maintain compliance through a contracted service, except the standard availability SLA offered by the product vendor or service provider. Even worse, security breaches may go undetected as the IT landscape evolves and business grows.
IGA as a managed service
What if a business could sign up for a managed service to ensure identity compliance as well as security and governance are maintained? What if the measure of this service is defined as a ‘compliance level agreement’? What if the business could choose different levels of compliance enforcement for different systems, based on the risk-level of that system?
Integralis IT Consultancy has been delivering identity management solutions to customers for more than 13 years and has applied all the experience and knowledge gained over this period to produce a managed service that does just that: a new model and a new service that we believe will change the way businesses think about IGA in future.
Integralis is the preferred solution partner in the Africa region for Omada. Omada is one of the leading IGA vendors on the Gartner Magic Quadrant for Identity Governance and Administration solution providers.
Omada Identity Suite delivers comprehensive identity and access management functionality on-premises or as a service. The end-to-end IGA solution allows organisations to manage and govern all identity types (privileged users, employees, contractors, business partners, customers, devices and machine identities) and manage access to all resources across systems, applications and cloud resources. In addition, Omada provides a clear and consistent path for organisations that migrate users and their access from on-premises, to hybrid, to multi-cloud solutions.
Built on Microsoft technology and supporting heterogeneous environments (including SAP), the Omada Identity Suite is a flexible and future-proof choice that delivers scalable and configurable identity and access management processes with essential identity governance and administration capabilities.
With Omada as our technology partner, we are able to provide our customers with value much more quickly and, using an agile approach, implement governance and enforce compliance through our managed services delivery model.
Frank Larsen, Product Manager at Omada, says:
- Our Identity Governance and Administration platform is unique in that it allows organisations to incrementally move to a higher level of compliance within each connected service or application.
- The Managed Identity Governance and Administration model that Integralis is offering their customers, using the Omada platform, really takes the service to the next level. Furthermore, the concept of ‘compliance level agreements’ between service provider and business, to ensure that compliance is achieved and maintained, is an exciting new perspective on IGA.
Managed identity governance and administration, or MIGA, as we have ‘creatively’ coined it, is an offering that provides solutions to the challenges faced in this field today.
MIGA comprises a foundation identity management service that is complemented with different levels of managed compliance services for each connected (integrated) system or cloud service.
The MIGA Foundation service is defined as the management of an identity from an authoritative source and the life cycle management of this identity as it enters, moves around and leaves the organisation.
The foundation service ensures the platform is stable, identities are maintained in the correct state, business processes – such as segregation of duty, constraint policies and violations, control and assignment policies, risk mitigation and context administration, as well as enterprise roles and logical applications – are all constantly managed, monitored and reported on.
Building on the foundation service, a business can choose from four different managed compliance levels for each system or cloud service they would like to incorporate into the IGA platform for management.
The different compliance levels are:
- Essential (Reporting mode)
The Essential compliance management service allows a business to establish a view of a specific system and the data (accounts, permissions, resources) that is manually or externally managed and maintained by the system owner or service provider. A business can use the essential service to hold the service provider accountable for who has access to what in the system without integrating the system. This is achieved through detailed audit reporting and real-time dashboards.
- Essential Plus (Account management)
The Essential Plus compliance management service builds on the Essential service and adds account management in the connected system. Essential Plus delivers automated provisioning and de-provisioning of accounts in the connected system, driven either by business policy or by self-service access requests that pass through request and approval.
- Managed (Role management)
The Managed compliance management service further extends the Essential Plus service to include entitlement management in the connected system. Permissions in connected systems are automatically provisioned and de-provisioned for different accounts, based on policies, business rules and identity validity. Attestation surveys or access reviews are provided and a complete reporting dashboard offers a detailed overview of who has access to what, as well as the compliance level for that permission.
- Governed (Explicit management)
The Governed level is the ultimate ‘take no nonsense’ compliance level. Governed compliance is the enforcement of business policy, including automated de-provisioning on anything not conforming to the business policy. Essentially, any unapproved additions, deletions or changes on accounts or permissions by an administrator will be flagged as a violation and will be reverted automatically.
- Real life scenario
A business chooses which of its systems to place into which compliance level. As an example, a business can decide to place its on-premises Active Directory into the Managed level, while placing Salesforce into the Essential Plus level. This means that user accounts in Salesforce will be automatically created, updated or deleted based on business rules, ensuring that no unauthorised access is granted should the employee change role or leave the employ of the organisation.
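As an added illustration of how the four compliance levels translate into concrete reconciliation behaviour for the scenario above (Active Directory at Managed, Salesforce at Essential Plus), here is a small reconciliation engine in Python. It is example code written for this article, not Integralis or Omada code: the identities, role policies, account data and the "policy/request/manual" origin tags on entitlements are constructed assumptions, as is the rule that Managed sends unapproved grants to an access review while Governed reverts them.

```python
"""Reconciliation engine for the four MIGA compliance levels (added example,
not Integralis or Omada code). Desired state = active identities + role
policy; observed state = accounts and entitlements read from one connected
system. Findings are reported at every level; actions depend on the level."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    ESSENTIAL = 1       # reporting mode: observe and report only
    ESSENTIAL_PLUS = 2  # + account provisioning and de-provisioning
    MANAGED = 3         # + policy-driven entitlements; manual grants go to access review
    GOVERNED = 4        # + any unapproved change is a violation and is reverted


@dataclass(frozen=True)
class Identity:
    user: str
    role: str
    active: bool        # False once the leaver process has run in the HR source


@dataclass
class Account:
    user: str
    enabled: bool
    # entitlement -> origin: "policy" (assigned by IGA from the role policy),
    # "request" (approved self-service request) or "manual" (set by an admin
    # directly in the system, bypassing IGA). The origin tag is an assumption.
    entitlements: dict


def reconcile(level, identities, accounts, role_policy):
    """Return (findings, actions) for one connected system at one compliance level."""
    findings, actions = [], []
    ids = {i.user: i for i in identities}
    accts = {a.user: a for a in accounts}

    # 1. Account life cycle: joiners without an account, leavers still enabled
    for user, ident in ids.items():
        if ident.active and user not in accts:
            findings.append(("missing_account", user, "active identity has no account"))
            if level >= Level.ESSENTIAL_PLUS:
                actions.append(("create_account", user))
    for user, acct in accts.items():
        ident = ids.get(user)
        if acct.enabled and (ident is None or not ident.active):
            findings.append(("orphan_account", user, "enabled account without active identity"))
            if level >= Level.ESSENTIAL_PLUS:
                actions.append(("disable_account", user))

    # 2. Entitlements on accounts that belong to active identities
    for user, acct in accts.items():
        ident = ids.get(user)
        if ident is None or not ident.active:
            continue
        desired = role_policy.get(ident.role, set())
        for ent in sorted(desired - set(acct.entitlements)):
            findings.append(("missing_entitlement", user, ent))
            if level >= Level.MANAGED:
                actions.append(("grant", user, ent))
        for ent, origin in sorted(acct.entitlements.items()):
            if origin == "policy" and ent not in desired:
                # identity no longer qualifies (e.g. role change): policy grant must go
                findings.append(("stale_policy_entitlement", user, ent))
                if level >= Level.MANAGED:
                    actions.append(("revoke", user, ent))
            elif origin == "manual":
                findings.append(("unapproved_entitlement", user, ent))
                if level == Level.MANAGED:
                    actions.append(("access_review", user, ent))  # a reviewer decides
                elif level >= Level.GOVERNED:
                    actions.append(("revoke", user, ent))         # violation reverted
            # origin == "request": approved through IGA, nothing to do
    return findings, actions


# Constructed sample data mirroring the scenario in the article
IDENTITIES = [
    Identity("alice", "sales", True),
    Identity("bob", "finance", True),     # moved from sales to finance
    Identity("carol", "sales", False),    # leaver
    Identity("dave", "sales", True),      # joiner, no accounts yet
]
AD_POLICY = {"sales": {"grp-sales"}, "finance": {"grp-finance"}}
AD_ACCOUNTS = [
    Account("alice", True, {"grp-sales": "policy", "grp-domain-admins": "manual"}),
    Account("bob", True, {"grp-sales": "policy"}),
    Account("carol", True, {"grp-sales": "policy"}),
]
SF_POLICY = {"sales": {"crm.read", "crm.write"}}
SF_ACCOUNTS = [
    Account("alice", True, {"crm.read": "policy", "crm.write": "policy"}),
    Account("bob", True, {"crm.read": "policy"}),
    Account("carol", True, {"crm.read": "policy"}),
]


def scenario():
    """AD at Managed and Salesforce at Essential Plus, plus the same AD data
    at Essential (report only) and Governed for comparison."""
    return {
        "ad_managed": reconcile(Level.MANAGED, IDENTITIES, AD_ACCOUNTS, AD_POLICY),
        "ad_essential": reconcile(Level.ESSENTIAL, IDENTITIES, AD_ACCOUNTS, AD_POLICY),
        "ad_governed": reconcile(Level.GOVERNED, IDENTITIES, AD_ACCOUNTS, AD_POLICY),
        "sf_essential_plus": reconcile(Level.ESSENTIAL_PLUS, IDENTITIES, SF_ACCOUNTS, SF_POLICY),
    }


if __name__ == "__main__":
    for system, (findings, actions) in scenario().items():
        print(system, "findings:", findings, "actions:", actions)
```

Note that the findings list is identical at every level; only the actions change. That is the point of the model: the reporting view a business gets at Essential is the same audit evidence that drives automation at the higher levels, so moving a system up a level changes what the service is allowed to do, not what it can see.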
The business can also transition systems into higher levels of compliance quickly and efficiently, gaining exponential benefits with each transition.
Each compliance level will increase process automation, compliance and governance and reduce the risk the business is required to mitigate.
Additionally, each compliance level offers different cost profiles and compliance level agreements that will allow the business to slowly introduce IGA into their day-to-day operations, while at the same time also holding the service provider accountable for compliance and governance in a specific system.
At Integralis IT Consultancy, we believe this model and managed service allow for an agile approach to IGA, assisting the customer to realise return on investment much quicker and ultimately leaving the business to focus on their business!