BEST PRACTICES: Rising complexities of provisioning identities has pushed ‘IGA’ to the fore

Identity governance and administration, or IGA, has suddenly become a front-burner matter at many enterprises.

Related: Identity governance issues in the age of digital transformation

This is, in large part, because the complexity of business networks continues to escalate at a time when compliance mandates are intensifying. I had the chance at RSA 2019 to visit with Mike Kiser, global strategist at SailPoint, an Austin, TX-based supplier of IGA services to discuss this.

SailPoint, which went public in November 2017, has grown to more than 1000 employees in 30 locations. Its customer base is comprised of eight of the top 15 banks, four of the top six healthcare insurance and managed care providers, nine of the top 15 property and casualty insurance providers, five of the top 13 pharmaceutical companies, and 11 of the largest 15 federal agencies.

The identity challenges these large organizations are wrestling with can be instructive to organizations of all sizes and in all verticals – any entity that is participating in the global supply chain. For a full drill down of our conversation, give a listen to the accompanying podcast. Here are a few of the key takeaways:

Identity’s moment

Traditional concepts of putting up perimeter defenses to protect on-premise systems have gone out the window. Companies today routinely use a combination of on-premise and cloud-supplied infrastructure. Meanwhile, employees, partners, suppliers and customers are using their smartphones to gain access.

In this digitally transformed environment, maintaining perimeter defenses still has a place. Yet,  most breaches today can be traced back to a compromised identity, or misuse of an authorized identity. Thus, continually assuring the validity of authorized users has now taken center stage.


“We have a change in the environment where there is no longer a hard perimeter,” Kiser told me. “So people are realizing that identity is having this moment, with identity being the new perimeter.”

To protect this new amorphous perimeter, the overall safeguarding of identities has become vital,  Kiser argued, and a key part of accomplishing that is implementing strong, flexible identity governance. Companies need a reliable way to know at all times where sensitive data is sitting, and who might be accessing it, in order to keep it out of the hands of threat actors, he said.

Users re-defined

Not only is the notion of what comprises a perimeter shifting, the definition of what constitutes a “user” is metamorphizing, as well. Most often, a user is a human being. However, a user can be an automated program, aka a “bot,” one type being a RPA, which stands for robotic process automation.

RPAs already are used widely in legitimate commerce, which might surprise some people. Companies are increasingly deploying this new technology to replace contractors and to do automated tasks.

“Think of a customer service chat bot, for instance,” explained Kiser. “When you’re on a website, interacting with a company, that interaction is often a program guiding you to a potential solution before you actually talk to a human.”

The key security lesson is that an identity gets assigned to each and every RPA, creating fresh attack vectors. With each identity comes certain entitlements and authorizations, which need to be monitored and governed. Today IGA tools and services are continually getting better at recognizing authorized users, be they human or not, and granting access in more granular ways.

Compliance matters

As complexity has intensified, so have compliance challenges. Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, and the Federal Information Security Management Act set forth longstanding data handling privacy and security rules.

Meanwhile, yet another layer of data handling protocols has arisen in the form of Europe’s General Data Protection Regulation, New York state’s Cybersecurity Requirements for Financial Services Companies and California’s Consumer Privacy Act.

All these privacy regulations have a direct impact on IGA service, which help companies automate, as much as possible, governance processes, as a foundation proving compliance.

“In other words,” said Kiser, “you couldn’t just say ‘yes, we are giving the right people the right access at the right time,’ you’ve got to document it all along and prove that to auditors.”

Auditors aren’t the only one companies must satisfy. Public trust must be maintained. This goes beyond taking a check-the-box approach to compliance.  Smart companies will do their due diligence beforehand, and carve out resources to invest in tools and services, including advanced IGA administration services, to avoid that fate. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Last Watchdog’s Sue Poremba contributing.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone