We commissioned Dimensional Research to do a security-focused global survey to capture hard data on experiences and approaches to Identity Governance and Administration (IGA). Data was collected from more than 1,000 IT professionals with security responsibilities. Here’s what we learned about the systems-maturity level and preparedness.
In general, most organizations rely on manual processes to execute all or part of their identity management tasks. A few organizations are fully integrated and leverage automated workflows to provision and deprovision user access to resources. And fewer still have true governance with access certification (and attestation), access request capabilities and automated approval processes, which makes it more work to stay compliant and maintain optimal efficiency.
In this post, we’ve highlighted key points in the survey to provide an overview of the state of IGA around the globe.
IGA Framework Directories – Most Common Source of Identity Data
To achieve true identity governance – and to simplify management in general – it is essential to have a reliable and accurate Authoritative Data Source (aka the single source of truth) from which all IGA functions pull, and to which they save, user access permissions. Of the four common authoritative sources – a directory within an IGA framework, an HR system, Azure Active Directory and on-premises Active Directory (AD) – respondents that use an IGA framework gave their system the highest percentage of ‘Excellent’ ratings at 26 percent, followed closely by HR system (21 percent), Azure AD (18 percent) and on-prem AD (17 percent). On average 80 percent of respondents felt that the way their organization does IGA at least ‘could be better.’
With issues in the base resource – or if your organization doesn’t have a data source of record – it becomes difficult to fully implement identity governance processes.
For large organizations with multisystem/multiplatform enterprise environments, manual identity provisioning is labor intensive, prone to human error and can take a long time to work through large projects – such as wholesale changes from a global pandemic. The survey found that only 8 percent of respondents were fully automated across all systems. Nearly 70 percent still relied partially on manual processes to manage joiners/movers/leavers; and slightly more than 20 percent did all their IGA tasks manually.
Access Request refers to the ability of existing users to ask to extend their access to additional resources. Just 9 percent of respondents’ organizations have fully automated access-request processes for all their systems.
The other 90+ percent rely on manual processes – completely or partially – to submit, review and approve/deny access requests. Just under half (47 percent) said they have a combination of manual and automated processes, and 37 percent have no automated processes, while 7 percent somehow operate without any formal IGA process or system at all.
Then for certification – the ability to confirm access is appropriate for a user, which typically happens on an annual or semi-annual basis – 47 percent have no automated way of certifying user access, including those with no process at all.
Moving to workflows for any IGA process, 23 percent operate completely with manual processes for provisioning, access request, approvals and certification. When you include the 8 percent of organizations that have no identity management workflows, nearly a third of organizations have no automation at all. That’s a sizable part of the corporate/government world that is at risk from human error and data breaches.
Now, 60 percent said they have a combination of automated and manual processes. When you add to them the organizations that rely completely on manual processes and those with no workflows at all, approximately 90+ percent of the corporate world are potential targets. In addition, even if they are never breached, these organizations are running less efficiently than they need to be.
Role management is lacking at the majority of organizations. This capability enables identity systems to manage user permissions by the type of work the user does and the systems they typically need to access. User rights can be grouped by roles, and as those roles evolve, the default rights assigned to them can be optimized for that role. Just 12 percent of organizations have implemented fully automated role management across all their systems. Another 12 percent have no role-management systems or processes at all. And in between these two groups, the majority (76 percent) of organizations have some form of role management, but it is not integrated across all their systems, nor is it automated in many cases.
Identity Lifecycle Management
Stepping up to the top level, which is Identity Lifecycle Management, 19 percent have no system at all and just 11 percent are completely integrated across all systems and users. The survey results show that 30 percent of respondents use identity lifecycle management for a few systems, with another 40 percent reporting they have inconsistent processes across their enterprise.
Identity Investment is Increasing
The good news is that survey respondents said investment in the six identity management disciplines was increasing. The survey showed that 73 percent were investing in multiple identity disciplines. As we head back to some sort of normalcy and begin to bring back laid-off workers and furloughed employees, and offices come back to life, it’s important that all policies and permissions can be quickly and securely updated. For organizations that rely on manual processes to make changes to their identity management system, it will be an arduous task to complete. It will also be fraught with risk and potential human errors as overworked identity teams attempt to make the updates under great stress to get things done quickly.
A Note About Our IGA Survey
The goal of this survey was to capture hard data on current experiences and approaches to Identity Governance and Administration (IGA).
An online survey was sent to global sources of IT security professionals. Questions were asked on a wide range of topics including IGA practices, IAM approaches, security issues, and third-party contractors.
A total of 1,005 qualified individuals completed the survey. All participants had direct responsibility for IT security and were very knowledgeable about the IAM and privileged access approach at their company. A wide range of industries, countries, and company sizes were represented.