Every year, the world’s organizations collectively spend tens of billions of dollars on Identity and Access Management (IAM) and Identity Governance and Administration (IGA) solutions. Yet, while there are many capable IAM and IGA products available, extending their reach to cover all the apps used by an organization — to deliver the desired outcomes and fast time to value — has proven challenging.
In this post, we’ll explain why that’s the case.
The importance of IAM and IGA
As a starting point, let’s quickly review what IAM and IGA are, and why they’ve become so important.
Identity and Access Management (IAM)
IAM consists of technologies and processes that help organizations to control and manage digital identities and the access associated with them. Leveraging broad integration throughout the IT environment, IAM provides essential functions including:
- Authentication: establishing with the necessary degree of confidence that a user (or non-human entity) genuinely is who (or what) they are purporting to be
- Authorization: determining and enforcing access rights and privileges (e.g., to applications, resources, data, etc.)
- Identity management: the behind-the-scenes CRUD (create, read, update, delete) operations that manage joiner/mover/leaver (JML) events and cycles
While these functions seem straightforward when described so succinctly, in concert they enable organizations to precisely control which entities have access to which resources at any point in time — a capability that’s critical for maintaining a strong security posture, enabling a productive workforce, and meeting compliance obligations.
In fact, IAM is so fundamental to today’s organizations — and so complex that building the functionality in house isn’t practical — that the global market for IAM solutions is expected to reach $43.1 billion by 2029.
Identity Governance and Administration (IGA)
IGA focuses more on identity lifecycle management (LCM) and entitlement management to enable security and compliance goals, through a combination of:
- Identity governance: Processes and policies pertaining to roles, access reviews, and separation of duties, plus requirements for logging, reporting, and analytics
- Identity administration: LCM, entity provisioning and deprovisioning, and entitlement management
Owing to its technology focus, IAM tends to fall squarely under the IT umbrella, whereas IGA often exists within the purview of broader governance, risk management, and compliance (GRC).
Like IAM, IGA is itself a significant market — projected to reach $12 billion by 2026.
The expected outcomes of IAM and IGA
While IAM and IGA each address important organizational needs and provide standalone value, their value compounds when such solutions are deployed in tandem.
The more easily, effectively, and efficiently that an organization can leverage its identity infrastructure, the better positioned it is to:
- Build and maintain a strong security posture that preserves productivity and avoids costly breaches by preventing, detecting, and responding to attacks that target or exploit identity
- Achieve stronger governance and compliance to manage regulatory risk, gain and maintain certifications, satisfy standards requirements, and meet contractual obligations
- Enable workforce productivity by ensuring every member of the team — including the extended workforce of contractors, partners, and other third parties — can access the applications and resources they need, when they need them
- Increase efficiency, accuracy, and scalability by replacing tedious, time-consuming, and error-prone manual processes with automated workflows
- Gain greater control over and visibility into how applications are being used
There are many excellent solutions available from the likes of Okta, Microsoft, Ping Identity, Saviynt, and others — but for an organization to get full value out of its IAM and IGA investments, these solutions need to be deployed with full coverage of the app ecosystem.
The disconnected app problem
Today’s organizations rely on a large and ever-growing number of apps. Even smaller companies may use well over 100 apps, and enterprises — many of which have reached immense scale through mergers and acquisitions — typically have hundreds.
Unfortunately, attaining full coverage across this ecosystem has proven to be elusive.
The reason? Disconnected apps.
Alternatively known as non-federated apps, non-standard apps, or unmanaged apps, these apps exist outside the integrated and automated controls organizations have invested so much time, effort, and money to implement — making them prime targets or tools for threat actors. In fact, a recent Ponemon report found that 53% of organizations have suffered a breach due to the inability to secure access to disconnected apps.
Why are so many apps disconnected?
The ability of an organization’s identity infrastructure to manage apps largely depends upon the apps providing APIs and supporting a variety of standards, including:
- SAML (Security Assertion Markup Language): an XML-based open standard that provides cross-domain single sign-on (SSO)
- WS-Federation (or WS-Fed): an older protocol from the WS-* family of specifications, typically used within Microsoft environments to enable SSO and federated identity
- SCIM (System for Cross-domain Identity Management): an API-based integration standard designed to streamline identity lifecycle management, primarily for cloud-based apps
- OIDC (OpenID Connect): an authentication protocol, built on OAuth 2.0, that conveys identity claims in JSON Web Tokens (JWTs)
However, the reality is that over 40% of apps don’t support the necessary APIs or standards in the first place, while many others charge a premium to access APIs that enable identity security functionality like SSO and user management (the “SSO tax”).
Without these standards and APIs, IT teams are forced to stay in the past, trying to close the coverage gap through workarounds including:
- Tracking access in spreadsheets
- Writing custom scripts
- Employing ticketing systems (e.g., ServiceNow) that trigger manual fulfillment workflows to request and grant access
- Building and maintaining custom integrations for high-priority apps
This approach is costly, prone to human error, and doesn’t scale.
Closing the app gap: extending identity and governance controls without adding complexity
Ultimately, disconnected apps artificially limit the reach of your IAM and IGA tooling. In doing so, they undermine your desired outcomes and impose costly and unscalable workarounds that hinder security, introduce audit/compliance risks, and harm productivity.
Learn more about Cerby’s offerings in this area by visiting Cerby’s website.
About the Author: Navrup Tom is a product marketing leader with deep expertise in B2B SaaS and cybersecurity. She has held leadership roles at companies like ActiveState, Dialpad, and Auth0/Okta, and currently leads product marketing at Cerby.