Next-Gen IGA is the latest (for now) evolution in Identity Governance and Administration technologies, but what does this really mean? What is Next-Gen IGA and how is it different?
Let’s start with a trip in the wayback machine and look at the evolution of these technologies to date. Skipping past the work on e-mail address book synchronization that preceded it, the concept of automated provisioning started with simple directory synchronization, which quickly led to the novel concept of a centralized directory. Who can forget the X.500 vs LDAP debates after hours at many EMA conferences? And thank you, Burton Group, for introducing us to the idea of a meta-directory and the first wave of products that followed, which promised to give us a consolidated tool for managing all of this. Hats off to the late Kim Cameron for being the pioneer he was, as I stare at the old Zoomit X.500 Dirsync and Via meta-directory documentation on one of my bookshelves. After meta-directories we had a wave of user provisioning technologies and concepts such as “connector factories” that the vendors insisted were different from meta-directories. Around this time XML showed up as the savior that was going to standardize everything, leading every RFP to ask the question, “Do you support XML?” and leaving us scratching our heads and wondering what that even meant. Even the people writing the RFP couldn’t tell you what they meant, but XML was a hot topic so they had to ask about it. Ok. A key selling point at the time was what I call the framework-based products, which provided tremendous flexibility in how the product was implemented. You could mold it to do whatever you wanted it to do, and most organizations did just that; many IGA programs were run like product development programs with parallel release cycles.
It was around this time that the market was waking up to the risks associated with the digital world, and we saw regulations such as SOX and HIPAA. This is when Gartner introduced the term IGA to combine the concepts of user provisioning and access governance, and vendors such as Aveksa and SailPoint introduced IGA tools that covered both user provisioning and the access governance that was previously done manually via spreadsheets and scripts. For the sake of this writing, let’s call this IGA 1.0. One of the biggest lessons learned from IGA 1.0 was its complexity, which translated into time and cost and required large development teams to both implement and support it. This started to become an issue around 2010 (ish), when the organizations with mature meta-directory implementations began to realize the effort involved in moving from the older tools to the newer IGA tools. Best practice began to ask “should we” and not only “can we” when considering customization, and the goal became as little customization as possible to reduce the effort required for ongoing support and maintenance. Of course, IGA implementations did not always heed this, for various reasons, and there are some very complex IGA implementations out there. The move to SaaS has helped with this simplification and reduced the TCO, but these tools are still very costly and time consuming to implement and support.
Next-Gen IGA is a further move towards addressing these challenges, providing technology that is simpler and easier to implement and support, which translates to lower TCO and faster time to value. These tools provide features such as simpler and easier-to-use user interfaces, low-code/no-code workflow, a large catalog of pre-defined integrations, tools to facilitate access modeling and support for more dynamic models than static RBAC, AI-assisted features, and accelerators for on-boarding new applications and developing new integrations. These next-gen tools are also cloud native or microservices based to simplify deployment and maintenance. Deployments can take less than half the time they took with IGA 1.0. There are more new technology vendors touting “next-gen IGA” capabilities than I care to count, and some of the existing IGA vendors have also evolved their products, although moving to these newer products is also a heavy lift. For the sake of this writing, let’s call this IGA 2.0.
Is Next-Gen IGA a marketing term like so many of the others I mentioned? Of course it is, but there is more to it than that. The idea of IGA evolution is an important one, and organizations still supporting “IGA 1.0” on older products need to take a hard look. They are probably spending too much on maintaining and extending the current platform and getting too little value from it. I have spoken to large organizations spending over $1M USD per year just to keep the IGA 1.0 platform updated to N-1 and patched. Moving to a new, modern platform won’t be easy. Any move from one IGA technology to another is a costly and time-consuming endeavor, and this is no different. It will be an investment in the short term. There may be adjustments required to change the way you do things, and this is still IGA, so it will take some time. Much less time than the IGA 1.0 implementation, but it won’t happen over a weekend. Over the long term it will be worth it, with a lower TCO and a more agile platform to build on going forward. One additional note. Some organizations struggle with the fact that they are currently paying a low maintenance fee for a perpetual license, and this is much lower than the subscription cost for the new platform. The reality is that software has moved to a subscription model. It will be necessary to convert to a subscription pricing model at some point even if the organization remains on the old product. Be sure to consider this when putting together the business case to move to an updated platform.
Is Next-Gen IGA the end or is there more to come? We are already seeing GenAI chatbots and agentic AI being integrated into some of the Next-Gen products. There are some really interesting technologies hitting the market now and we are just scratching the surface of what fully embracing AI can do for us. This has the potential to be the most radical shift in how we work yet. I am excited for what is coming in IGA 3.0, the Next-Next-Gen IGA.
About the Author: Allen Moffett has been in the identity and security business for over 35 years and is currently the Global Head of Identity Security at Eviden, where he leads the strategy, go-to-market, and portfolio of identity services that Eviden provides to its customers. Allen is also an Executive Advisory Board member for the IDSA and is a trusted advisor helping many Eviden customers with their identity and security strategies and roadmaps. In his leisure time, Allen supports local animal shelters and rescues as a dog trainer, working to help the dogs become more adoptable.
About the Company: Eviden is an Atos business, a next-gen technology leader in data-driven, trusted and sustainable digital transformation. With a strong portfolio of patented technologies and worldwide leading positions in advanced computing, security, AI, cloud and digital platforms, it provides deep expertise for all industries in more than 47 countries. Bringing together 41,000 world-class talents, Eviden expands the possibilities of data and technology across the digital continuum, now and for generations to come.