KuppingerCole Report
By Martin Kuppinger

Identity Governance. The Value of Leveraging IGA Functions from the Cloud

With IT functions gradually shifting to the cloud, it is time to rethink the way supporting infrastructure and platform services such as IGA (Identity Governance and Administration) are implemented. While solutions running on premises, but also supporting cloud services were the norm until now, running IGA as a service, with support for the hybrid reality of IT infrastructures becomes the adequate solution.

Commissioned by Microsoft

1 Introduction

IGA (Identity Governance and Administration) is one of the core disciplines of today’s IAM (Identity and Access Management). IGA is, in effect, a combination of Identity Provisioning and Access Governance. The traditional focus of IGA is on on-premises applications and on static entitlements, i.e. the access rights granted in the applications. However, when looking at the reality of Business Access Risks – the risks imposed on the business by fraudulent access – the scope broadens. IGA today must take a perspective beyond the financial risks, and also beyond static entitlements. It must cover all types of applications and all types of business access risks, and it must implement security controls at various levels.

Such a broader scope of IGA could be implemented both on premises and in the cloud. However, there are good reasons to run this integrated, extended IGA from the cloud. Historically, hybrid IT was centered around – mostly established – on-premises solutions that were extended to support the “new” cloud infrastructure. The reality of IT in many businesses has changed since then. Cloud is the new normal, while there remain on-premises services that need to be supported. While IT remains hybrid for most businesses and will do so at least mid-term, sometimes even long-term, the focus of IT initiatives has already shifted from on premises to cloud. Thus, core functions of IT – such as IGA – should be considered candidates to become “cloud first” services.

With that shift in the way IGA is done – as a service, taking a broader perspective on access risks – it is time to rethink the existing IGA infrastructures. Beyond that, IGA is only one (central) piece in a puzzle of technologies required for protecting systems and information. IGA is one element of IAM and needs to work seamlessly with Adaptive Authentication, Privileged Access Management, and other technologies. Beyond that, it also must integrate with services such as Threat Intelligence, Enterprise Mobility Management, or CASBs (Cloud Access Security Brokers).

Microsoft delivers a range of technologies for moving IGA to the cloud and provides integration with a variety of additional capabilities within the Microsoft EMS (Enterprise Mobility + Security) offering. Microsoft Azure AD Identity Governance is a set of services and capabilities that allow businesses to manage identities and their access from the cloud, with integration to existing on-premises environments and specific Access Governance capabilities such as access reviews.

Such approaches form the foundation for re-thinking the IAM and IGA infrastructure as part of the overall move of enterprise IT to the cloud.

2 Highlights

  • Identity & Access Governance’s shifting focus from on premises first to cloud first, supporting all types of services
  • The need for Identity & Acce ...

3 Identity & Access Governance: More than on premises, more than Least Privilege

IGA has to support the entire breadth of today’s IT infrastructure and business applications. With the shift to the cloud, the focus is shifting fro ...

Static entitlements only define which access is allowed or not, but don’t address which access factually happens. There are various situations of fr ...
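The distinction drawn above between static entitlements (what is allowed) and the access that factually happens (what is exercised) becomes concrete when the two are reconciled: entitlements that are never or no longer used are candidates for removal in an access review, while access observed without any backing entitlement points at a local account, a broken provisioning flow, or activity running in a user's context that governance never sanctioned. The following Python is an added example, not code from the report, from Microsoft, or from any IGA product; the entitlement catalog, the log line format, the review window, and all user, application, and role names are constructed for the illustration.

```python
"""Reconcile static IGA entitlements with observed application access.

Added illustration: the catalog, log format, names and dates below are
constructed; no real IGA product or log schema is implied.
"""
from datetime import datetime, timedelta

# Constructed entitlement catalog as an IGA system would hold it:
# (user, application, role) -> date the entitlement was granted.
ENTITLEMENTS = {
    ("alice", "erp", "ap-clerk"): datetime(2021, 1, 10),
    ("alice", "crm", "reader"): datetime(2021, 1, 10),
    ("bob", "erp", "ap-approver"): datetime(2020, 6, 1),
    ("bob", "crm", "reader"): datetime(2020, 6, 1),
    ("carol", "hr", "admin"): datetime(2019, 3, 15),
}

# Constructed application access log: "<ISO timestamp> <user> <app> <role>".
ACCESS_LOG = """\
2020-12-01T14:00:00Z bob crm reader
2021-05-03T08:12:44Z alice erp ap-clerk
2021-05-03T08:13:02Z alice erp ap-clerk
2021-05-04T10:45:19Z bob erp ap-approver
2021-05-04T11:02:33Z dave erp ap-approver
2021-05-05T09:30:00Z alice crm reader
"""


def parse_access_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, role = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "app": app, "role": role,
        })
    return events


def reconcile(entitlements, events, as_of, window_days=90):
    """Classify every granted or exercised (user, app, role) triple.

    unbacked : access observed for a triple no entitlement covers
    unused   : granted longer than the window ago, never exercised
    dormant  : exercised once, but not within the window
    in_use   : granted and exercised within the window
    """
    window = timedelta(days=window_days)
    last_used = {}
    for ev in events:
        key = (ev["user"], ev["app"], ev["role"])
        if key not in last_used or ev["ts"] > last_used[key]:
            last_used[key] = ev["ts"]

    unbacked = sorted(k for k in last_used if k not in entitlements)
    unused = sorted(
        k for k, granted in entitlements.items()
        if k not in last_used and as_of - granted > window
    )
    dormant = sorted(
        k for k in entitlements
        if k in last_used and as_of - last_used[k] > window
    )
    in_use = sorted(
        k for k in entitlements
        if k in last_used and as_of - last_used[k] <= window
    )
    return {"unbacked": unbacked, "unused": unused,
            "dormant": dormant, "in_use": in_use}


def review_report(as_of=datetime(2021, 6, 1)):
    """Run the reconciliation over the constructed data and return it."""
    return reconcile(ENTITLEMENTS, parse_access_log(ACCESS_LOG), as_of)


if __name__ == "__main__":
    for category, triples in review_report().items():
        print(category)
        for user, app, role in triples:
            print(f"  {user:<6} {app:<4} {role}")
```

The "unbacked" bucket is the detection-oriented output: it is exactly the access a static entitlement catalog cannot tell you about, and it deserves investigation before the "unused" and "dormant" buckets are fed into a recertification campaign. The window length and the choice of which attribute counts as a role are assumptions of the example and would follow each application's own access model in practice.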


4 The new focus of IGA: Entitlements, Devices, Access

IGA must support all types of services, regardless of the deployment model. IGA must support all types of users, from employees to consumers. IGA must ...

However, it does not deal with other challenges such as

  • insecure devices that e.g. carry malware
  • attacks that run in the context of users, via s ...

5 The solution: Integrated IGA from the Cloud

Running IGA from the cloud delivers best support for today’s cloud-centric IT infrastructures. It also allows for orchestrating various security ser ...


6 The Microsoft approach on IGA from the Cloud

Microsoft Azure AD Identity Governance is a set of capabilities for delivering IGA from the cloud. It integrates with other Microsoft Azure based secu ...

For managing the identity lifecycle, Azure AD delivers a set of capabilities. Users can be managed directly within Azure AD. Azure AD also supports fl ...


7 Action Plan for implementing IGA as a Service

IGA should become a service. This shouldn’t simply be a tools choice, but part of revisiting the IT strategy, the IT security strategy, and the IAM ...



©2021 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole’s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.