The Identity Blog

Hot Take: IGA Doesn’t Completely Manage Identity Lifecycle

Yes, of course Identity Governance and Administration (IGA) is integral to identity lifecycles. However, IGA solutions manage and govern an identity’s access, not the lifecycle of the identity at its highest level. IGA solutions provision access, certify access, review access, verify that it’s the right access, and when appropriate, remove that access. Ultimately, IGA solutions perform all the actions around managing the access that an identity has and providing visibility of that access.

But what IGA solutions don’t manage is the actual identity lifecycle, meaning they generally rely on another system, an authoritative source, to inform them when there are lifecycle state changes to that identity.

For example, someone is transferred to another department, a contractor starts a project where access is needed, or a machine is decommissioned. All of those different lifecycle states of the actual entity that the identity represents are managed by an authoritative source, not the IGA solution itself.

Without the authoritative source, you’ve got a beautiful Lamborghini for an IGA solution with an empty tank of gas.

For an organization’s employees, information can and should be managed by an HR solution. But all other identities (contractors, vendors, consultants, volunteers, guests) need to be managed in their own purpose-built system, with just as much rigor as those employees.

With an authoritative source of non-employee data, organizations can better position themselves to provision access, have visibility into high-risk identities, and deprovision users as needed. It’s a missing step for many organizations; according to a 2021 Ponemon Institute study, 65% of organizations surveyed have not identified the third parties with access to their most sensitive data.

That same study found that organizations grant access to sensitive information without properly assessing the security and privacy practices of their third-party connections. By implementing a comprehensive third-party risk management solution, organizations have better transparency into the dynamic relationships they have with each individual third-party identity, enabling them to make well-informed, risk-based decisions about provisioning, verifying, and deprovisioning access to these high-risk users.

SecZetta’s Third-Party Identity Risk solution allows organizations to collect third-party, non-employee data in a collaborative and continuous manner, from both internal and external resources, throughout the lifecycle of the third party. This creates an identity authority for third-party individual user data that organizations can use to automate key identity processes and improve operational efficiency and accuracy in onboarding, streamline compliance audits, provide identity verification, and deprovision access in a timely manner.

Take a self-guided product tour of SecZetta’s Third-Party Identity Risk solution and see how automated identity lifecycle processes can expedite your access decisions and help mitigate your risk.