Identity Governance and Administration (IGA) in IT Infrastructure of Today

David Balaban
June 16, 2018 by
David Balaban

This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.

Identity Governance and Administration (IGA) can be considered a very important area in the management of information technology in enterprises and organizations, which is covered on the CISSP exam. The level of IGA importance can be compared to managing licenses, configurations, security incidents, vulnerabilities and other processes well described in the ITIL libraries. Moreover, although IGA is not the basic process of ITIL, its role only grows with time.

Among the reasons for the increase in the importance of IGA, one can single out the increase in the role of information security and the growth of both external and internal threats, the heterogeneity and complexity of systems and software.

Earn your CISSP, guaranteed!

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

IGA solves the following tasks important for IT infrastructure of an enterprise:

  1. Enhancing IT-systems information security.
  2. Optimizing the information systems load.
  3. Optimizing the work of users in information systems, as well as IT staff.

IGA systems implementation workflow

The implementation of the Identity Governance and Administration solution, like any IT system that automates business processes, cannot be done without serious changes in the business processes of the organization. Moreover, here we are talking mostly about personnel management, including identity and access management. The "maturity" of these processes directly affects the quality of the implementation of the IGA system. Organizations planning to implement and further develop IGA system should systematize and structure these processes in advance. Already at this stage, "distortions" can be identified, which are to be fixed best before the IGA system implementation itself.

At the preliminary stage of implementation, the organization must go through external or internal consulting, the results of which should formalize the appropriate access management processes, and refine the existing information systems, first, the personnel management infrastructure. A good result at the end of the consulting stage is the development of a role-based access control model.

Assessing the relevance of the system to the existing IT landscape in the organization, its functionality and flexibility are the key principles to be considered when selecting an IGA system. The price factor is also important.

The need to introduce IGA in the organization is subject to certain criteria, as follows:

  • A large number of employees involved in information and accounting workflows
    An organization having several thousands of employees that deal with several complex systems is to consider incorporating IGA in its IT and InfoSec schemes. To give you an example, 80% of US companies having 1,000 employees and more make use of IGA systems.
  • Badly heterogeneous IT landscape
    Identity and access management is often difficult to carry out in such a landscape, and it requires significant resources.
  • Specific business-model
    Access management becomes crucial both in IT and InfoSec for a business model which is highly sensitive to data loss or leaks.
  • Static IT landscape
    Where IT landscape is rather static, and most systems are large, IGA system may contribute best to cost-saving in account management, raising the level of information security, and reducing IT crew idling.
  • High turnover of staff
    This unit itself might still fail to provide a determining factor. However, coupled with the big size of the company and considerable cost of data loss, it becomes a significant factor.
  • Reorganizations of business through mergers and acquisitions
    With such reorganizations, obviously, one of the key issues is the transformation of the IT landscape. Often, before the merged companies move onto a single IT structure, a certain, maybe even a long time, they remain working in their old IT systems, while gaining access to new ones to perform the same tasks.

Modern IGA systems market

IGA system market has grown dramatically over last 10 years as new players entered it. In 2017, Gartner updated its Magic Quadrant highlighting 15 solution providers offering IDaaS models.


The leaders are six vendors — Oracle, IBM, Microsoft, CA Technologies, Okta, and PingIdentity. All the leaders in the new magic quadrant have an income of $100 million or more, although many of them are still building this income on older products released to the market in the 1990s. Okta, which gained the most place in the report, was praised by Gartner due to its rapid implementation, reliability, and support level. Oracle and IBM over a range of years remain quite at the top. Microsoft offers lower-cost solutions attracting a broader audience.

Return on investment

It is not easy to calculate the return on investments when it comes to IGA systems. IGA neither impacts core operations nor generates any added value directly. The initial costs for the implementation of IGA as a rule, are significant, but as the organization grows, IGA share in total costs gets reduced, while the role and importance are growing.

Therefore, investments in IGA should be viewed not only as an integral part of investing in the information security of an organization but more as an investment in strategic stability and the sustainability of the organization's growth. A few approaches can be identified that will help in calculating the economic effect of setting up IGA processes, allocating resources to it, and implementing IDM systems.

Risk management

It is obvious that in each information system there are risks that certain users (depending on their functions in the system) can perform malicious actions, the consequences of which will be significant for the company's business. Poorly controlled access to critical business processes in information systems can lead not only to significant financial losses but even loss of business itself.

A lot of such examples are available on the Internet and are described in sufficient detail. For example, losses of critical data in information systems due to users' fault make up more than 10% among all the categories broken down by their cause. Moreover, among the 10 main threats to information security, malpractice of users in information systems take the second place in the total number of incidents (according to Ernst & Young estimates).

Managing the users operating in the systems

User roles and access levels in the information systems overlap or are duplicated quite often. The reasoning offered for such a duplication leaves much to be desired. This leads to increased expenditures due to extra time and resources to be spent on relevant functions. Meanwhile, the incapacity of the users to complete required tasks in the information systems in time might entail financial losses, too. The losses commonly occur as the users waste working hours awaiting the access to be provided to the resources they need for the job to be done. Getting access to necessary resources may take days.

This process often includes several stages — users ask their boss, then it goes through approval, once approved users must call or email IT department or service desk after that IT staff start working on granting you access. The introduction of IGA in such cases, especially in complex multi-user environments, brings a tangible economic effect related to the reduced time consumption for any given task to be completed by the users in the systems.

Earn your CISSP, guaranteed!

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

Confidentiality, integrity, accessibility

Another approach to assessing return on investments with regards to IGA rather relates to the assessment of losses across the following three core characteristics (services) of information security: confidentiality, integrity, and accessibility.

Such an approach computes the losses as a total of the losses broken down in several units (losses from the untimely provision of access services, losses from unauthorized data changes, losses associated with restoration of functionality, losses associated with idle time, losses associated with loss of income.) Modern studies well address techniques for computing such losses.

David Balaban
David Balaban