Was the IGA Refresh a Fool's Errand?

written by
Erin Duncan
ServiceNow
May 12, 2020

Gartner defines a legacy application or system as “an information system that may be based on outdated technologies but is critical to day-to-day operations.” Companies continue to run outdated software because replacing it can be both expensive and risky.

Software modernization in the Identity Governance and Administration (IGA) space can be particularly challenging. IGA deployments automate the business processes associated with granting and removing access to hundreds of applications for thousands of employees. A tremendous amount of effort goes into analyzing and optimizing those business processes so that they can be automated within the IGA system. Once the processes are understood, the IGA system must be integrated with the target applications it supports so that account lifecycle management can be automated. These integrations are expensive to build and require ongoing maintenance and support. When an IGA system is replaced, these integrations have to be rebuilt, and the processes have to be reanalyzed so that they can be automated in the new system.

Despite these costs, many organizations, especially very large and complex ones, have gone through multiple IGA refresh cycles. According to Flexera’s Product EOL/EOS 2018 Report (PDF), most products have a five-year lifecycle. Identity Management (provisioning) has been around for perhaps 20 years and IGA for approximately 12. Software gets old, and even when it is not old it is often blamed for failed deployments that are really caused by the sheer complexity of managing an identity program. The strategic push many companies are making towards the cloud has also been a driver for the modernization of IGA software. These drivers, among many others, have forced many organizations to take multiple stabs at rebuilding their IGA programs.

Some software vendors and consulting services firms advertise “migration paths” from one IGA platform to another. Honest and experienced practitioners will caution against the overblown promises of these “tools”. The truth is that there is no real way to migrate processes automated in one IGA solution to another, nor can integrations built for one solution be easily reused for another. Faced with this reality, companies are left with the silver lining of looking at an IGA modernization project as an opportunity to reevaluate their business processes and to re-optimize them prior to moving them to the new solution. In other words, the IGA lemon presents an opportunity to make lemonade.

When embarking on an IGA deployment to replace a legacy system, very few organizations choose a “rip and replace” approach. Ripping and replacing is incredibly expensive and risks an impact on production because of the complex customizations that exist in most legacy IGA deployments. This is where the nature of IGA actually helps. Most IGA deployments are done in phases that onboard applications and automate processes sequentially, and new applications that have not been integrated into the IGA program are constantly being added to the enterprise. This gives organizations looking to replace a legacy tool the opportunity to stand up a new, modern one in parallel. The new deployment is a fresh start that can serve applications that were not in scope for the first deployment, or that were added to the environment after the legacy IGA system was deployed. The intention is to introduce the new IGA system slowly while phasing out the old one. Unfortunately for many, these good intentions create an IGA management hell. Legacy systems are rarely decommissioned, the new implementation has its own challenges, and the organization now finds itself managing multiple IGA systems without the benefit of an enterprise-wide view of “who has access to what”. Identity information becomes siloed in the different IGA systems, making basic functionality such as User Access Reviews (UARs) or certifications very difficult. Imagine the frustration of having two or three IGA systems and not being able to carry out a UAR across all scoped applications from one pane of glass and through one user experience.

What options does a company have? Can it deploy a third or fourth system above the legacy ones to consume the information in the legacy systems in order to carry out basic UARs across all scoped applications? What guarantees that the new system will benefit from a successful implementation, and how does one justify the introduction of a new Access Review portal, new workflow and new complexity without any guarantee of success? Does it make any sense to have to retrain or hire very specialized administrators for the new IGA system? What does one do with the highly specialized, expensive legacy operators who have spent their careers learning legacy platforms? Perhaps the answer is to take advantage of this situation and use it as an opportunity to move IGA processes to the cloud. Unfortunately, the lemonade coming from this lemon has proven to be much more bitter than sweet. Cloud-based IGA solutions have been very limited due to the rigidity imposed by multi-tenancy. Even if there were flexible cloud-based solutions, their flexibility would not overcome the challenges of rip and replace described above.

Until now, options were very limited, and even the most well-managed IT shops found themselves stuck managing expensive legacy systems that never delivered on the promise of enterprise-wide IGA. But what if there was an alternative that did make sense? What if one could leverage an existing platform that was already in use across the enterprise, which business users were comfortable with, and in which an investment had already been made? If the platform already exists and is already delivering value to the organization, then there is no risk of adding a new solution that might not deliver adequate value. All one would be doing is getting more value out of a platform that is already delivering a return to the enterprise through automation. What if this platform is the ServiceNow Platform?

Imagine taking your investment in ServiceNow and using it to solve the problem of being unable to carry out basic User Access Reviews across multiple legacy IGA applications. There would be no need to train business users on a new platform, there would be no need to hire expensive resources to manage a niche solution, and the IGA processes would be moved to a tried and tested cloud platform that the company is already comfortable with.

Clear Skye IGA is built natively on (or in) the ServiceNow Now Platform. It requires no external software and no premium ServiceNow features. Clear Skye consumes identity information from legacy applications, correlates it, and publishes it to employees and business users through the Service Portal they are already familiar with. They get the same user experience they have when carrying out other functions, so resistance and cost are greatly reduced. This is a tremendous win, especially for organizations to whom the Now Platform is strategic. Those organizations have already placed other critical processes on the Now Platform, such as risk management, vulnerability management, incident management and service management. Why wouldn’t they place IGA on the Now Platform too? Not only are they moving to the cloud and migrating off their legacy IGA systems, but they also get to reap the benefit of placing Identity at the center of their business. Think UAR, but then imagine an enterprise-wide governance and risk management system that enriches processes like IT Operations Management while benefiting from the context provided by Now Platform solutions like the Configuration Management Database (CMDB).
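The two paragraphs above describe the core practical problem (identity data siloed across several legacy IGA systems, so no single “who has access to what” view exists for a UAR) and the remedy (consume each system’s data, correlate it to one identity, and publish a consolidated review). The following is an added example, not Clear Skye or ServiceNow code, showing the correlation step in plain Python: two constructed legacy exports that key accounts differently (one by employee id, one by e-mail) are matched against a constructed HR feed, merged into one per-identity access view, and accounts that belong to terminated identities or that match no identity at all (orphans) are surfaced for the reviewer. All field names, system names and records are constructed for illustration.

```python
"""
Correlate account data from two siloed IGA exports into one
"who has access to what" view for a User Access Review (UAR).

Added example, not Clear Skye or ServiceNow code. The export formats,
field names and sample records below are constructed for illustration.
"""
from collections import defaultdict

# Constructed HR feed: the authoritative list of identities.
HR_IDENTITIES = [
    {"employee_id": "E1001", "email": "ana.lopez@example.com", "manager": "E1000", "status": "active"},
    {"employee_id": "E1002", "email": "bo.chen@example.com", "manager": "E1000", "status": "active"},
    {"employee_id": "E1003", "email": "cy.dube@example.com", "manager": "E1000", "status": "terminated"},
]

# Constructed export from legacy IGA system A, which keys accounts by employee id.
LEGACY_A_ACCOUNTS = [
    {"system": "legacy-A", "app": "ERP", "account": "alopez", "employee_id": "E1001",
     "entitlements": ["erp.reader", "erp.approver"]},
    {"system": "legacy-A", "app": "ERP", "account": "cdube", "employee_id": "E1003",
     "entitlements": ["erp.reader"]},
]

# Constructed export from legacy IGA system B, which keys accounts by e-mail (mixed case).
LEGACY_B_ACCOUNTS = [
    {"system": "legacy-B", "app": "CRM", "account": "Ana.Lopez@Example.com",
     "email": "Ana.Lopez@Example.com", "entitlements": ["crm.admin"]},
    {"system": "legacy-B", "app": "CRM", "account": "svc_backup",
     "email": "", "entitlements": ["crm.export"]},
    {"system": "legacy-B", "app": "CRM", "account": "bo.chen@example.com",
     "email": "BO.CHEN@example.com", "entitlements": ["crm.reader"]},
]


def build_identity_index(identities):
    """Map every correlation key (employee id, normalised e-mail) to its HR identity."""
    index = {}
    for ident in identities:
        index[("employee_id", ident["employee_id"])] = ident
        index[("email", ident["email"].strip().lower())] = ident
    return index


def correlate(accounts, index):
    """Attach each account to an HR identity or mark it as an orphan.

    Each legacy system keys accounts differently, so every key the account
    record carries is tried in turn. Returns (matched, orphans), where
    matched maps employee_id -> list of account records.
    """
    matched = defaultdict(list)
    orphans = []
    for acct in accounts:
        ident = None
        if acct.get("employee_id"):
            ident = index.get(("employee_id", acct["employee_id"]))
        if ident is None and acct.get("email"):
            ident = index.get(("email", acct["email"].strip().lower()))
        if ident is None:
            orphans.append(acct)          # no HR identity: a reviewer must decide who owns it
        else:
            matched[ident["employee_id"]].append(acct)
    return matched, orphans


def build_uar_view(identities, *exports):
    """Produce one review item per identity spanning all IGA exports.

    Items for identities that are no longer active are flagged, since those
    are the accounts a reviewer is most likely to revoke.
    """
    index = build_identity_index(identities)
    by_id = {i["employee_id"]: i for i in identities}
    all_matched = defaultdict(list)
    all_orphans = []
    for export in exports:
        matched, orphans = correlate(export, index)
        for emp, accts in matched.items():
            all_matched[emp].extend(accts)
        all_orphans.extend(orphans)

    review = {}
    for emp, accts in all_matched.items():
        ident = by_id[emp]
        review[emp] = {
            "email": ident["email"],
            "manager": ident["manager"],
            "status": ident["status"],
            "access": [{"system": a["system"], "app": a["app"], "account": a["account"],
                        "entitlements": a["entitlements"]} for a in accts],
            "flag_revoke": ident["status"] != "active",
        }
    return review, all_orphans


if __name__ == "__main__":
    view, orphans = build_uar_view(HR_IDENTITIES, LEGACY_A_ACCOUNTS, LEGACY_B_ACCOUNTS)
    for emp, item in sorted(view.items()):
        marker = " [REVOKE?]" if item["flag_revoke"] else ""
        print(f"{emp} {item['email']} (manager {item['manager']}){marker}")
        for a in item["access"]:
            print(f"    {a['system']}/{a['app']} {a['account']}: {', '.join(a['entitlements'])}")
    print("Orphaned accounts (no HR identity):", [o["account"] for o in orphans])
```

The point the example makes is that the hard part of a consolidated UAR is not the portal but the correlation: each legacy system identifies people differently, so the consolidating layer needs a normalised key per identity (here employee id first, then lower-cased e-mail) and an explicit bucket for accounts that match nothing, because those orphans are exactly the access a siloed review never sees.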

This is the promise of Clear Skye IGA. For the first time in many years, Identity leaders are being given an option that truly promises to refresh their IGA programs at a much lower risk and cost than previously available. The opportunity is to refresh by using what you have already paid for and what you are already deriving value from. The vision is digital identity at the center of your business. This is why Clear Skye for the large, complex enterprise is “A Better Way to IGA™.”
