Making Sense of IGA and IAM

For the past two decades, I’ve been hiding something from all of you. Perhaps it’s a bit inconsequential, but let me share the secret: Because I have a background running large identity and access management (IAM) infrastructure, I am often introduced to audiences (now virtual) as an expert in this area. When I hear this, I feel a tiny stab in my side, because the truth is that IAM continues to mercilessly confuse me.

The large analysts haven’t helped matters, by the way. Gartner and Forrester, for example, looked at the governance aspect of IAM and decided to call it two different things (more on this below). So, when vendors try to explain their IAM package, they are forced to introduce an alphabet soup of acronyms, thus adding clutter. Enterprise users, including me (and you) are thus justified to feel somewhat confused with this area of cyber security.

The TAG Cyber analyst team spent time recently with a real expert in this field, Ravi Erukulla, from California-based Saviynt. With a truly meaningful background in this area, including time spent at Oracle and SAP, Erukulla was the perfect tour guide to assist in our understanding. He helped us through one concept after another, and showed how the Saviynt solution fits into the picture. Here’s what we learned during the discussion:

“The familiar concept of identity and access management (IAM) might be best viewed today as being an important part of a new security discipline known as identity governance and administration (IGA),” explained Erukulla. “This new IGA function was named by the industry analysts at Gartner, but is also referred to as Identity Management and Governance (IMG) by the analysts at Forrester.”

Understanding IGA (or IMG) requires first learning the concepts of governance and administration. When you join a board, for example, you are treated to an intense course on how governance is different than both management and administration. Governance is about high-level orchestration, oversight, and judgment – with an emphasis on compliance and regulatory control. Administration involves more hands-on activity.

IGA is generally defined to encompass and include the administration and management functions, and the Saviynt platform offers a useful glimpse into the types of support capabilities one should expect from a modern commercial IGA platform. One important goal, for example, is to complement the directory services and access management capabilities that are deployed and operational.

Saviynt’s platform includes its flagship identity governance and administration function. It is designed to aggregate and combine the many silo-based IAM capabilities found in most enterprise environments into a common platform. “An important aspect of our platform is that it addresses the many moving pieces we see in a typical enterprise deployment,” explained Erukulla.

The platform includes an application risk and governance solution, which recognizes the importance of apps in every business. Intense design focus was directed toward cloud-based security and cloud-based privileged access management (PAM). Saviynt targets customers who are cloud-first and gives these companies the opportunity to benefit from IGA, which had previously only been adopted by larger companies.

“It is also worth noting that we have also added data access governance and identity risk exchange to our IGA platform,” explained Erukulla. “All of these complementary capabilities fall under a common vision that we’ve created, and that we communicate to our customers. We call this vision Identity 3.0.” Readers can learn more about this Saviynt vision here.

If you’ve read this far in the article, then I presume you have interest in this area – and I also presume that you understand the complexities. As I stated up front, this is an enormously complicated aspect of modern IT security, and it is not unusual for experts to struggle. I certainly have. So, hopefully this summary will help you parse shorthand logical statements like this: IAM is included in IGA which is the same as IGM.

Please give Ravi Erukulla a call and ask to hear the Saviynt story. For companies who take transition to cloud seriously, the Saviynt platform is a particularly welcome fit for reducing the complexities associated with governance, management, and administration of identities, as well as privileges, access policies, and many other aspects of the ecosystem. I look forward to hearing what you learn after your discussion.

Stay safe and healthy.