Back in the early days of identity management, it was all about automation. Success was measured by how many identity systems you could manage, how quickly you could make changes, and how much of your identity lifecycle you could automate. Battles raged between vendors, some started by me, based on the ease of automation, the scalability between platforms, and overall efficiency gains. Then came a great disturbance in the force, Enron, and the resulting slew of regulations such Sarbanes-Oxley Act (SOX) and its cousins around the world. Organizations, and regulators alike, saw that identity governance was critical to avoid scandals like Enron from being repeated.
At first there was a balance between the automation and governance side. Existing leaders who specialized in the automation space (provisioning as it was called) began adding more advanced governance features such as roles, separation-of-duties, compliance packs, risk assessment, along with many others. New governance focused companies popped up as well, less about automation, and more about insight, access certification, and providing the business with information in flashy new dashboards. The new governance first vendors offered only token levels of automation preferring to rely more on ticketing and integration with organizations ITSM's. Enter the age of "pass-the-buck automation". (I'll write more about this not-so-wonderful thing in a later blog)
With this said, let me clear something up, I do believe that governance is vital. There is nothing wrong with a governance first approach if the work gets done quickly and correctly. Sadly, that is not the results that identity leaders see. In my career in the identity space as a vendor, consultant, and analyst, I find time-and-time again that as more identity lifecycle tasks get passed to the ITSM to fulfill, the time to completion increases. From a business perspective, this is a productivity issue as people wait, and wait, and wait for things to get done. From an IT perspective this is an efficiency issue as valuable staff are focused on doing the mundane instead of focused on driving value through transformation. Lastly, from a security perspective, it’s a risk as threat windows are left open for longer than necessary due to the lack of rapid and repeatable automation. Without automation, governance is just expensive reporting that requires the execution of a huge number of manual tasks, without consistency and accuracy. To sum it up, governance without automation is a bad idea.
At the end of the day identity automation is just as important as identity governance. Automation ensures that the investment someone makes in governance is made real without delay, without error, but without governance there would be nothing to base automation on. Unfortunately, organizations today must choose between automation and governance when selecting an IGA. Don't believe me, take a look at Gartner's research on the Critical Capabilities for Identity Governance and Administration. As you peruse the document you get the "Use Cases" section and what do you find? A choice between governance and automation. Why? Because most IGA's have convinced the world that pass-the-buck automation is equivalent to REAL identity automation. That you can't have one without the other.
So, what is an organization supposed to do? Perhaps your organization has invested a great amount of time and money into your IGA, or have complex processes built on an ITSM for governing identities and have been told that your IGA is dead, and you need to move to a new IGA or some new identity platform. (Incidentally, these identity platforms probably have even less automation capability than IGAs) Do you need to change your technology and processes? Fortunately, no you don't. The secret is to extend the identity automation capabilities of your IGA and ITSM not replace them with something new.
Don't believe the hype from IGA and ITSM vendors, you shouldn't have to choose between identity automation or governance. The READI platform has proven that its possible to get the automation you need without ripping-and-replacing technology or changing your processes. You learn more on the Readibots website, or download the READI Platform datasheet.