Almost every organization uses many applications that cannot be directly connected to the Identity Governance and Administration (IGA) platform. This can happen for several reasons, such as:
- The applications are old (legacy) and don’t support APIs needed for integration.
- Building APIs for them isn’t cost-effective.
- Application owners don’t want to give control to the IGA platform because the data is sensitive.
- There’s no direct connection between the IGA platform and these applications.
- No ready-made (out-of-the-box) integrations exist, and building custom ones takes too much time and effort.
Even with these challenges, organizations still need to govern these applications to meet regulatory and compliance requirements and to reduce security risk. So, although it is not the preferred option, these applications are onboarded into the IGA platform as disconnected applications.
In this setup, the IGA platform does not provision anything itself. Instead, it creates manual tasks for the application teams, such as granting or removing access for a user. Members of the application team who hold admin rights in the application pick up these tasks, make the change by hand, and then close the task so that the platform has an audit record of what was done and when.
This method helps to meet compliance needs but brings a lot of manual work for both the applications and IAM teams, especially during access review campaigns. Manual steps are more likely to have errors, which adds to the risk.
Because several members on the application team need admin rights to do these manual tasks, it increases the number of privileged users in the application. This expands the risk of insider threats and increases the attack surface area.
There is also an impact on cost and productivity. Manual processes cause delays in giving access, and application teams may need to be available 24/7 to support users across different time zones. During offboarding, access removal can be delayed due to workload, which creates security risks.
Because of the manual nature of these setups, it is hard to raise the security bar. Key controls like Just-In-Time or time-bound access cannot be deployed for such applications, because they depend on automated provisioning and deprovisioning. For example, if a user needs access for just eight hours but the manual task takes two days to complete, the delay defeats the purpose: the access is granted long after it was needed, and it is removed long after it should have expired.
So, what can be done?
Ideally, these applications should be directly integrated with the IGA platform in an automated way. But as we explored, that’s not always possible.
Some tools in the market help automate tasks for disconnected applications using RPA (Robotic Process Automation) or AI. Each tool has its benefits and drawbacks, and also comes with a cost. So, it’s important to check the return on investment (ROI) on these tools. In security projects, calculating ROI is tricky because security is often seen as a cost, not a benefit.
It’s also important to work closely with application owners. Help them understand the risks and make sure they take responsibility for timely actions.
Finally, organizations should work with IT leadership to plan the modernization of these applications, given the risks they bring. All new applications should follow IAM best practices, in particular exposing a standard provisioning interface such as SCIM (or at least a documented REST API for user lifecycle operations), so that they can be connected to the IGA platform without custom development.
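To make the recommendation above concrete, here is an added example (not code from the original post or from any product it mentions) of the small SCIM 2.0 surface an application has to expose so that an IGA platform can provision and deprovision it automatically instead of through manual tasks. The `ScimUserStore` class, its method names and the sample payloads are constructed for illustration; the schema URNs, payload shapes and status codes follow RFC 7643/7644. HTTP transport is left out so the logic runs stand-alone.

```python
"""Minimal in-memory SCIM 2.0 /Users handler (illustrative, hypothetical class).

Maps the three operations an IGA connector needs onto an application:
  POST   /Users        -> create_user()   (provision)
  PATCH  /Users/{id}   -> patch_user()    (e.g. set active=false to disable)
  DELETE /Users/{id}   -> delete_user()   (hard removal)
"""
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def _as_bool(value):
    """SCIM clients sometimes send booleans as strings; normalise them."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


class ScimUserStore:
    """Application-side user store; the IGA connector is the only writer."""

    def __init__(self):
        self._users = {}  # id -> SCIM user resource

    @staticmethod
    def _error(status, detail, scim_type=None):
        body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
        if scim_type:
            body["scimType"] = scim_type
        return status, body

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).replace(microsecond=0).isoformat().replace("+00:00", "Z")

    def create_user(self, payload):
        """POST /Users: userName is required and must be unique (case-insensitive)."""
        if USER_SCHEMA not in payload.get("schemas", []):
            return self._error(400, "missing core User schema", "invalidValue")
        username = payload.get("userName")
        if not username:
            return self._error(400, "userName is required", "invalidValue")
        if any(u["userName"].lower() == username.lower() for u in self._users.values()):
            return self._error(409, "userName already exists", "uniqueness")
        uid = str(uuid.uuid4())
        user = {
            "schemas": [USER_SCHEMA],
            "id": uid,
            "userName": username,
            "active": _as_bool(payload.get("active", True)),
            "emails": payload.get("emails", []),
            "meta": {"resourceType": "User", "created": self._now(), "lastModified": self._now()},
        }
        self._users[uid] = user
        return 201, user

    def patch_user(self, uid, payload):
        """PATCH /Users/{id}: apply replace/add/remove operations (top-level attribute paths only)."""
        if uid not in self._users:
            return self._error(404, f"User {uid} not found")
        if PATCH_SCHEMA not in payload.get("schemas", []):
            return self._error(400, "missing PatchOp schema", "invalidSyntax")
        user = self._users[uid]
        for op in payload.get("Operations", []):
            kind, path = op.get("op", "").lower(), op.get("path")
            if kind in ("replace", "add"):
                if path:
                    user[path] = op.get("value")
                elif isinstance(op.get("value"), dict):  # no path: value is a partial resource
                    user.update(op["value"])
                else:
                    return self._error(400, "replace/add without path needs an object value", "invalidValue")
            elif kind == "remove":
                if not path:
                    return self._error(400, "remove requires a path", "noTarget")
                user.pop(path, None)
            else:
                return self._error(400, f"unsupported op {kind!r}", "invalidValue")
        user["active"] = _as_bool(user.get("active", True))  # never leave active undefined
        user["meta"]["lastModified"] = self._now()
        return 200, user

    def delete_user(self, uid):
        """DELETE /Users/{id}: 204 with no body on success, 404 if already gone."""
        if uid not in self._users:
            return self._error(404, f"User {uid} not found")
        del self._users[uid]
        return 204, None

    def is_active(self, username):
        """What the application checks at login: unknown or disabled users are denied."""
        return any(u["userName"] == username and u["active"] for u in self._users.values())
```

With this in place, an access-review decision or an eight-hour time-bound grant becomes a single PATCH that flips `active`, and the revocation takes effect the moment the connector runs, which is exactly what the manual-task model cannot offer.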
Disconnected applications may be a challenge, but with the right approach and mindset, they can be managed securely and effectively.
About the author: Rajiv Dewan
Accomplished Identity and Access Management (IAM) leader, recognized top contributor to IAM technical communities and IAM blogger, with a proven track record of delivering scalable, innovative IAM solutions for some of the world's largest and most prestigious organizations. He has extensive experience in designing and implementing advanced IAM frameworks across diverse industries, specializing in Single Sign-On (SSO), Multi-Factor Authentication (MFA), Privileged Access Management (PAM), Identity Governance and Administration (IGA), Directory Services, and Password Vaulting. He is known for aligning IAM solutions with business goals to ensure robust, scalable, and secure digital infrastructures.