The Identity Governance and Administration (IGA) market is undergoing an evolutionary shift. Long considered a mature space served by established vendors like SailPoint and Saviynt, the market is getting a needed shakeup in response to changing business models and novel identity security risks. The move to cloud computing over the past decade and the more recent hyper-rapid adoption of remote work have created space for new tools better suited to solving modern identity governance challenges.
The good news is that this equals more choice in how we IGA—especially for fast-moving mid-market companies and enterprises underserved by the limited range of legacy offerings. The bad news is that a market crowded with new options can create confusion for buyers.
Gartner has started using the term “light IGA” to loosely categorize a crop of new solutions that don’t line up neatly with the traditional definition of full-blown IGA. The term captures a core benefit all the solutions at least claim to offer: they’re faster to deploy and easier to use than “heavy” legacy tools.
But the nascent category is very much in flux and “light IGA” can refer to tools ranging anywhere from minimally featured “IGA-ish” point solutions to complete platforms offering a more nimble, modern alternative to traditional IGA suites. In some cases the term is used to disparage tools as inadequate, while in others it’s meant to praise their time to value and usability.
Let’s look at where light IGA came from and clarify the two sides of the light IGA spectrum—what’s out there and which solutions may or may not fit specific buyer needs.
Why IGA needed to lighten up
Before any so-called light IGA tools hit the market, companies had to choose between two extremes for IGA: get by with manual processes (and maybe build an internal tool or two) or invest in a heavily featured platform like SailPoint, originally built for big pre-cloud-era enterprises. There was no middle path for smaller companies and forward-thinking enterprises that needed help securing identity but didn’t want an overly complex solution.
This is where ConductorOne and a similar cohort of vendors entered the market. They recognized that permissions were exploding as companies brought on more SaaS and IaaS solutions—IT and security teams were having a hard time keeping up. And with authentication methods like single sign-on (SSO) and multi-factor authentication (MFA) doing a decent job of protecting entry to company systems, identity was becoming more vulnerable—attackers were finding ways to steal credentials to get inside and exploit employee access.
To help companies better secure identity in this new landscape, ConductorOne and others offered the orchestration and automation needed to get a centralized view of access and streamline processes like user access reviews, provisioning and deprovisioning workflows, and entitlement management—without the need to bring on a complicated, expensive legacy platform.
These new vendors didn’t yet offer a complete IGA feature set, but they filled a gap in the IGA market with innovative solutions for the pressing identity challenges legacy vendors weren’t addressing well.
Modern IGA
A small number of new vendors like ConductorOne have continued adding capabilities at a swift pace and are now competing toe to toe with legacy IGA. Often called modern or next-gen IGA, these platforms are light in the sense that they’re designed to be much faster to deploy, more nimble, and more user friendly than legacy systems. They have out-of-the-box connectors, intuitive user interfaces, and support for developer tools that make them fully extensible, and they make smart use of modern tech like machine learning and gen AI to simplify IGA tasks.
Modern IGA solutions are also lighter on budgets. Because they’re quick to implement and easy to customize, and because companies can start with one or two use cases and expand as needed, these solutions erase the heavy implementation costs associated with legacy IGA.
At a minimum, to be a viable alternative to legacy IGA, modern IGA solutions should be able to integrate across cloud and on-premises environments and offer a foundational set of IGA capabilities including identity lifecycle management, self-service access requests, automated user access reviews, auditing and reporting capabilities, and policy-driven access controls that support a least privilege approach to access rights. Some offer more—ConductorOne, for example, also enables just-in-time access for privileged access management (PAM), separation of duties (SoD) conflict detection, and powerful risk insights and analysis.
With the exception of a small number of mega enterprises that may require totally custom IGA solutions, the majority of companies will see better security outcomes and faster ROI from these modern IGA tools—which are driving the current shift in the IGA market.
Not-quite IGA
On the other side of the light IGA spectrum are tools that help companies check some IGA boxes but can’t be used as standalone IGA solutions. These are often sold by established vendors capitalizing on the aforementioned gaps in the IGA market by adding some lightweight governance functionality atop their existing access controls.
In particular, identity providers (IdPs) like Okta and cloud computing platforms like Microsoft Azure have introduced light IGA products to their lineup in the last few years. While these tools have some utility, especially for existing customers with acute needs, they also have limitations that distinguish them from modern IGA platforms offering a more complete IGA suite.
IdPs, for example, operate on a group-based permissions model that, while expedient for the directory and authentication roles IdPs play in identity and access management (IAM), isn’t granular enough for a full identity governance solution—group membership only covers about 20% of entitlements. To really secure identity and meet regulatory compliance requirements, companies need more fine-grained visibility and control of access than IdPs can provide. Further, any apps and infrastructure in a company’s environment that aren’t connected through the IdP can’t be managed using the IdP’s IGA product.
IGA tools offered by cloud providers are similarly limited. They can be handy for governing identity and access for a single cloud platform and some SaaS apps, but they aren’t designed for multi-cloud or hybrid environments. Cloud-only companies using just one cloud provider may find that the provider’s IGA features suit their needs just fine. But growing companies and those with a more complex mix of cloud and on-prem apps and infrastructure are better off going with a modern IGA platform that will be able to connect all their systems.
The tools on this side of the light IGA spectrum are helpful for specific use cases, and the fact that they’re often easy to tack onto contracts with existing vendors can make them appealing. But mid-market and larger companies (and startups planning to grow) will find them too restrictive to be useful in the long term. For these companies, it makes more sense to adopt a modern IGA platform that can expand to cover broader IGA use cases as needed.
Which light IGA is the right IGA for you?
For startups and small businesses that want to streamline manual processes but don’t need a full IGA solution (yet), both modern IGA platforms and “not-quite” IGA tools provide much more lightweight options than legacy IGA. Determining which type of light IGA works best for your company is a matter of assessing your access environment and governance goals.
Small single-cloud companies with few user accounts and permissions to manage may just opt to take advantage of their cloud provider’s governance options, for example. However, if these companies anticipate bringing on other cloud providers and/or pursuing compliance certifications like SOC 2 or SOX, a modern IGA platform—which can be used for just one or two use cases to start and easily expanded—is a better choice.
For mid-market and large companies, modern IGA is the way to go. Platforms like ConductorOne are designed to provide quick time to value and a full suite of tools for securing identity and meeting compliance regulations in today’s cybersecurity and business environments. They’re a much lighter lift to buy, deploy, and use than legacy alternatives, but they can handle the full weight of companies’ IGA requirements.
To learn more about the differences between legacy and modern IGA, check out our Guide to Modern IGA. To find out how ConductorOne can solve your company’s specific IGA challenges, talk to our team!