Our Vision for a Modern Identity Governance
What is Modern Identity Governance?
At Zygon, our mission is to equip Security and IT teams with the tools they need to secure identity sprawl. At its core, our platform is designed for Access Management and Governance because we believe this is where the balance between ease of access to modern tools and robust security has been lost.
It’s time to offer a solution that truly aligns access and security.
Modern Identity Governance is about giving IT and Security the tools to secure app access at the scale and speed of the cloud
We’re in a SaaS world, we don’t have to be in Identity Sprawl Hell
In today’s landscape, SaaS has won the modern enterprise.
By the end of 2023, 99% of companies are expected to be using at least one SaaS solution, and 38% will operate almost entirely on SaaS platforms (Zippia).
Rather than viewing this as a challenge, we see it as a win for enterprise productivity and innovation.
Teams are empowered to work with the tools they prefer, selecting features that best meet their needs to increase productivity. As a result, development roadmaps are faster, company margins improve, and market capture accelerates.
However, identity sprawl is an undeniable consequence of SaaS sprawl.
As organizations adopt SaaS at scale, the number of applications they manage multiplies quickly, often exponentially.
In fact, the average modern enterprise uses over 1,000 SaaS applications (CDP Institute), and each employee may have more than 35 identities across these platforms.
This growing complexity in identity management creates new challenges, making security and access control increasingly difficult to manage.
Currently, the solution to identity sprawl is placing unsustainable strain on already stretched IT and Security teams.
In the tech industry, it’s widely accepted that IT and Security teams are constantly racing to keep up with organizational needs. From their first day on the job, IT hires must audit and clean up existing practices while tackling ongoing challenges.
Identity sprawl only exacerbates this situation because the number of applications in use keeps rising—the number of apps on the market has grown fivefold over the past three years (G2).
As a result, IT and Security teams are under pressure to secure an environment where more than 40% of attacks now target the SaaS stack (Thales).
What strategies can be used to enhance overall enterprise security in this context?
We believe in a modern vision of identity governance that limits redundant tasks and empowers end-users.
Why Cloud IAM Fails to Secure the Identity Sprawl
The reality is that Cloud IAM is IAM in the cloud, not truly IAM for the cloud.
Historically, Cloud IAM solutions were developed to replace on-premise IAM systems, alleviating the need to host identity and access management infrastructure locally.
These systems were revolutionary in their time, integrating with popular cloud-based applications like Salesforce, Microsoft 365, and Workday.
However, they were not designed to accommodate the massive expansion of SaaS applications that we see today. Most Cloud IAM solutions have an integration catalog that includes only a few hundred applications, while the real landscape of SaaS encompasses a catalog of over 100,000 applications.
This discrepancy highlights a critical gap in modern Cloud IAM solutions, which are not fully equipped to address the scale of today’s SaaS sprawl.
The Product-Led Growth (PLG) model of SaaS applications is incompatible with traditional Enterprise IAM.
Although enterprise software constitutes approximately 70% of SaaS market revenue, most SaaS applications lack the level of security and user management required by large organizations from day one.
The industry’s so-called “SSO Tax” exemplifies this gap, where customers must upgrade to premium “Enterprise” pricing tiers to access essential security features like SAML SSO.
Yet, even with such upgrades, many applications do not fully support user management standards such as SCIM, limiting their ability to integrate smoothly with enterprise IAM systems.
Currently, while around 70% of key applications used by organizations are covered via SSO (primarily SAML-based), only about 10% are supported by SCIM or similar provisioning standards.
This leaves a significant portion of the tech stack to be managed manually - or not at all - creating security blind spots within the organization.
The top-down approach of IAM configuration fails to reflect the real application usage within organizations.
Many companies implement SaaS approval processes that are integrated with financial workflows and vendor review systems.
However, these processes frequently overlook certain cases, particularly when applications are on free tiers (often the least secure), or are categorized as tools rather than formal vendors.
Team preferences and decentralized application use can also slip under the radar. This issue is compounded in larger enterprises, where top-down visibility struggles to capture the real, on-the-ground usage of applications across different locations, subsidiaries, or after mergers and acquisitions.
This approach limits valuable bottom-up insights, which could otherwise inform security policies based on real needs.
Ultimately, the disconnect between employees and security policies can lead to a strained relationship, as modern tool preferences clash with a rigid, outdated IAM model.
Together, these limitations underscore why traditional Cloud IAM solutions struggle to secure the sprawling landscape of SaaS identity management, and why organizations need a more adaptive, inclusive approach that captures both the complexity and reality of modern application usage.
Modern Access Management is about giving IT and Security the tools to secure identities at the scale and speed of the cloud
Bring everything onto a single pane of glass in a few minutes.
Identity sprawl is too fragmented to enable effective action, and consolidating all identities within an organization is essential for a comprehensive access management program.
However, traditional IAM projects and migrations can take months or even years. A truly modern solution must be capable of capturing this fragmented identity landscape quickly, without demanding a lengthy or intensive implementation process.
The necessary tools exist, but they’re too fragmented to be effective on their own. The toolkit required to secure identity sprawl is extensive, yet many solutions only address a small piece of the puzzle.
At Zygon, we bring together critical features from across multiple categories to create a complete solution:
- From IAM platforms, we integrate IGA essentials like asset inventory, ownership information, and vendor details.
- From SSPM, we include security configuration controls, access reviews, and alerting mechanisms.
- SASE features are added for detection and cataloging, providing full visibility over the tech stack.
- We incorporate ITSM’s best practices for collaboration between IT and users, facilitating user requests and delegating actions as needed.
Zygon weaves these elements together within a flexible workflow system to automate and orchestrate actions, supported by an extensible platform that enables precise querying of all identities.
Controlled costs and a transparent pricing model.
Solving the challenges of SaaS sprawl with traditional approaches often forces customers to assemble a patchwork of multiple solutions, each with its own costly license.
Beyond direct costs, this patchwork approach incurs indirect costs, requiring complex scripts, integrations, and often labor-intensive manual operations across different systems.
This is the comprehensive “bill of materials” required to tackle identity sprawl at the appropriate level, and we call it Modern Identity Governance.
Whatever name it takes, the goal should be clear: delivering a solution that aligns access and security effectively, empowering IT and Security teams to manage identity at the speed and scale of the cloud.
FAQ
All the questions you may have
Two-factor authentication (2FA) requires users to prove their identity using two distinct methods before they can gain access to an account or computer system. One common example of this is combining a password with a code that is sent to the user's phone.
Multi-factor authentication (MFA) is a security measure that requires users to provide multiple forms of identification or authentication to access a system, account, or application. MFA enhances security by adding additional layers of verification beyond just a username and password. Typically, these additional factors can include something the user knows (like a password), something the user has (such as a mobile device or smart card), and something the user is (biometric data like fingerprints or facial recognition). By requiring multiple factors, MFA significantly reduces the risk of unauthorized access, making it a crucial component of modern cybersecurity.
A third-party app, often abbreviated as "3rd party app," is a software application that is created and provided by a developer or organization other than the manufacturer of the device or the provider of the platform or operating system. In other words, it's an application that is not developed or directly supported by the company that produces the hardware or software platform on which it runs.
A SaaS-connected app, or Software as a Service-connected app, refers to an application that is designed to integrate with or leverage the capabilities of a Software as a Service (SaaS) platform. SaaS is a cloud computing model where software applications are hosted and provided to users over the internet on a subscription basis. SaaS applications are typically accessed through web browsers and do not require users to install or maintain software locally on their devices.
A SaaS-connected app, in this context, can have several meanings:
- Integration with a SaaS Platform: It could be an application that integrates with a SaaS platform to extend its functionality or provide additional features. For example, a customer relationship management (CRM) SaaS platform might have SaaS-connected apps that add email marketing, analytics, or e-commerce capabilities.
- Complementary Services: It might be a standalone application that offers services that complement a SaaS platform. For instance, a project management SaaS might have a SaaS-connected app for time tracking or expense management.
- Mobile or Desktop Clients: It could also refer to mobile or desktop applications that are designed to work with a specific SaaS service. These apps may provide a more user-friendly or specialized interface for accessing the SaaS platform on different devices.
In any case, SaaS-connected apps are built to work seamlessly with SaaS platforms, allowing users to leverage the benefits of both the SaaS service and the additional functionality provided by the connected app. This integration can streamline workflows, improve productivity, and enhance the overall user experience within the SaaS ecosystem.
SSO is an authentication process that allows a user to access multiple applications or systems with a single set of login credentials (usually a username and password). Instead of requiring users to remember and enter separate usernames and passwords for each application or service they use, SSO enables them to log in once, and then they can access multiple services or resources without the need to repeatedly authenticate themselves.
Here's how SSO typically works:
- The user logs in to an identity provider (IdP) or an SSO system.
- Once authenticated with the IdP, the user is issued a token or session cookie that represents their authenticated state.
- When the user tries to access other applications or services that are integrated with the same SSO system, the token or cookie is used to grant access without requiring the user to log in again.
SSO offers several benefits, including improved user experience, enhanced security (as users can have stronger and more complex passwords since they only need to remember one set), and simplified identity and access management for organizations.
Popular SSO protocols and standards include Security Assertion Markup Language (SAML), OpenID Connect, and OAuth, which facilitate the secure exchange of authentication and authorization information between the identity provider and the service providers.
“Shadow IT” is the set of applications that employees utilize without obtaining IT approval. Given the ever-growing list of apps available, Shadow IT is increasing exponentially. With more businesses moving their data onto Cloud platforms, the biggest risk is posed by connected third-party applications.
SAML stands for "Security Assertion Markup Language." It is an XML-based open standard for exchanging authentication and authorization data between parties, particularly in the context of web-based single sign-on (SSO) and identity federation. SAML enables the secure sharing of user authentication and authorization information between an identity provider (IdP) and one or more service providers (SPs) or applications.
Here's how SAML typically works in a single sign-on scenario:
- User Initiates Login: The user attempts to access a service or application (the service provider) that requires authentication.
- Service Provider Redirects: The service provider redirects the user's browser to the identity provider, where the user is asked to authenticate.
- User Authentication: The user enters their credentials (such as a username and password) on the identity provider's login page.
- SAML Assertion: Once authenticated, the identity provider generates a SAML assertion (an XML document) containing information about the user's identity and permissions. This assertion is digitally signed to ensure its integrity and authenticity.
- Response to Service Provider: The identity provider sends this SAML assertion back to the user's browser, which then forwards it to the service provider.
- Access Granted: The service provider validates the SAML assertion's signature and checks if the user is authorized to access the requested resource. If everything is in order, access is granted without requiring the user to log in again.
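Step 6 above, as an added example that is not Zygon's code: a Go model of the service provider's validation of an assertion, with the identity provider's signing step alongside it so the exchange is complete. It assumes a cut-down Assertion structure and carries the RSA signature beside the serialized XML rather than as an embedded XML-DSig element; the issuer, audience and validity-window checks sit next to the signature check because a valid signature alone does not show that the assertion was meant for this SP or is still current.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"time"
)

// Assertion is a cut-down model of a SAML <Assertion> (issuer, subject,
// validity window, intended audience); an assumption, not the full schema.
type Assertion struct {
	XMLName    xml.Name `xml:"Assertion"`
	Issuer     string   `xml:"Issuer"`
	Subject    string   `xml:"Subject>NameID"`
	Conditions struct {
		NotBefore    time.Time `xml:"NotBefore,attr"`
		NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
		Audience     string    `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
}

// SignAssertion is the IdP side of step 4: serialize the assertion and sign
// its SHA-256 digest. The signature is returned beside the XML instead of
// embedded as an XML-DSig <Signature> element (a simplification).
func SignAssertion(a Assertion, idpKey *rsa.PrivateKey) ([]byte, []byte, error) {
	doc, err := xml.Marshal(a)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
	return doc, sig, err
}

// ValidateAssertion is the SP side of step 6: the signature proves who issued the
// assertion; issuer, audience and time checks prove it is for this SP and still current.
func ValidateAssertion(doc, sig []byte, idpPub *rsa.PublicKey, idpID, spID string, now time.Time) (string, error) {
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPKCS1v15(idpPub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("signature invalid: not from the trusted IdP or tampered")
	}
	var a Assertion
	if err := xml.Unmarshal(doc, &a); err != nil {
		return "", err
	}
	if a.Issuer != idpID {
		return "", errors.New("issuer mismatch")
	}
	if a.Conditions.Audience != spID {
		return "", errors.New("audience mismatch: assertion meant for another SP")
	}
	if now.Before(a.Conditions.NotBefore) || !now.Before(a.Conditions.NotOnOrAfter) {
		return "", errors.New("assertion outside its validity window")
	}
	return a.Subject, nil // the authenticated user the SP may now grant access to
}
```

The IdP's public key, entity ID and the SP's own entity ID are configured out of band when the trust between the two parties is set up; they are never taken from the assertion being checked.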
SAML is commonly used in enterprise environments and web applications where a single sign-on experience is desired, allowing users to access multiple services with a single login. It's also a critical component in identity federation, where multiple organizations trust each other's identity providers to enable access to shared resources.
SaaS Configuration and Posture Management (SCPM) and SaaS Security and Posture Management (SSPM)
SaaS Configuration and Posture Management (SCPM) and SaaS Security and Posture Management (SSPM) refer to a set of security practices, tools, and solutions designed to assess, manage, and improve the security configuration and posture of Software as a Service (SaaS) applications and cloud services. They focus on ensuring that organizations using SaaS applications have a strong security posture and that these applications are configured correctly to mitigate security risks.
Here are key aspects of SCPM and SSPM:
- Security Configuration Assessment: These tools assess the security configuration of SaaS applications and services. They check settings, permissions, access controls, and other configuration parameters to identify vulnerabilities or misconfigurations that could lead to security breaches.
- Policy Enforcement: These solutions enforce security policies and best practices for SaaS applications. This includes ensuring that data is encrypted, access controls are in place, and compliance with industry standards and regulations is maintained.
- Risk Mitigation: SCPM and SSPM help organizations identify and mitigate security risks associated with SaaS usage. This may involve identifying and remediating issues related to data exposure, excessive permissions, or weak authentication mechanisms.
- Continuous Monitoring: SCPM and SSPM tools provide continuous monitoring capabilities to detect any changes or deviations from security policies in real-time. They can alert security teams to potential security incidents or compliance violations.
- Automation: Automation plays a crucial role in SCPM and SSPM by automating security configuration checks, remediation actions, and policy enforcement. This helps organizations streamline security management processes.
- Reporting and Analytics: SCPM and SSPM solutions offer reporting and analytics features that provide insights into the security posture of SaaS applications. This information helps organizations make informed decisions about security improvements.
- Integration: SCPM and SSPM tools often integrate with other security solutions, such as Cloud Access Security Brokers (CASBs) and Identity and Access Management (IAM) systems, to provide a comprehensive approach to cloud security.
Overall, SCPM and SSPM are essential for organizations to maintain a strong security stance as they increasingly rely on cloud-based SaaS applications. They help organizations proactively address security issues, reduce the risk of data breaches, and ensure compliance with security standards and regulations in the cloud environment.
An Identity Provider (IdP) is a trusted entity that manages and authenticates user identities and provides authentication services to other applications, services, or systems. The primary role of an Identity Provider is to verify the identity of users and supply information about them to service providers (SPs) or relying parties, allowing users to access those services without the need to create and manage separate accounts for each service.
Identity and Access Management (IAM) is a framework of policies, technologies, and processes that ensures the appropriate individuals or entities (such as employees, customers, partners, or devices) are granted the right access to the right resources at the right time and for the right reasons within an organization's digital environment. IAM is a critical component of cybersecurity and plays a central role in safeguarding an organization's sensitive data, applications, and systems.
CASB stands for "Cloud Access Security Broker." It is a security solution or service that acts as an intermediary between an organization's on-premises infrastructure and cloud service providers to ensure security, compliance, and data protection when accessing cloud-based applications and services.
CASBs are designed to address the unique security challenges that arise with the adoption of cloud computing. They provide several key functions and capabilities, including:
- Visibility and Monitoring: CASBs offer visibility into an organization's cloud usage, allowing IT teams to see which cloud services and applications employees are using. This visibility helps in assessing the security risk associated with cloud adoption.
- Data Protection: CASBs help protect sensitive data by enforcing policies related to data encryption, access control, and data loss prevention (DLP) in the cloud. They can identify and block attempts to share or store sensitive information in unauthorized ways.
- Access Control: CASBs enforce access controls and authentication mechanisms for cloud services. They ensure that only authorized users and devices can access cloud resources.
- Threat Detection and Prevention: CASBs use threat detection techniques, such as anomaly detection and behavior analytics, to identify and respond to security threats in real-time. They can also block or quarantine malicious activities.
- Compliance and Governance: CASBs assist organizations in meeting regulatory compliance requirements by providing reporting and auditing capabilities for cloud usage. They help ensure that data stored in the cloud complies with industry regulations and internal policies.
- Secure Configuration: CASBs can assess and enforce security configurations for cloud applications to reduce the risk of misconfigurations that could lead to data breaches.
CASBs can be deployed in various ways, including as on-premises appliances, cloud-based services, or hybrid solutions. Their primary goal is to enable organizations to safely adopt and use cloud services while maintaining control and security over their data and operations in the cloud.