In March 2020, the enterprise business landscape was turned upside down almost overnight. Within two weeks, thousands of businesses closed, working remotely became the norm, and malicious actors seized on widespread fear and panic to step up attacks on increasingly vulnerable business systems. Poorly structured or monitored identity and access management is a common toehold for cyberattacks on a good day. When you throw a global crisis like a pandemic into the mix, you might as well just leave the keys in the lock.

Identity governance and administration (IGA) is a critical component in reducing identity-related vulnerabilities and creating policies to manage access compliance, two things we need now more than ever as we navigate the uncertain waters of post-COVID-19 enterprise business security.
What Is Identity Governance and Administration (IGA)?
At its essence, IGA is about increasing security and lowering risk by providing visibility into who has access to what systems, applications, and resources and why. IGA sets the stage for creating and managing the policies, processes, and standards for your company’s identity management functions.
Giving control back to the business takes the onus off of IT to make business decisions while ensuring operational efficiencies and consistent results. IT owns the IGA platform and manages the technology, while business leaders and designated stakeholders own the decisions about who gets access to what. The individuals in charge of making decisions from the business side will vary depending on the organization, though managers or business system owners often fill these roles.
Where IGA Fits Within the Business
IGA gives leadership and the business the ability to meet four main business objectives, including the following:
Provide lower-friction access to authorized business users
User productivity can have a big impact on the company’s bottom line. IGA gives users access to the systems and applications they need to ramp up quickly and stay productive, even when their roles and responsibilities change. IGA also takes pressure off of IT by automating processes such as access requests and fulfillment, while maintaining secure policy enforcement that adheres to compliance requirements.
Wasting precious resource time on redundant administrative tasks is not money well spent. IGA automates many of the operational processes that bog down IT staff—like access certification, access requests, and provisioning—which frees up IT effort for higher-value work and empowers users to take control of their productivity.
Mitigate risk and increase security
Malicious or unauthorized use of credentials is one of the top vulnerabilities companies face. IGA’s centralized visibility features combat the threat of misappropriated access by detecting risky user populations, policy violations, and inappropriate access to entitlements.
Improve compliance and audit performance
IGA automation tools are a game-changer when it comes to compliance and auditing. From ensuring strict adherence to government privacy requirements to streamlining access certifications, IGA makes compliance less of a headache with automated, repeatable processes that are audit-ready all the time.
Identity Governance and Identity Administration: Better Together
Now that we know “why” IGA, let’s look at “how.” Once upon a time, identity governance and identity administration were two discrete categories of identity management. As government regulations expanded and insider theft and cybercrime became more prevalent, enterprises began implementing identity governance initiatives in droves, often in conjunction with provisioning solutions.
This coupling proved to be so popular that in 2013, Gartner merged two of its Magic Quadrants to create one overarching Magic Quadrant: Identity Governance and Administration (IGA). And the rest, as they say, is history.
While IGA now works as a single initiative, when you dig deeper, there remains a very distinct division in terms of which processes and responsibilities fall under governance and which fall under administration.
The role of governance in IGA
- Access review: A manager or application owner typically verifies user access is correct, and revokes access or changes entitlements as needed
- Analytics and reporting: Logs activity and generates reports to satisfy compliance requirements and provide documentation in case of a security event
- Segregation of duties (SoD): If configured to enforce policy, SoD can prevent one person from having access to multiple high-risk systems; otherwise, a notification is triggered when an SoD policy has been violated, prompting an access review. For example, if a person who creates or inputs invoices can also pay the invoices, an SoD violation notification will be sent.
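
The invoice example above, as an added sketch (not from the original article or any IGA product): the same SoD rule is checked in detective mode over existing assignments and in preventive mode on a new access request. The entitlement names, users, and function names are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass

# Constructed sample data: rule, entitlement and user names are hypothetical.
SOD_RULES = [
    # (rule name, set of entitlements one person must not hold together)
    ("invoice-create-vs-pay", frozenset({"ap.invoice.create", "ap.invoice.pay"})),
]
ASSIGNMENTS = {
    "alice": {"ap.invoice.create"},
    "bob": {"ap.invoice.create", "ap.invoice.pay"},
    "carol": {"ap.invoice.pay", "hr.view"},
}

@dataclass(frozen=True)
class Violation:
    user: str
    rule: str
    entitlements: tuple

def find_violations(assignments, rules=SOD_RULES):
    """Detective mode: list users who hold every entitlement in a conflicting set."""
    found = []
    for user in sorted(assignments):
        for name, conflict in rules:
            if conflict <= assignments[user]:
                found.append(Violation(user, name, tuple(sorted(conflict))))
    return found

def request_access(assignments, user, entitlement, rules=SOD_RULES, enforce=True):
    """Evaluate a request against the SoD rules before granting it.

    enforce=True  -> a conflicting request is denied (policy enforced).
    enforce=False -> the grant goes through and the violations are returned,
                     so the caller can notify and open an access review.
    Returns (granted, violations).
    """
    proposed = {**assignments, user: assignments.get(user, set()) | {entitlement}}
    violations = [v for v in find_violations(proposed, rules)
                  if v.user == user and entitlement in v.entitlements]
    if violations and enforce:
        return False, violations
    assignments[user] = proposed[user]
    return True, violations

if __name__ == "__main__":
    for v in find_violations(ASSIGNMENTS):
        print(f"SoD violation: {v.user} breaks {v.rule} via {v.entitlements}")
    state = {u: set(e) for u, e in ASSIGNMENTS.items()}
    print(request_access(state, "alice", "ap.invoice.pay"))
```
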
The role of administration in IGA
- Access request management: Automates workflows for user access requests and approvals
- Entitlement management: Defines what the entitlement is and the workflow or automation that facilitates provisioning/deprovisioning within the business system
- Provisioning: Automates user provisioning and deprovisioning in response to changes in role or status
- Role-based management: Manages access to systems and applications as defined by a user role
The Brave New World of IGA
Data security has always been a top concern for enterprise IT, but in a world rocked by the fallout from a pandemic, the role of IGA in securing business systems has become much more integral. IGA provides essential advantages in this new landscape, including the following:
Centralized visibility—who has access to what and why—lets you react quickly or even automatically to issues such as access creep, policy violations (e.g., segregation of duties), and lifecycle events. This high level of visibility helps you understand why an event or action occurred so you can respond with appropriate workflows or policies. These responses might include initiating access reviews and certifications, updating roles, retiring roles, and even generating compliance documentation.
IGA brings consistency to otherwise complex business processes. Consistency increases security and reduces risk by ensuring the business always knows who has access to what and who is responsible for adding and removing that access. IGA can automate access reviews and certifications, access requests and approval, and password management. This results in processes that are more accurate and efficient, and helps ensure they adhere to cybersecurity strategies, corporate policies, and audit and compliance documentation requirements.
Because ownership of IGA initiatives falls to the business instead of IT, the systems are designed with business users in mind. This means the technology will be more accessible and user-friendly than a tool intended for use by a technical audience. Taking a business user-focused approach increases security and mitigates risk by providing tools that are clear and straightforward with dashboards that make metrics easy to track and analyze, so security vulnerabilities and policy infractions are caught and remediated quickly.
As we continue to work our way through an unfamiliar business future, it’s important to stay aware of increased security threats and reduce risks wherever possible. Implementing IGA as part of your broader security initiatives will provide peace of mind that you know who has access to company resources and that you also know why. This information is crucial for maintaining a secure environment and documenting compliance and audit data that you may need in the unfortunate event that a security breach or incident does occur.