An employee's digital identity changes as they move within the organization. Applying the corresponding access changes to user accounts is laborious and time-intensive, and the effort grows in direct proportion to the organization's headcount. To streamline user identity management, organizations implement identity governance and administration (IGA).
Deployed in the cloud, on-premises, or in hybrid environments, IGA is a digital user management framework that administers and monitors user access across an organizational network. One of the integral functions of Identity and Access Management (IAM), IGA ensures that users promptly receive the necessary permissions to access applications and data contextually on the basis of their roles and responsibilities. According to Gartner, IGA "provides administrative control of digital identities and access rights across multiple systems for multiple user types — members of the workforce, partners and machines."
As the name suggests, IGA is the combined deployment of two functions:
Identity governance is defined as the process of outlining and implementing policies required to manage user permissions within an organization. The core functions adjoining identity governance include:
Organizations can build meaningful countermeasures and preventive controls by gaining contextual knowledge about their IT environments. Analytics and reporting facilitates the flow of this contextual information by recording user activity across an organization's IT environments and presenting it in the form of reports and other analyses. One common way for IGA to perform analytics and reporting is to leverage user and entity behavior analytics (UEBA), a continuous monitoring tool that uses AI and ML algorithms to track, capture, and parse user activity.
How UEBA works: A UEBA solution defines a particular period of time as a baselining or learning period, during which it applies ML capabilities to identify the baseline behavior of users, endpoint devices, servers, and bots. After the learning period, the solution identifies anomalous events that deviate from the user's or machine's baseline behavior and notifies security teams.
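The learning-period-then-scoring loop described above, as an added example (not code from the original article or from any UEBA product): a per-identity baseline of sign-in hours, countries and devices is learned from constructed sample events before a cut-off date, and every later event is scored against it. The identities, timestamps and device names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in events: (timestamp, identity, source country, device).
# Events before LEARNING_END form the learning period; later ones are scored.
EVENTS = [
    ("2024-03-01T09:05:00", "alice", "DE", "laptop-01"),
    ("2024-03-02T08:55:00", "alice", "DE", "laptop-01"),
    ("2024-03-04T17:40:00", "alice", "DE", "laptop-01"),
    ("2024-03-01T22:10:00", "svc-backup", "DE", "srv-07"),
    ("2024-03-02T22:11:00", "svc-backup", "DE", "srv-07"),
    ("2024-03-10T09:02:00", "alice", "DE", "laptop-01"),       # normal
    ("2024-03-10T03:15:00", "alice", "BR", "unknown-99"),      # off-hours, new country, new device
    ("2024-03-11T14:00:00", "svc-backup", "DE", "laptop-01"),  # bot active at daytime on a user laptop
]
LEARNING_END = datetime.fromisoformat("2024-03-08T00:00:00")

def build_baseline(events, learning_end):
    """Learning period: record each identity's usual sign-in hours, countries and devices."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set(), "devices": set()})
    for ts, user, country, device in events:
        t = datetime.fromisoformat(ts)
        if t < learning_end:
            baseline[user]["hours"].add(t.hour)
            baseline[user]["countries"].add(country)
            baseline[user]["devices"].add(device)
    return baseline

def score_event(baseline, ts, user, country, device, hour_tolerance=1):
    """Deviations from the identity's baseline; an empty list means the event looks normal.
    Hour distance wraps around midnight, so 23:00 and 00:00 count as adjacent."""
    if user not in baseline:
        return ["no baseline for identity"]
    b, hour = baseline[user], datetime.fromisoformat(ts).hour
    reasons = []
    if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_tolerance for h in b["hours"]):
        reasons.append(f"unusual hour {hour:02d}")
    if country not in b["countries"]:
        reasons.append(f"new country {country}")
    if device not in b["devices"]:
        reasons.append(f"new device {device}")
    return reasons

def detect_anomalies(events, learning_end):
    """Score every post-learning event; return {(ts, user): reasons} for the anomalous ones."""
    baseline = build_baseline(events, learning_end)
    findings = {}
    for ts, user, country, device in events:
        if datetime.fromisoformat(ts) >= learning_end:
            reasons = score_event(baseline, ts, user, country, device)
            if reasons:
                findings[(ts, user)] = reasons
    return findings
```

A real UEBA engine learns statistical distributions rather than plain sets, but the shape is the same: the baseline is frozen at the end of the learning period and later events are judged only against it.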
According to Gartner, entitlement management is defined as a "technology that grants, resolves, enforces, revokes and administers fine-grained access entitlements (also referred to as 'authorizations,' 'privileges,' 'access rights,' 'permissions' and/or 'rules')." Entitlement management ensures that the major functions constituting an access life cycle, such as the review, delivery, modification, and expiration of access privileges, are automated.
Access management must be implemented in a supervised environment. Access certification ensures that when a user receives access privileges, the handover is authorized by someone above the user on the organizational ladder, such as their manager.
Segregation of duties (SoD) refers to the collection of policies and controls that enable leadership to delegate the tasks that make up a process. For example, the adjoining sub-processes of user provisioning, such as creating the identity profile (which includes setting up usernames, email accounts, and credentials), assigning the user to a group, and delivering birthright access, can be delegated among technicians from different departments. Using SoD, organizations can distribute bulk tasks among multiple employees within the workforce, thereby improving collaboration and reducing human error in the process.
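The two controls above, access certification and SoD, enforced in code as an added example (not from the original article or any IGA product): a request must be certified by the requester's manager before any provisioning step runs, and the three provisioning sub-processes named in the text must each be carried out by a technician from a different department. The reporting lines, technician names and departments are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed org data (hypothetical names): reporting lines and technicians' departments.
MANAGER_OF = {"bob": "alice", "carol": "alice", "alice": "dave"}
DEPARTMENT = {"tech-id": "identity", "tech-grp": "groups", "tech-app": "applications"}
# The provisioning sub-processes named in the text; SoD requires a different department for each.
PROVISIONING_STEPS = ("create_identity_profile", "assign_group", "deliver_birthright_access")

@dataclass
class AccessRequest:
    requester: str
    entitlement: str
    approver: Optional[str] = None
    executed_by: Dict[str, str] = field(default_factory=dict)  # step -> technician

def certify(req: AccessRequest, approver: str) -> AccessRequest:
    """Access certification: only the requester's manager may approve, never the requester."""
    if approver == req.requester:
        raise PermissionError("self-approval is not allowed")
    if MANAGER_OF.get(req.requester) != approver:
        raise PermissionError(f"{approver} is not the manager of {req.requester}")
    req.approver = approver
    return req

def execute_step(req: AccessRequest, step: str, technician: str) -> AccessRequest:
    """Run one provisioning step; refuses uncertified requests and SoD violations."""
    if req.approver is None:
        raise PermissionError("request has not been certified")
    if step not in PROVISIONING_STEPS or step in req.executed_by:
        raise ValueError(f"step {step!r} is unknown or already done")
    dept = DEPARTMENT.get(technician)
    if dept is None:
        raise PermissionError(f"{technician} is not a provisioning technician")
    if dept in {DEPARTMENT[t] for t in req.executed_by.values()}:
        raise PermissionError(f"SoD violation: department {dept!r} already handled a step")
    req.executed_by[step] = technician
    return req

def provisioning_complete(req: AccessRequest) -> bool:
    """True once every step ran, each by a distinct department."""
    depts = {DEPARTMENT[t] for t in req.executed_by.values()}
    return set(req.executed_by) == set(PROVISIONING_STEPS) and len(depts) == len(PROVISIONING_STEPS)
```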
Identity administration pertains to the IGA capabilities that facilitate user management. Some of the features of identity administration include:
Similar to entitlement management, identity life cycle management automates the end-to-end processes that contribute to the life span of a digital identity, such as:
Workflow orchestration complements identity life cycle management, wherein the series of processes belonging to each department of the identity life cycle are automated using predefined workflows. For instance, the automation of user creation constitutes orchestrating a series of steps which include:
With workflow orchestration, organizations can holistically fill the automation gaps within their identity and life cycle management processes.
IGA solutions must ensure that a request-and-approval-based framework is applied for access delivery. They also must ensure that a dashboard is kept in place so that users can also request access for specific applications and resources on an ad-hoc basis. By streamlining access requests, IGA upholds an optimal digital experience for users.
IGA offers out-of-the-box integration with user management platforms such as directories, identity providers, and automation tools like RPA solutions, so that identity data and functions are shared seamlessly across platforms, thereby enabling deeper context for authorization and for federation of user identities.
Because IGA is a cybersecurity discipline, organizations can develop their IGA frameworks by applying a combination of internal policies, processes, and commercial IGA solutions. Some of the recommended steps include:
Policies lay the groundwork for any framework. Organizations must establish fine-grained policies and processes that include access management protocols, stakeholders involved, the scope of the framework, and access request and approval workflows.
Organizations starting on their IGA journey must enforce the principle of least privilege (PoLP), ensuring that users are provisioned with only the functional set of privileges required by their designation. By enforcing the PoLP, IT organizations can standardize the practice of context-based access delivery, which is integral to any IGA strategy.
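An added example (not from the original article) tying this PoLP step to the identity life cycle management and workflow orchestration described earlier: each designation maps to a fixed entitlement baseline, and a joiner, mover or leaver event is turned into an explicit grant/revoke plan against what the account currently holds, so a mover loses the privileges of the old role rather than accumulating them. The role catalogue and entitlement names are constructed for illustration.

```python
from typing import Dict, List, Set

# Constructed role catalogue (hypothetical): the functional entitlement set each designation needs.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "helpdesk": {"ticketing:read", "ticketing:write", "directory:read"},
    "developer": {"git:read", "git:write", "ci:run", "directory:read"},
    "finance": {"erp:read", "erp:report", "directory:read"},
}

def target_entitlements(role: str) -> Set[str]:
    """PoLP: the target set is exactly the role's baseline, never what the account accumulated."""
    if role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role {role!r}")
    return set(ROLE_ENTITLEMENTS[role])

def lifecycle_plan(event: str, current: Set[str], role: str = "") -> Dict[str, object]:
    """Grants and revocations for a joiner, mover or leaver event against the current holdings."""
    if event in ("joiner", "mover"):
        target, enabled = target_entitlements(role), True
    elif event == "leaver":
        target, enabled = set(), False   # leaver: revoke everything and disable the account
    else:
        raise ValueError(f"unknown life cycle event {event!r}")
    return {"grant": sorted(target - current), "revoke": sorted(current - target), "enabled": enabled}

def apply_plan(account: Dict[str, object], plan: Dict[str, object]) -> Dict[str, object]:
    """Apply a plan to an account record (entitlement set plus enabled flag)."""
    current: Set[str] = set(account["entitlements"])
    account["entitlements"] = (current | set(plan["grant"])) - set(plan["revoke"])
    account["enabled"] = plan["enabled"]
    return account

def review_drift(role: str, current: Set[str]) -> List[str]:
    """Certification aid: entitlements an account holds beyond its role baseline."""
    return sorted(current - target_entitlements(role))
```

In a real deployment the plan would be submitted to the approval workflow before being applied, as the framework steps below require.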
With integration forming a critical component of IGA, the enablement of cross-functional working environments and technologies within the IT environment paves the way for seamless collaboration between disparate departments within an organization. For example, to expedite user life cycle management, it is essential to establish a collaborative relationship between the HR teams and IT teams, as the former has contextual information about user attributes, while the latter can implement attribute-based changes within the network.
IGA automates user life cycle management. IT ecosystems must deploy solutions that can orchestrate bulk administrative tasks in a controlled manner, i.e., automation workflows must be approved by a supervising authority before their implementation.
Similar to IGA's cross-functional capabilities, organizations must ensure that their IT and security teams gain end-to-end visibility over user activities spanning diverse environments from a single, unified console.
Employees, stakeholders, and managers must be educated on IGA processes so that the framework becomes embedded in the day-to-day operations and culture of the organization.
Although IGA forms a major part of the IAM strategy and the two terms are often used interchangeably, they differ in scope and function. While IAM is focused on securing the network from identity-based threats by applying authentication, authorization, and continuous monitoring, IGA is leveraged to streamline the logistical areas of identity management by orchestrating user creation, modification, and deletion, and by enhancing the visibility of user activity.
On the surface, IGA may appear to be an operational strategy that only boosts IT workforce productivity and efficiency. But IGA's functionalities can enhance an organization's security posture in a myriad of ways: