Organizations embracing digital transformation are taking a hard look at Identity Governance and Administration (IGA) solutions, which have become critically important to identity and IT security professionals. IGA provides the operational management, integration, security, customization and overall support for an enterprise IAM program. It combines the entitlement discovery, decision-making, and access review and certification of access governance with the identity lifecycle and role management of user provisioning. What enterprises critically need today is a consistent framework for operationally managing and governing a rapidly expanding digital ecosystem. At its core, the goal of IGA is simple: to ensure appropriate access, when and where it is needed.
IGA is much more than a technology. It is an ongoing means of governance: a set of controls, processes, and actions for determining and enforcing appropriate access throughout the organization's environment. It is a continuous cycle of preparation, review, decision making, documentation, and enforcement governing how access privileges are issued.
IGA Main Components
IGA consists of multiple elements, each solving a specific piece of the puzzle and often originating from its own product category. IGA programs can address each element separately, assembling point products from multiple vendors to cover the broader IGA problem, or turn to vendors that have fleshed out their offerings to include all of these elements. The elements can be described as follows:
- Identity Lifecycle Management / User Provisioning – Automation of the identity lifecycle through the creation, updating, and cleanup of user accounts and their corresponding information across multiple target systems.
- Access Governance – Consists of two essential elements. Entitlement Management / Role Management covers the collection and organization of the current entitlement state across multiple target systems. Access Review and Certification covers the presentation of that entitlement state, facilitation of the review process, capture of the access decisions made, and attestation that the resulting access state is appropriate.
Identity Lifecycle Management
Today's organizations are more connected than ever before. As the number of applications, systems, and resources has increased, so has the number of identities and user accounts. Creating, maintaining, and securing identities is a complex and costly effort. The complexity is partly due to the sheer volume of identities, but it is compounded by the dynamic nature of an identity.
As a subject's relationship with the organization changes, the attributes and privileges associated with the identity must be updated. These changes are commonly referred to as the identity lifecycle. All identities go through a similar lifecycle, which can be described in three basic steps: Join, Move, and Leave.
• Join: This phase involves the creation/registration of identities.
• Move: This phase handles the changing of identity attributes and elements that define the relationship such as group memberships, roles, entitlements, and permissions as the identity’s relationship changes over time.
• Leave: This phase involves the termination of the relationship with the identity. It may also involve archiving some information and deleting the rest. Accounts and entitlements left behind at this step are how orphaned access accumulates.
Another point of focus for identity lifecycle management is administrative leverage. Keeping the data consistent across systems is the only way to manage all the connected systems as a common whole rather than as a collection of silos. The data may be represented and persisted differently from system to system, but the job of the provisioning infrastructure is to deal with these differences, transform the data accordingly, and ensure that the relationships between the systems are preserved.
User provisioning technologies help organizations manage and enforce access policies. An access policy binds identities to entitlements: it determines which systems, resources, and information a user can access. Provisioning technologies employ several techniques to assign and enforce access policies:
• Rules – Rule-driven policies determine access rights and entitlements from a given set of attributes on the subject's identity record.
• Roles – Users are assigned to roles based on a given set of attributes on their identity record; each role carries a set of associated permissions and entitlements.
• Workflow – Workflow-driven access policy management is used when no rule or role applies, or when a human needs to make the policy decision.
The last phase of the provisioning process is fulfillment. Once the lifecycle event has been processed and the access policies applied, the provisioning system knows which connected systems to provision the user to, which attributes to synchronize, and which entitlements to assign (and, on a move or leave, which to remove).
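The procedure described above, as an added, runnable illustration (not code from this page or from any IGA product): a small Python lifecycle engine that processes constructed join, move, request/decision (workflow) and leave events, derives the desired entitlements from rule-, role- and workflow-driven policies, and emits a per-system fulfillment plan by diffing desired against current state. The role policies, system names, entitlements and events are assumptions made up for the example.

```python
"""Join/move/leave lifecycle engine with rule-, role- and workflow-driven
access policies and a fulfillment planner that diffs desired against
current entitlements per connected system.
Added illustration; policies, systems and events are constructed."""
import copy

# Role-driven policy: an identity matching the attribute predicate gets
# every (system, entitlement) the role carries.  Constructed sample data.
ROLE_POLICIES = {
    "engineer": {"when": {"department": "engineering"},
                 "grants": {("github", "org-member"), ("vpn", "eng-vpn")}},
    "finance":  {"when": {"department": "finance"},
                 "grants": {("erp", "ap-clerk")}},
    "manager":  {"when": {"is_manager": True},
                 "grants": {("hr", "team-view")}},
}


def rule_policy(identity):
    """Rule-driven grants derived directly from attributes: here a
    birthright mailbox for every active identity."""
    return {("mail", "mailbox")} if identity["status"] == "active" else set()


def role_policy(identity):
    """Role-driven grants: union of grants of every role whose predicate matches."""
    grants = set()
    for policy in ROLE_POLICIES.values():
        if all(identity.get(attr) == value for attr, value in policy["when"].items()):
            grants |= policy["grants"]
    return grants


def desired_entitlements(identity):
    """The access an identity should hold right now.  A terminated identity
    gets nothing, including exceptions approved earlier through workflow."""
    if identity["status"] != "active":
        return set()
    return rule_policy(identity) | role_policy(identity) | identity["exceptions"]


def apply_event(identity, event):
    """Join creates the record; move updates attributes; leave terminates it.
    Request/decision model the workflow path for access no rule or role covers."""
    kind = event["type"]
    if kind == "join":
        return dict(event["attributes"], status="active", pending=[], exceptions=set())
    if identity is None:
        raise ValueError("identity must be created by a join event first")
    new = copy.deepcopy(identity)
    if kind == "move":
        new.update(event["changes"])
    elif kind == "leave":
        new["status"] = "terminated"
    elif kind == "request":                   # queue for a human decision
        new["pending"].append(tuple(event["entitlement"]))
    elif kind == "decision":                  # capture the human decision
        ent = tuple(event["entitlement"])
        new["pending"] = [p for p in new["pending"] if p != ent]
        if event["approved"]:
            new["exceptions"].add(ent)
    else:
        raise ValueError(f"unknown lifecycle event {kind!r}")
    return new


def plan_fulfillment(current, desired):
    """Per-system add/remove lists the connectors must execute."""
    plan = {}
    for system, ent in sorted(desired - current):
        plan.setdefault(system, {"add": [], "remove": []})["add"].append(ent)
    for system, ent in sorted(current - desired):
        plan.setdefault(system, {"add": [], "remove": []})["remove"].append(ent)
    return plan


def run_lifecycle(events):
    """Process events in order; returns the final identity record, the
    entitlement state, and the fulfillment plan produced by each event."""
    identity, current, history = None, set(), []
    for event in events:
        identity = apply_event(identity, event)
        desired = desired_entitlements(identity)
        history.append((event["type"], plan_fulfillment(current, desired)))
        current = desired                     # assume the connectors fulfilled the plan
    return identity, current, history


# Constructed sample lifecycle: hire into engineering, transfer to finance,
# request an entitlement outside any role, promotion, then termination.
EVENTS = [
    {"type": "join", "attributes": {"uid": "alice", "department": "engineering", "is_manager": False}},
    {"type": "move", "changes": {"department": "finance"}},
    {"type": "request", "entitlement": ["erp", "ap-approver"]},
    {"type": "decision", "entitlement": ["erp", "ap-approver"], "approved": True},
    {"type": "move", "changes": {"is_manager": True}},
    {"type": "leave"},
]

if __name__ == "__main__":
    _, state, history = run_lifecycle(EVENTS)
    for kind, plan in history:
        print(kind, plan)
    print("final entitlements:", state)
```

The transfer step is the one worth watching: because desired state is recomputed from scratch on every event, the move to finance removes the engineering grants in the same plan that adds the finance ones, and the leave event strips the workflow-approved exception along with everything else. A provisioning design that only ever adds on move events is the usual source of privilege accumulation.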
Access Governance
Access governance provides the needed link between compliance, the access management policies, and the critical business systems that depend on them. It enables better control and produces intelligence, so that key decision makers understand the state of access and how it is being used and can make better decisions. Access governance also holds end users accountable for the access they use, managers accountable for the access they approve, and administrators accountable for the access they manage.
Access decisions are all about entitlements. Entitlements are the "what" in the question "who has access to what?" They represent capabilities in business systems that in turn help the business achieve its varied missions. To govern entitlements, an enterprise first has to know they exist, in every business system, application, and platform. But awareness alone is not enough.
Access Review and Certification
The access review phase of access governance is usually the most important and the most time- and labor-intensive. Everyone who has access to important systems and resources, such as those holding data with regulatory implications, must be certified at reasonable intervals. This includes employees and non-employees alike, regardless of location and business role.
Identity Governance and Administration is a unique combination of technology and processes with organization-wide impact. It uses components such as Identity Lifecycle Management and Access Governance to support compliance with regulations, internal controls, and audit requirements, and is a powerful means of improving security and reducing enterprise risk.
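As an added illustration of the review and certification cycle (not the page's or any vendor's code): the script below takes a constructed entitlement snapshot collected from target systems, an identity directory and the dates of prior certifications, builds a review campaign whose items are either due for re-certification or should be revoked because no active identity owns them, then captures the reviewers' decisions into an updated certification record and a revocation list for fulfillment. Systems, accounts, dates and the 90-day interval are assumptions.

```python
"""Access review and certification campaign built from entitlement state
collected out of connected systems.  Added illustration; the identities,
snapshot, certification records and interval are constructed."""
from datetime import date

# Identity records from the authoritative source (constructed).
IDENTITIES = {
    "alice": {"status": "active", "manager": "carol"},
    "bob":   {"status": "terminated", "manager": "carol"},
    "carol": {"status": "active", "manager": "dave"},
}

# Current entitlement state as (system, account, entitlement) tuples, as
# collected from each target system (constructed).
SNAPSHOT = [
    ("erp", "alice", "ap-clerk"),
    ("erp", "alice", "ap-approver"),
    ("github", "bob", "org-member"),
    ("vpn", "svc-backup", "eng-vpn"),
    ("hr", "carol", "team-view"),
]

# Date of the last certification decision per entitlement (constructed).
CERTIFIED = {
    ("erp", "alice", "ap-clerk"): date(2024, 1, 10),
    ("hr", "carol", "team-view"): date(2024, 4, 1),
}


def build_campaign(snapshot, identities, certified, today, interval_days=90):
    """Return review items: entitlements that must be certified again because
    they were never certified or the interval has lapsed, plus entitlements
    that should be revoked outright because no active identity owns them."""
    items = []
    for key in snapshot:
        system, account, entitlement = key
        identity = identities.get(account)
        item = {"system": system, "account": account, "entitlement": entitlement}
        if identity is None:                       # account with no identity behind it
            item.update(action="revoke", reason="orphan account: no identity record")
        elif identity["status"] != "active":       # leaver whose access survived
            item.update(action="revoke", reason="identity terminated")
        else:
            last = certified.get(key)
            if last is None:
                item.update(action="review", reviewer=identity["manager"],
                            reason="never certified")
            elif (today - last).days > interval_days:
                item.update(action="review", reviewer=identity["manager"],
                            reason=f"last certified {(today - last).days} days ago")
            else:
                continue                           # still inside the interval
        items.append(item)
    return items


def record_decisions(items, decisions, certified, today):
    """Capture reviewer decisions.  Certified items get today's date; items
    the reviewer revoked, or the campaign flagged for revocation, become a
    fulfillment list for the connectors.  Unanswered review items stay open."""
    certified = dict(certified)
    revocations, open_items = [], []
    for item in items:
        key = (item["system"], item["account"], item["entitlement"])
        decision = "revoke" if item["action"] == "revoke" else decisions.get(key)
        if decision == "certify":
            certified[key] = today
        elif decision == "revoke":
            revocations.append(key)
        else:
            open_items.append(key)
    return certified, revocations, open_items


if __name__ == "__main__":
    today = date(2024, 6, 1)
    campaign = build_campaign(SNAPSHOT, IDENTITIES, CERTIFIED, today)
    for item in campaign:
        print(item)
    # constructed reviewer answers for the items routed to carol
    answers = {("erp", "alice", "ap-clerk"): "certify",
               ("erp", "alice", "ap-approver"): "revoke"}
    print(record_decisions(campaign, answers, CERTIFIED, today))
```

Two design points carry over to real deployments: the orphan and terminated cases are decided by the campaign itself rather than sent to a manager, since nobody can legitimately attest access that has no active owner; and an unanswered review item stays open instead of being treated as certified, so a reviewer who ignores the campaign cannot silently re-approve access.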