Five Key Identity Governance Features That Your Identity and Access Management Solution Does NOT Support
Since the start of the COVID-19 pandemic, identity management has taken center stage as the key enterprise security practice for enabling remote workforces while protecting company data and IT services. Much of the media hype has focused on evolving technologies in enterprise identity and access management (IAM), such as enabling passwordless and multifactor authentication. It is often overlooked that identity governance and administration (IGA) is experiencing its own renaissance, not only due to pandemic-related access requirements, but also in support of recently enacted compliance regulations, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
To be clear, IGA encompasses all the processes for establishing access policies, monitoring their status, and remediating any violations when granting access to business IT resources, whether they are hosted on-premises or in the cloud. This is fundamentally different from IAM practices, which perform the actual authentication and authorization for each individual application, system, or IT service. At the most basic level, it is easiest to think of IGA as centrally defining and orchestrating all the processes performed by one or more IAM solutions. While there is some feature crossover between commercially available IGA and IAM platforms, the two often operate best when integrated, and IAM alone lacks key functionality that is normally only available in an IGA solution. Listed here are five core features, typically exclusive to IGA platforms, that substantially improve access security effectiveness and an organization’s ability to meet regulatory compliance objectives.
- Automated Onboarding – The day-to-day operations required for adding new users to a wide variety of IT services (both on-premises and in the cloud) are often time-consuming, error-prone, and inconsistent when performed by purely manual processes. By leveraging automation, organizations can grant access to predetermined IT resources based on specific user attributes, such as their job function (i.e., role), physical location, or work requirements.
- User Self-Service – Today’s tech-savvy workforces generally prefer to perform access enablement tasks themselves and without having to interact with an IT support help desk. Self-service features included in IGA solutions enable users to initiate access requests, set/reset credentials (i.e., passwords), and perform approval tasks. As an added benefit, self-service capabilities reduce the management efforts of IT administrators, freeing them up to perform more critical tasks.
- Orchestration of Certification Campaigns – Access to business IT services often must be approved by the designated owner of that service. IGA solutions initiate workflows that prompt stakeholders to evaluate access requests and identify issues, such as a segregation of duties violation. Solutions may also provide guidance on recommended actions or the level of risk associated with authorizing access.
- Automated Offboarding – When a user is no longer associated with the business (such as following a termination), it is essential that all of the user’s access accounts are immediately disabled. Unfortunately, most organizations fail to keep track of all granted access across all local, web, SaaS, and business-hosted services, and many departed user accounts are simply forgotten about and left active indefinitely. With automated offboarding, ALL accounts associated with a user are simultaneously deactivated with a single action.
- Continuous Auditing – Critical to meeting regulatory objectives is the ability to provide “proof of compliance.” Typically, this information is collected during periodic audits, which can be costly and time-consuming. Also, during periods between official audits, identity and access controls may drift from established requirements, causing the business to eventually fail a compliance audit and have to initiate reactive remediation. IGA solutions mitigate this problem by continuously monitoring policy enforcement processes across the identity and access ecosystem. Detected issues can then be proactively resolved in near-real time and before the execution of official audits.
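The sketch below shows the kind of reconciliation a continuous audit performs, tying together the offboarding, role-based onboarding, and segregation of duties points above. It is an added example, not code from the article or from any IGA product; every user, role, entitlement, and date in it is constructed sample data, and the `audit` function is a hypothetical name.

```python
from datetime import date

# Constructed sample data (hypothetical names, not from any real product).
HR = {  # authoritative source: user -> (role, termination date or None)
    "alice": ("accountant", None),
    "bob": ("engineer", date(2024, 3, 1)),
    "carol": ("ap_clerk", None),
}
ROLE_ENTITLEMENTS = {  # access granted automatically at onboarding, per role
    "accountant": {"erp:ledger_read", "erp:approve_payment"},
    "engineer": {"git:write", "ci:deploy"},
    "ap_clerk": {"erp:create_vendor"},
}
SOD_CONFLICTS = [{"erp:create_vendor", "erp:approve_payment"}]
ACCOUNTS = [  # (system, user, entitlement, active) collected from each IAM system
    ("erp", "alice", "erp:ledger_read", True),
    ("erp", "alice", "erp:approve_payment", True),
    ("git", "bob", "git:write", True),              # still active after termination
    ("ci", "bob", "ci:deploy", False),              # correctly disabled
    ("erp", "carol", "erp:create_vendor", True),
    ("erp", "carol", "erp:approve_payment", True),  # granted outside her role
    ("crm", "dave", "crm:admin", True),             # no matching HR identity
]

def audit(hr, roles, conflicts, accounts, today):
    """Return (finding_type, user, detail) tuples for every policy violation."""
    findings, held = [], {}
    for _system, user, ent, active in accounts:
        if not active:
            continue
        record = hr.get(user)
        if record is None:                    # account with no owner on record
            findings.append(("ORPHAN", user, ent))
            continue
        role, terminated = record
        if terminated is not None and terminated <= today:
            findings.append(("OFFBOARD", user, ent))   # missed deprovisioning
            continue
        held.setdefault(user, set()).add(ent)
        if ent not in roles.get(role, set()):          # drift from role baseline
            findings.append(("DRIFT", user, ent))
    for user, ents in sorted(held.items()):
        for pair in conflicts:
            if pair <= ents:                  # user holds both conflicting rights
                findings.append(("SOD", user, "+".join(sorted(pair))))
    return findings

if __name__ == "__main__":
    for finding in audit(HR, ROLE_ENTITLEMENTS, SOD_CONFLICTS, ACCOUNTS, date(2024, 6, 1)):
        print(finding)
```

Run on a schedule against live account exports, a check like this surfaces drift between official audits instead of at them.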