A CISO's guide to IGA-II: How does Identity Governance and Administration differ from IAM?

Sameer Sait
BalkanID Intelligent IGA Blog
4 min read, Nov 10, 2022


I. Introduction

The confluence of remote work, device proliferation, and attacker sophistication has put identity security at the forefront of protecting companies and individuals from the everyday threats they face.

The focus on managing access, related identities, and privileged accounts has increased, given the expanded attack surface and the exposure created by compromised accounts. Gartner recently published its top Security and Risk Management Trends for 2022, and identity threat detection and response was one of them. Given this importance, two interrelated areas within the identity space need to be well understood: Identity and Access Management (IAM) and Identity Governance and Administration (IGA). This blog examines the relationship between IAM and IGA and offers practical insights for applying each appropriately in your organization.

II. What is IAM?

Identity and Access Management (IAM) is a set of technologies, processes, and policies that ensure the right users have appropriate access to data and resources in your environment. It is sometimes also called identity management (IDM) and has become an essential concept within the cybersecurity, data management, and privacy domains.

IAM identifies, authenticates, and controls access for people using technology resources. It also ensures secure resource access across an organization and helps meet compliance mandates.

Identity and access management defines and enforces a user's identity, their role in the organization, the groups they belong to, and the fine-grained permissions they have been granted to access corporate resources. IAM also provides mechanisms to protect identities using technologies such as digital certificates, network protocols, and passwords.

a. IAM consists of two main components:

  • Access controls: This involves user authentication and authorization to ensure the right users have access according to their context, i.e., location, device, role, and more.
  • Lifecycle management: This involves correlating a user’s job role, department, device, etc., to their approved privileges based on pre-defined criteria from HR and system owners.

b. IAM's primary functions include the following:

  • Unique identity: A distinctive identity for each user in an organization.
  • User access: A process to authenticate and authorize an individual to access systems and resources.
  • Access Services: A set of services that gives users access to digital assets like servers, content, applications, products, devices, etc.
  • Identity federation: A system that relies on federated identities to authenticate users without requiring them to present a password to each system. Participating systems share user access, and a user who has authenticated against one member of the federation can log in to the others.

c. IAM provides many benefits to organizations, such as:

  • Securing systems, devices, and resources from unauthorized users and attackers.
  • Protecting business and customer data via fine-grained access policies.
  • A unified and cost-effective approach to scaling access policies.
  • Meeting regulatory compliance requirements.

III. What is IGA?

Identity Governance and Administration (IGA) is a vital element of an organization's IAM architecture: it provides the capabilities and frameworks that allow organizations to mitigate identity-related risks. It does this through policy-based, centralized user identity management and access control orchestration, and by working with other IAM processes to automate workflows and meet compliance requirements. This helps companies streamline policy management, user provisioning, access governance, password management, and monitoring of user access. Effective identity governance not only reduces your attack surface but also enables and automates compliance activities. Business drivers for improving IGA capabilities include a competitive advantage in scaling the business, faster integrations with partners and customers, and a reduced total cost of ownership. Effective IGA is key to improving IAM, which in turn enables businesses to deliver better services tailored to customer and partner requirements.

a. IGA consists of two main components:

IGA offers deeper visibility into a company’s identity landscape and security posture to help them take immediate steps toward maintaining security and compliance. It comprises two key components:

  • Lifecycle management: Correlates a user's role, location, department, etc., with their privilege level. This enables better provisioning and deprovisioning of permissions for joiners, movers, and leavers.
  • Identity governance: Lets you monitor access and certify the authenticity and accuracy of a user's access at various levels (role, group, policy, permission, etc.). You can also investigate when, why, and by whom a user was provisioned. With these insights, you can enforce segregation of duties and limit toxic combinations of access.

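As an added illustration of the two components above (example code, not from the post or from BalkanID), here is a small Python governance check over a constructed entitlement inventory: it flags leavers who still hold access and identities holding a toxic combination, and reports who granted each entitlement, when, and why. The HR feed, the segregation-of-duties rules, and the grants are all constructed sample data.

```python
# Added example: lifecycle (leaver) and governance (SoD) checks over a
# constructed entitlement inventory, keeping provisioning provenance so a
# reviewer can see who granted each entitlement, when, and why.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Grant:
    user: str          # identity holding the entitlement
    entitlement: str   # constructed role/permission name
    granted_by: str    # approver recorded at provisioning time
    granted_on: date   # provisioning date
    reason: str        # ticket or justification recorded at provisioning time

# Constructed HR feed: the lifecycle source of truth for employment status.
HR_STATUS = {"alice": "active", "bob": "active", "carol": "terminated"}

# Constructed SoD policy: entitlement pairs one identity must never hold together.
SOD_RULES = [("ap.create_vendor", "ap.approve_payment"),
             ("deploy.prod", "audit.approve_change")]

# Constructed inventory, as an IGA connector would collect it from target systems.
GRANTS = [
    Grant("alice", "ap.create_vendor", "mgr1", date(2022, 1, 5), "TICKET-101"),
    Grant("alice", "ap.approve_payment", "mgr2", date(2022, 6, 2), "TICKET-340"),
    Grant("bob", "deploy.prod", "mgr1", date(2022, 3, 9), "TICKET-210"),
    Grant("carol", "audit.approve_change", "mgr3", date(2021, 11, 1), "TICKET-044"),
]

def leaver_violations(grants, hr_status):
    """Lifecycle check: entitlements still held by identities HR does not list as active."""
    return [g for g in grants if hr_status.get(g.user) != "active"]

def sod_violations(grants, rules):
    """Governance check: identities holding both halves of a toxic combination.
    Each finding carries the two grants so the reviewer sees provenance of each half."""
    held_by = {}
    for g in grants:
        held_by.setdefault(g.user, {})[g.entitlement] = g
    findings = []
    for user, held in held_by.items():
        for a, b in rules:
            if a in held and b in held:
                findings.append((user, (a, b), [held[a], held[b]]))
    return findings

if __name__ == "__main__":
    for g in leaver_violations(GRANTS, HR_STATUS):
        print(f"LEAVER {g.user} still holds {g.entitlement}: {g.granted_by}, {g.granted_on}, {g.reason}")
    for user, (a, b), evidence in sod_violations(GRANTS, SOD_RULES):
        print(f"SOD {user} holds {a} + {b}:", [(e.granted_by, e.granted_on, e.reason) for e in evidence])
```

In a real deployment the HR feed and grants would come from connectors, and each finding would open a certification or revocation workflow rather than just printing.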
b. IGA's primary functions include the following:

  • Perform role mining to implement effective role-based access controls.
  • Enhance operational efficiencies so low-risk administrative tasks are automated while high-risk activities impacting security posture are reviewed and approved promptly.
  • Streamline access certification tasks and help minimize churn in audit-related activities.
  • Ensure regulatory compliance with government and industry standards.

c. IGA benefits include:

  • Secure access for users to applications and systems with lower friction so they can get up and running faster.
  • Automating operational processes to reduce the IT staff cost of access requests, certifications, and provisioning/deprovisioning.
  • Centralized visibility to document, understand, and act on access sprawl risks.
  • Codify and maintain security rules while providing the necessary evidence to prove adherence to compliance regulations.

IV. How do IGA and IAM work together?

IGA is an integral part of the IAM ecosystem. It allows companies both to define IAM policies and to enforce them, and it connects the dots between IAM features and functions so that end-to-end compliance requirements are met. Consider IAM and IGA capabilities together as mechanisms that help you scale while mitigating potential risks and reducing your attack surface.

Co-founder @ BalkanID, Former CISO (Amazon/WholeFoods, Forcepoint, Arrow Electronics)