The Business of IGA and AuthorizationOren Harel January 3, 2018
As the number and value of collaborative business models increase, identity access management (IAM) becomes more difficult for IT security professionals. Adding to the challenge are the complexities of the perimeter-less cloud, the BYOD trend and other new and emerging technologies, not to mention the need to improve the customer experience.
At the same time, organizations are increasingly seeing the business value of, and the need for, successful IAM, particularly in terms of risk management. Not surprisingly, their escalating security and privacy concerns and renewed the focus on corporate oversight, combined with new or changing government-mandated compliance regulations, are making governance, risk management and compliance (GRC) a top priority for IT — and a strategic objective for the organizations. They want to meet their compliance obligations. However, they want to do so without harming their business agility.
For IT professionals, it’s a lot to juggle and without knowing what policies you already have in your organization, proper management and administration of access rights is not possible. As a result, there are too many risks, such as forgetting to revoke outdated access entitlements, or of the inconsistent application of access policies across disparate departments or locations within a company. There is also too much at stake if those access policies fail or change, including high-cost non-compliance penalties.
To effectively meet business objectives, compliance requirements and all the other associated needs, IT must have strong, consistent controls over who has access to critical applications and data — and they must be able to prove them. That’s where identity governance and administration (IGA) comes into play.
What is Identity Governance and Administration?
IGA represents the convergence of identity management and compliance. It oversees the process of assuring the right to authorize user access and ensures proper execution according to established protocols and business standards.
“User provisioning allowed identities to be tied to accounts and coordinated coarse-grained account life cycles with global identity life cycles. Access governance pierced the veil of accounts to reveal the entitlements that represent the privileges that users actually possess.” Brian Iverson, Gartner
IGA tools are used to collect and correlate the various identity and access rights data that exist throughout an organization. The data can then be used to help organizations define, enforce, review, certify, recertify, and audit their IAM policies; map IAM functions to compliance requirements, and audit user access to support compliance reporting. Simply put, IGA adds the “governance” level to the discipline of IAM.
IGA: Where Access Policies Begin, Evolve and Comply
IGA is not just a system of checks and balances for identity access management (IAM) or a tool for automating processes, including authorization. Rather, it is the first stage of policy lifecycle management.
In simple terms, IGA is the source of information about already existing access policies or, more precisely, the information used to create those policies. It addresses, defines and tracks what data needs to be protected, who can access specific data, who approves that access and if the access is appropriate for the restorer’s job function or role. It also defines what the data can be used to do, if there are any time restrictions or other qualifications associated with the access, and if access privileges need to be changed for any reason.
The Business of IGA
IGA defines the “business” for authorization because it brings the required logic that connected identities to what functions and data they should access. Having that logic written in “business” policies makes it more accessible and understandable to the diverse stakeholders involved in IAM projects, from HR to the C-suite. It also enables organizations to enforce policies and map governance functions to compliance requirements, enabling internal auditors to detect issues in real-time. Usage analytics and other features help reduce certification fatigue and the associated “rubber stamping.” That makes it invaluable for verifying access policies for compliance audits and re-certification.
In addition, IGA tools can be used to automate the processes involved in authorization, reducing operational overhead. Automating authorization processes not only speed up authorization decisions. It helps companies be more responsive to changing data access needs as it expedites the identification of new or changing requirements for audit and regulations.
Some IGA tools also enable rapid application on boarding by saving application owners time and resources in managing and governing access. Equipped with the ability to clean up the metadata of role and entitlements, they can improve the data quality and ownership of resources.
In essence, IGA is both a compliance and business enabler. The right stakeholders get the right access to the right data — in accordance with regulatory requirements, so they can do their jobs, the business can run smoothly and compliance obligations are met.
Policy-based IGA takes IGA to the next level by making your policies and the connections between identities and data within your organization visible. Policy-based IGA makes the correlation between identity and access rights clear and apparent, enabling true end-to-end user visibility. Policy-based IGA makes it easier to understand what you have in place in your organization by bringing the logic behind the definitions, authorizations, entitlements and access requirements that you have today to light.