This essay is written by Graph Identity, a startup company with a mission of helping you know who has access to what in your organization. Learn more about our platform at graphidentity.com.
You may have started seeing a new acronym in our industry: Identity Governance and Administration, or IGA. There are enough acronyms already, so many of us have found this new one confusing and in need of further explanation. Rather than assume you already know the industry inside out and magically understand what the term means, we'll start from the basics and explain it in a fair amount of detail, which should clear up some of the confusion and perhaps clarify several of the underlying fundamentals of identity and access management along the way.
Identity Governance and Administration (IGA) went mainstream in 2013, when Gartner first published the Magic Quadrant for Identity Governance and Administration, consolidating two Magic Quadrants that had previously been issued separately for Identity Governance and for Identity Administration. These reports are very popular: most people in the identity management industry read them, and they influence millions of dollars in purchasing every year.
As the identity and access management industry has grown and evolved, the needs of organizations have naturally led Identity Governance and Identity Administration products to merge into more complete solutions, and the combined term Identity Governance and Administration (IGA) came out of that. While one term is simpler than two, it groups together a large number of concepts. These fundamental concepts are important, so we'll introduce them in more detail below.
Identity Administration
The core functionality of most products is identity administration. This is where most of the heavy lifting happens: administration of accounts, passwords, access requests, access provisioning, and entitlements.
Identity Lifecycle Management
The main reason that most products in this category exist is to make it easier for you to manage the lifecycle of an identity. All identities need to be created somehow, maintained over time (for example, job title changes when you get promoted), and retired when people leave your organization.
It seems easy to manage this on a small scale, but it’s very challenging to do on a large scale. Many mid-sized and large organizations have over 10,000 people and hundreds of systems. It’s not feasible for a team of people to manually maintain all of the changes to identities, so identity governance and administration products are implemented to make this easier to do.
Connectors for Data Collection and Fulfillment
In order for an identity governance and administration system to work, it needs a lot of data about your people and their access. Most systems collect data through “connectors”, which are simply integrations with other systems to read and write data from them. In this case, the data needed is very specific: identities, their attributes, and access.
Connectors read data to collect information about who has access to what in your systems. They also write data to manage identity lifecycle events like creating new users and granting them access. Connectors don’t need to read and write data to an entire system; they just need visibility into wherever the system’s users and access data are stored.
Many identity governance and administration products have complex connectors that take significant time to implement. Despite the complexity, it's important to remember that at a basic level connectors are nothing more than reading and writing data. Remember, too, that a write connector holds administrative credentials for the system it manages, so the IGA platform and its connector credentials need the same protection as any other privileged account.
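The two ideas above, lifecycle management and connectors that read and write account data, meet in reconciliation: the IGA system reads the accounts a target holds, compares them with the authoritative identity source, and works out the writes it needs to make. The following is an added example and not code from the original post or from any product; the HR feed, the target-system account list, the correlation by employee ID and the operation names are all constructed for illustration.

```python
"""Joiner/mover/leaver reconciliation between an authoritative identity source
(an HR feed) and the accounts a connector read from a target system.

Added example, not the original post's code. Identities, accounts, and the
operation vocabulary are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    employee_id: str
    email: str
    title: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]  # None when the account carries no correlation key
    title: str
    enabled: bool


# Constructed HR feed: the authoritative source of identities.
HR_FEED = [
    Identity("1001", "ana@example.com", "Analyst", "active"),
    Identity("1002", "ben@example.com", "Senior Analyst", "active"),  # mover (promoted)
    Identity("1003", "cai@example.com", "Engineer", "terminated"),     # leaver
    Identity("1004", "dee@example.com", "Engineer", "active"),         # joiner, no account yet
]

# Constructed result of the connector's read operation against the target system.
TARGET_ACCOUNTS = [
    Account("ana", "1001", "Analyst", True),
    Account("ben", "1002", "Analyst", True),      # title not yet updated after promotion
    Account("cai", "1003", "Engineer", True),     # still enabled after termination
    Account("svc-backup", None, "", True),        # no owner recorded: orphan account
]


def reconcile(identities: List[Identity], accounts: List[Account]) -> Tuple[list, list]:
    """Compare identities with accounts.

    Returns (ops, findings): ops are the write operations the connector would
    perform, findings are conditions that need a human decision."""
    by_emp = {i.employee_id: i for i in identities}
    seen = set()
    ops, findings = [], []
    for acct in accounts:
        ident = by_emp.get(acct.employee_id) if acct.employee_id else None
        if ident is None:
            # Account with no matching identity: never auto-delete, flag for review.
            findings.append(("orphan_account", acct.username))
            continue
        seen.add(ident.employee_id)
        if ident.status == "terminated" and acct.enabled:
            ops.append(("disable", acct.username))  # leaver
        elif ident.status == "active" and acct.title != ident.title:
            ops.append(("update", acct.username, {"title": ident.title}))  # mover
    for ident in identities:
        if ident.status == "active" and ident.employee_id not in seen:
            # Joiner: derive a username from the mailbox (constructed convention).
            ops.append(("create", ident.email.split("@")[0],
                        {"employee_id": ident.employee_id, "title": ident.title}))
    return ops, findings


if __name__ == "__main__":
    for op in reconcile(HR_FEED, TARGET_ACCOUNTS)[0]:
        print("write:", op)
    for finding in reconcile(HR_FEED, TARGET_ACCOUNTS)[1]:
        print("review:", finding)
```

Note that the orphan account is reported rather than deleted: an account with no correlation key is exactly the kind of thing a connector cannot safely decide about, and it is also the case that slips through when reconciliation is skipped.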
Password Management
Nobody wants to remember dozens of different passwords and change all of them every 90 days, so identity governance and administration products help you manage them. Rather than logging into multiple systems to change passwords one at a time, you log into one (the IGA system) and it synchronizes the new password to the other systems. Keep in mind that synchronization also means one credential now opens every connected system, so the IGA system needs to be protected accordingly (strong authentication to it, and no plaintext storage of the passwords it synchronizes).
Access Request Workflows
When someone needs access to something, they need a way to request it. A simple way to make a request is walking over to someone’s desk and asking for access, but that’s a problem because the request isn’t approved or documented anywhere. E-mail requests are a little bit better, but they’re hard to find if an auditor asks to see them.
The best way to manage access requests is within an identity governance and administration system that’s specifically designed with workflows to manage access requests, approvals, and fulfillment of those requests. Access request workflows can get complicated, especially if multiple approvers are involved. An IGA system also helps route requests to the right people and keep them organized if manual action needs to be taken to grant the access once it’s approved.
Most people in your organization will use an identity governance and administration system strictly for requesting access. Many of the other features are for more specialized people like information security analysts and auditors. Because more people use this part of the system, a lot of work is put into building good interfaces and features.
Access Provisioning
Once an access request is approved, the access has to be granted somehow. The simplest way is for a person to look at the request and then grant the access in the requested system. This method is hard to sustain in large organizations, so identity governance and administration systems help to automate the process.
For automated provisioning to occur, a connector (discussed earlier) has to be implemented first. Once this integration is in place, the foundation has been built for automating the process of granting access (provisioning). Most IGA systems are able to automate provisioning across multiple systems once they are integrated.
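The request, approval and fulfillment steps described above fit naturally into a small state machine. The following is an added example, not code from the original post or from any product: the entitlement catalog, the reporting lines, the routing rule (manager always, plus the entitlement owner for high-risk access) and the in-memory connector are all constructed assumptions. It also shows two checks an auditor will ask about, that nobody can approve their own request and that every decision is recorded.

```python
"""Access request workflow: submit -> route to approvers -> decide -> fulfill
through a connector, with an audit trail per request.

Added example, not the original post's code. Catalog, managers, routing rule
and the Connector stand-in are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed entitlement catalog: owner and risk level drive approval routing.
CATALOG = {
    "crm:read": {"owner": "crm-owner", "risk": "low"},
    "erp:pay":  {"owner": "erp-owner", "risk": "high"},
}
MANAGERS = {"ana": "ben", "ben": "cto"}  # constructed reporting lines


class Connector:
    """Stand-in for a real write connector; it records the grants it performed."""
    def __init__(self):
        self.granted: List[Tuple[str, str]] = []

    def grant(self, user: str, entitlement: str) -> None:
        self.granted.append((user, entitlement))


@dataclass
class Request:
    id: int
    requester: str
    entitlement: str
    approvers: List[str]
    decisions: Dict[str, bool] = field(default_factory=dict)
    state: str = "pending"
    audit: List[Tuple[str, str]] = field(default_factory=list)


class Workflow:
    def __init__(self, connector: Connector):
        self.connector = connector
        self.requests: Dict[int, Request] = {}
        self._next = 1

    def submit(self, requester: str, entitlement: str) -> Request:
        meta = CATALOG[entitlement]
        # Routing: the requester's manager always approves; high-risk access
        # also needs the entitlement owner.
        approvers = [MANAGERS[requester]]
        if meta["risk"] == "high":
            approvers.append(meta["owner"])
        req = Request(self._next, requester, entitlement, approvers)
        req.audit.append(("submitted", requester))
        self.requests[req.id] = req
        self._next += 1
        return req

    def decide(self, req_id: int, approver: str, approve: bool) -> str:
        req = self.requests[req_id]
        if req.state != "pending":
            raise ValueError(f"request {req_id} is already {req.state}")
        # Only routed approvers may decide, and never the requester themselves.
        if approver not in req.approvers or approver == req.requester:
            raise PermissionError(f"{approver} may not decide request {req_id}")
        req.decisions[approver] = approve
        req.audit.append(("approved" if approve else "rejected", approver))
        if not approve:
            req.state = "rejected"
        elif all(req.decisions.get(a) for a in req.approvers):
            req.state = "approved"
            # Fulfillment: if the connector fails, the request stays "approved"
            # so the grant can be retried or done by hand.
            self.connector.grant(req.requester, req.entitlement)
            req.state = "fulfilled"
            req.audit.append(("fulfilled", "connector"))
        return req.state


if __name__ == "__main__":
    wf = Workflow(Connector())
    r = wf.submit("ana", "erp:pay")
    wf.decide(r.id, "ben", True)
    print(wf.decide(r.id, "erp-owner", True), r.audit)
```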
Application Entitlement Management
In order for people to make requests for access and have it granted to them, identity governance and administration systems need to know what types of access (or, entitlements) are available for people to request. Application entitlement management is a set of features in the IGA system that allow you to add, edit, and delete entitlements and other information used to describe them (titles, descriptions, owners, risk level, tags, and other helpful data).
Identity Governance
A second set of functionality that is quickly becoming a requirement is identity governance. These features provide most of the intelligence in IGA systems, including segregation of duties, access certification, role engineering, role management, logging, analytics, and reporting.
Policy Enforcement and Segregation of Duties
Segregation of duties is the practice of preventing one person from performing a risky combination of activities, for example initiating and approving a wire transfer of money from your company to their own bank account. Identity governance and administration systems with this functionality let you create rules that prevent defined types of access (entitlements or roles) from being granted to the same person. Many products also discover existing violations of these rules so you know when a segregation of duties conflict needs to be remediated.
In practice, segregation of duties is very difficult to implement and enforce because you need to have a lot of information about the specific business functions that entitlements allow people to perform, as well as a broad business knowledge across systems of which actions should not be combined. The ability to execute segregation of duties varies significantly across IGA systems and is largely dependent on the applications your organization uses and the level of business process understanding you have.
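The two halves of segregation of duties mentioned above, preventing a conflicting grant and discovering conflicts that already exist, are the same rule evaluated at different times. The following added example (not the post's code, and not any product's rule format) shows both, with the rules, roles and assignments constructed for illustration. One detail worth seeing in code: the check has to run over a user's effective entitlements, including those inherited through roles, or a conflict split across two roles goes unnoticed.

```python
"""Segregation-of-duties rules evaluated detectively (scan everyone) and
preventively (check a proposed grant before it happens).

Added example, not the original post's code. Rules, roles, memberships and
direct grants are constructed assumptions."""
from typing import Dict, List, Set

# Constructed rule set: a user must not hold both entitlements of a pair.
SOD_RULES = {
    "wire-initiate-vs-approve": frozenset({"treasury:initiate_wire", "treasury:approve_wire"}),
    "vendor-create-vs-pay":     frozenset({"erp:create_vendor", "erp:pay_invoice"}),
}
ROLES: Dict[str, Set[str]] = {  # role -> entitlements it grants
    "ap-clerk":   {"erp:create_vendor", "erp:view_invoice"},
    "ap-manager": {"erp:pay_invoice", "erp:view_invoice"},
    "treasurer":  {"treasury:approve_wire"},
}
DIRECT: Dict[str, Set[str]] = {"ana": {"treasury:initiate_wire"}}  # grants outside roles
ROLE_MEMBERS: Dict[str, Set[str]] = {
    "ana": {"treasurer"},
    "ben": {"ap-clerk", "ap-manager"},   # conflict split across two roles
    "cai": {"ap-clerk"},
}


def effective_entitlements(user: str, direct=DIRECT, roles=ROLES, members=ROLE_MEMBERS) -> Set[str]:
    """Direct grants plus everything inherited through role membership."""
    ents = set(direct.get(user, set()))
    for role in members.get(user, set()):
        ents |= roles[role]
    return ents


def violations(ents: Set[str], rules=SOD_RULES) -> List[str]:
    """Names of the rules whose entitlement pair is fully present in `ents`."""
    return sorted(name for name, pair in rules.items() if pair <= ents)


def scan(users) -> Dict[str, List[str]]:
    """Detective control: every user who currently holds a conflicting pair."""
    report = {}
    for user in users:
        found = violations(effective_entitlements(user))
        if found:
            report[user] = found
    return report


def check_grant(user: str, entitlement: str) -> List[str]:
    """Preventive control: the conflicts that granting `entitlement` would
    newly create (pre-existing conflicts are reported by scan, not here)."""
    before = effective_entitlements(user)
    return [r for r in violations(before | {entitlement}) if r not in violations(before)]


if __name__ == "__main__":
    print("existing conflicts:", scan(["ana", "ben", "cai"]))
    print("cai + erp:pay_invoice would create:", check_grant("cai", "erp:pay_invoice"))
```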
Access Certification
Access certification (or access review) is the process of reviewing the access people have within an application or platform and either confirming it's correct or removing it. The most basic way to do this is through spreadsheets or screenshots of user lists within the application. Many identity governance and administration systems provide a way to perform access certifications through a user interface so that results can be easily captured, acted upon, and archived as audit evidence. This process can also be combined with access provisioning (discussed earlier) to automatically remove access that you say should be removed during the access certification process.
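A certification campaign is mostly bookkeeping, but the bookkeeping is what the auditor wants to see. The following is an added example, not the post's code or any product's campaign model: assignments, reporting lines and dates are constructed. Two behaviours are worth showing explicitly, that a person cannot certify their own access, and what happens to items nobody answered by the deadline (here they default to revoke, the conservative choice, and the evidence records that the decision was a default rather than a reviewer's).

```python
"""Access certification campaign: build a worklist per reviewer, record
decisions, close at the deadline, and emit revocations for provisioning plus
the evidence trail for audit.

Added example, not the original post's code. Assignments, managers and dates
are constructed; dates are ISO strings so they compare lexically."""
from typing import Dict, List, Tuple

MANAGERS = {"ana": "ben", "cai": "ben", "dee": "eve"}  # constructed: user -> reviewer
ASSIGNMENTS = [  # constructed: (user, entitlement) currently held
    ("ana", "crm:read"),
    ("ana", "erp:pay"),
    ("cai", "crm:read"),
    ("dee", "hr:admin"),
]


class Campaign:
    def __init__(self, assignments: List[Tuple[str, str]], managers: Dict[str, str], deadline: str):
        self.deadline = deadline
        self.items: Dict[int, dict] = {}
        for n, (user, ent) in enumerate(assignments, start=1):
            self.items[n] = {"user": user, "entitlement": ent, "reviewer": managers[user],
                             "decision": None, "decided_by": None}

    def worklist(self, reviewer: str) -> List[int]:
        """Item ids a given reviewer has to answer."""
        return [i for i, it in self.items.items() if it["reviewer"] == reviewer]

    def decide(self, item_id: int, reviewer: str, keep: bool) -> None:
        it = self.items[item_id]
        if reviewer != it["reviewer"]:
            raise PermissionError("not the assigned reviewer")
        if reviewer == it["user"]:
            raise PermissionError("users may not certify their own access")
        it["decision"] = "keep" if keep else "revoke"
        it["decided_by"] = reviewer

    def close(self, today: str) -> Tuple[List[Tuple[str, str]], List[tuple]]:
        """At or after the deadline: unanswered items default to revoke.

        Returns (revocations, evidence). Revocations are (user, entitlement)
        pairs to hand to provisioning; evidence is one row per item."""
        if today < self.deadline:
            raise ValueError("campaign is still open")
        revocations, evidence = [], []
        for i, it in self.items.items():
            if it["decision"] is None:
                it["decision"], it["decided_by"] = "revoke", "deadline-default"
            if it["decision"] == "revoke":
                revocations.append((it["user"], it["entitlement"]))
            evidence.append((i, it["user"], it["entitlement"], it["decision"], it["decided_by"]))
        return revocations, evidence


if __name__ == "__main__":
    c = Campaign(ASSIGNMENTS, MANAGERS, deadline="2024-01-31")
    c.decide(2, "ben", keep=False)
    print(c.close("2024-02-01"))
```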
Application Entitlement Discovery
For large organizations with lots of applications and people, it becomes difficult to identify the types of access (entitlements) that exist within applications and how that access is granted to people. Application entitlement discovery is a feature offered by some identity governance and administration systems to help you discover entitlements, either through roles or directly from your applications. In practice, this feature is loosely defined and difficult to implement within an IGA product. It’s better if you know your applications and the entitlements within them so that you can tell the IGA system rather than having the system help find them for you.
Role Discovery and Engineering
Many organizations prefer to manage access through roles instead of assigning entitlements directly to people. Roles get even better when you combine different types of access across multiple applications so that people can request most of the access they need through a single role. Although roles are a good idea that can save a lot of effort over time, the hard part is building the roles in the first place.
Several identity governance and administration systems provide features for role discovery and engineering, which is simply a process for helping you figure out what types of access should be included within a role. This is usually done through patterns, where the system finds similarities in access among users with common characteristics (having the same job title, for example). Role discovery and engineering features aren’t a replacement for good knowledge of your business and people, but they do make a lot of the heavy lifting of building roles easier when implemented well.
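The "find similarities among users with common characteristics" approach above is simple enough to show end to end. The following is an added example, not the post's code or any product's role-mining algorithm: it groups users by job title, proposes a role from the entitlements held by at least a threshold share of that group, and reports both the outliers the role would not cover and the access people would gain if the role were assigned to everyone with that title. Users, titles and entitlements are constructed.

```python
"""Pattern-based role discovery by job title.

Added example, not the original post's code. The user table, the threshold
and the minimum group size are constructed assumptions."""
from collections import Counter, defaultdict
from typing import Dict, Set, Tuple

USERS: Dict[str, Tuple[str, Set[str]]] = {  # constructed: user -> (job title, entitlements held)
    "ana": ("Analyst", {"crm:read", "bi:dashboards", "jira:user"}),
    "ben": ("Analyst", {"crm:read", "bi:dashboards", "jira:user", "erp:pay"}),
    "cai": ("Analyst", {"crm:read", "bi:dashboards"}),
    "dee": ("Analyst", {"crm:read", "bi:dashboards", "jira:user"}),
    "eve": ("Engineer", {"github:dev", "jira:user", "aws:dev"}),
    "fay": ("Engineer", {"github:dev", "jira:user"}),
}


def mine_roles(users=USERS, threshold: float = 0.75, min_members: int = 2) -> Dict[str, dict]:
    """Propose one role per job title.

    For each title with at least `min_members` people, the proposed role
    contains every entitlement held by at least `threshold` of them.
    `outliers` are grants the role would not explain (candidates for review);
    `would_gain` is access people would newly receive if the role were
    assigned to the whole group (the thing to check before doing so)."""
    by_title = defaultdict(list)
    for user, (title, _) in users.items():
        by_title[title].append(user)

    proposals = {}
    for title, members in by_title.items():
        if len(members) < min_members:
            continue  # too few people to call it a pattern
        counts = Counter(e for u in members for e in users[u][1])
        role_ents = {e for e, n in counts.items() if n / len(members) >= threshold}
        proposals[title] = {
            "members": sorted(members),
            "entitlements": role_ents,
            "outliers": sorted((u, e) for u in members for e in users[u][1] - role_ents),
            "would_gain": sorted((u, e) for u in members for e in role_ents - users[u][1]),
        }
    return proposals


if __name__ == "__main__":
    for title, proposal in mine_roles().items():
        print(title, proposal)
```

The threshold is the knob that matters: too low and the role bundles one-off grants into everyone's access, too high and every small difference becomes an outlier. Either way the output is a proposal for someone who knows the business to confirm, which is the point the paragraph above makes.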
Role Modeling and Simulation
One of the challenges with managing access through roles is that you can grant or remove a lot of access to a lot of people all at once. If you assign a new type of access to a role that has 1,000 users in it, all of the users will be granted this new type of access. That works fine when it’s what you are intending to do, but sometimes managing access gets complicated. Knowing what the potential effects of an action are before you actually take the action is nice to have and helps avoid serious mistakes that impact large groups of people.
Many identity governance and administration systems have features that allow you to model changes to roles and simulate their effects before taking action. As you might have predicted, this is difficult to do and unfortunately won’t prevent all of the possible things that can go wrong. That said, it’s better to have role modeling and simulation features than not so that you have at least some ability to see what’s going to happen when you make a change.
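What a simulation actually has to compute is the difference in each member's effective access before and after the change, not just the change to the role definition. The following added example (not the post's code or any product's simulation feature) shows that for adding or removing one entitlement on a role: who gains access, who loses it, who is unaffected because they already hold the entitlement through another role or a direct grant, and which segregation of duties conflicts the change would newly create. Roles, memberships, direct grants and the two conflict pairs are constructed.

```python
"""Role change simulation: compute per-user effects of a proposed role edit
without touching the live role definitions.

Added example, not the original post's code. Roles, memberships, direct
grants and SoD pairs are constructed assumptions."""
from typing import Dict, List, Set, Tuple

ROLES: Dict[str, Set[str]] = {
    "ap-clerk":   {"erp:create_vendor", "erp:view_invoice"},
    "ap-manager": {"erp:pay_invoice"},
}
MEMBERS: Dict[str, Set[str]] = {"ap-clerk": {"ana", "ben", "cai"}, "ap-manager": {"cai"}}
DIRECT: Dict[str, Set[str]] = {"ana": {"erp:approve_po"}}  # grants made outside roles
SOD_PAIRS = [
    frozenset({"erp:create_vendor", "erp:pay_invoice"}),
    frozenset({"erp:create_vendor", "erp:approve_po"}),
]


def effective(user: str, roles, members, direct) -> Set[str]:
    """Direct grants plus everything inherited through role membership."""
    ents = set(direct.get(user, set()))
    for role, users in members.items():
        if user in users:
            ents |= roles[role]
    return ents


def simulate(change: Tuple[str, str, str], roles=ROLES, members=MEMBERS,
             direct=DIRECT, sod=SOD_PAIRS) -> Dict[str, list]:
    """change is (role, "add" | "remove", entitlement).

    Returns which members gain, lose, or keep the same effective access, and
    the (user, conflicting pair) combinations the change would newly create."""
    role, op, ent = change
    # Work on a copy so the live definitions are never modified by a dry run.
    new_roles = {r: set(e) for r, e in roles.items()}
    if op == "add":
        new_roles[role].add(ent)
    elif op == "remove":
        new_roles[role].discard(ent)
    else:
        raise ValueError(f"unknown operation {op!r}")

    report: Dict[str, list] = {"gain": [], "lose": [], "unchanged": [], "new_sod": []}
    for user in sorted(members[role]):
        before = effective(user, roles, members, direct)
        after = effective(user, new_roles, members, direct)
        if after - before:
            report["gain"].append(user)
        elif before - after:
            report["lose"].append(user)
        else:
            report["unchanged"].append(user)  # held via another role or a direct grant
        for pair in sod:
            if pair <= after and not pair <= before:
                report["new_sod"].append((user, tuple(sorted(pair))))
    return report


if __name__ == "__main__":
    print(simulate(("ap-clerk", "add", "erp:pay_invoice")))
    print(simulate(("ap-clerk", "remove", "erp:view_invoice")))
```

Note that `ana` already holds a conflicting pair before the change (create_vendor via the role, approve_po directly); the simulation reports only the conflicts the change itself introduces, because pre-existing ones belong to the segregation of duties scan, not to this decision.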
Role Management
After roles have been created, you frequently need to modify and update them. This includes adding and removing users in roles, as well as changing the types of access granted through roles. Identity governance and administration systems typically provide user interfaces and workflows to help manage the process of maintaining roles so you can keep them up to date and make sure they represent the access that your people truly need.
Configurable Logging, Analytics, and Reporting
Lots of activity related to identity and access management happens within your company's systems every day. People log in to applications, access information, and perform all sorts of transactions. Identity governance and administration systems with a more complete feature set capture information from various log files and perform analytics and reporting to help summarize and interpret this activity for you. In practice, this functionality overlaps quite a bit with log management systems (Security Information and Event Management, or SIEM, if you want to be precise). What the IGA system adds that a SIEM on its own lacks is the identity context: it knows which account belongs to whom and whether that person still works for you.
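The identity context is what makes IGA-side analytics different from plain log management, and it is easiest to see on a few log lines. The following is an added example, not the post's code or any product's analytics: it runs three identity-aware detections over constructed login events (a successful login by a terminated identity, a login to an account with no known owner, and an account waking up after a long dormant period). The log format, the account-to-owner table and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Identity-aware log analytics: correlate login events with what the IGA
system knows about account ownership and identity status.

Added example, not the original post's code. Log lines, ownership table,
identity statuses and the dormancy threshold are constructed."""
from datetime import datetime
from typing import Dict, List, Optional

# Constructed ownership table: account -> employee id (None when no owner is recorded).
ACCOUNT_OWNER: Dict[str, Optional[str]] = {"ana": "1001", "cai": "1003", "svc-backup": None}
# Constructed identity status as fed from HR.
IDENTITY_STATUS = {"1001": "active", "1003": "terminated"}

# Constructed login log, one event per line, key=value fields after the timestamp.
LOG = """\
2024-03-01T08:02:11Z app=vpn user=ana result=success src=10.0.0.5
2024-03-01T08:05:40Z app=erp user=cai result=success src=10.0.0.9
2024-03-01T09:10:02Z app=fileshare user=svc-backup result=success src=10.0.0.20
2024-03-01T09:15:00Z app=vpn user=ghost result=failure src=203.0.113.7
2024-06-10T22:41:37Z app=vpn user=ana result=success src=198.51.100.4
"""


def parse(line: str) -> dict:
    """Split one log line into a dict; keeps the raw timestamp for reporting."""
    raw_ts, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    fields["raw_ts"] = raw_ts
    fields["ts"] = datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def analyze(log: str = LOG, owners=ACCOUNT_OWNER, status=IDENTITY_STATUS,
            dormant_days: int = 90) -> List[tuple]:
    """Return findings in log order. Only successful logins matter here:
    failed attempts are the SIEM's job, the identity context is ours."""
    findings: List[tuple] = []
    last_seen: Dict[str, datetime] = {}
    for line in log.splitlines():
        ev = parse(line)
        if ev["result"] != "success":
            continue
        user, ts = ev["user"], ev["ts"]
        owner = owners.get(user)  # None both for "no owner recorded" and "account unknown"
        if owner is None:
            findings.append(("orphan_account_login", user, ev["raw_ts"]))
        elif status.get(owner) == "terminated":
            findings.append(("terminated_identity_login", user, ev["raw_ts"]))
        if user in last_seen:
            gap = (ts - last_seen[user]).days
            if gap > dormant_days:
                findings.append(("dormant_account_reactivated", user, ev["raw_ts"], gap))
        last_seen[user] = ts
    return findings


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```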
Identity Governance and Administration (IGA) is an important product category in the overall market for security technology. Many of the concepts we described in detail have been offered in identity and access management products for quite a while, so the main change to get used to is simply the new term used to describe this category of products. That said, there is a great deal of room for expansion and improvement within IGA products, and in many ways the new IGA term is shorthand for innovations in the industry that will continue well into the future.
We hope this post was able to help clarify the meaning of IGA, related terminology, and some of the features offered by existing products in the market. If you’d like to have early access to our platform, we’d be happy to have you. Let us know by signing up here.