What is Identity Governance and Administration?

With the various identity governance tools on the market, it's not easy to assess what they offer compared to a full-function identity governance and administration (IGA) architecture. In reaction to a security directive, too often, teams take a narrow approach to managing user entitlements or fulfilling their organization's separation of duties requirements.

IGA goes beyond the visibility of entitlements, which is often taken as a snapshot at any point in time. Instead, it takes a holistic and integrative approach to its management. When built on a robust identity life cycle management infrastructure, IGA brings together critical components of an organization's identity and access management infrastructure to ensure that only the right people have access to sensitive information.

What defines a complete Identity Governance and Administration Solution?

A robust IGA solution distinguishes itself by offering the following benefits:

• Delivers comprehensive view of accounts and resources – IGA needs to hold the identity, entitlement, and risk information of each resource being managed, as well as the identity and role of those accessing it.
• Protect against rubber-stamping approvals – with a focus on guarding against unvetted approvals of permission requests, an effective IGA solution includes workflows designed specifically to inform the information and business owners, not IT admins. To raise the level of inspection of the request, it needs to offer all the relevant information about the requester and the resource designed for a quick read with effective productivity and risk indicators.
• Robust attestation – offers accurate reports that confirm continuous compliance rather than just reporting snapshots in time. When needed, a well-designed IGA infrastructure can provide analytics that confirm actual access by specific groups of users. The design of the report should be quick to review and simple to generate and include in attestation reports. While this level of attestation offers confidence for security teams, it requires that access governance has tight integrations with the identity life cycle and access management components of the comprehensive IGA environment.

What specific value does a complete IGA environment have over other solutions?

While identity governance and administration manage entitlements and deliver strong attestation for the security auditors, it has the potential to be a foundational component of an organization's identity and access management infrastructure:

• Entitlement management is the fundamental element of any organization's least privilege strategy. Least privilege security helps protect against internal threats as well as limit damage when someone's credentials have been compromised and exploited. When done correctly, it can be used to guide and invoke identity life cycle actions rather than work independently of it.
• One of the steps of onboarding resources on a governance platform is defining their risk and risk criteria. Proper risk definitions of sensitive resources provide accurate information to the approvers and reviewers. They can also be consumed by the risk service to direct adaptive access management actions. Too often, criteria used for session-based access controls for potential authentication and authorization actions are limited to the user's context (geolocation, IP range, device ID, et.). Factoring in the risk of the resource itself offers a more granular and effective approach to adaptive access that can increase security while optimizing the user's experience. By limiting the number of times a user is interrupted for multi-factor authentication, friction is reduced, and the user's experience is optimized.

What is NetIQ doing to make their IGA solution more intelligent?

While it’s most important to establish a solid IGA foundation, as described above, NetIQ is continually pushing the envelope to make governance automation more encompassing and effective in helping information owners protect their data. Near-term identity governance and administration development directions within identity and access management infrastructures include:

• Beyond providing the best information possible in a format that approvers and reviewers can quickly understand, the next generation of IGA brings together least privilege best practices and organizational policies to automate entitlement analysis. The automated elevation of risk scores of their sensitive information, as well as the users accessing them, highlights points of concern for review and potential security actions.
• The intelligence-based automation scenario described in the previous bullet is best augmented with behavioral analytics of actual usage. This type of analytics can guide focus on specific identities and resources to reassess the risk they perpetrate on the organization.
• While traditionally IGA hasn’t included governance of root access to systems, a more formal approach to securing access to server hosted data and executables is necessary. In that system administrators can potentially bypass various security mechanisms, the importance of securing root privileges is obvious. Beyond the ability to delegate and govern different levels of administration, these superusers have so much granted access that advanced monitoring of their system-related actions offers potential valuable forensic information.

A well-built IGA environment isn’t easy to implement. Getting buy-in at the executive level and the various business owners can be a long and uneven process. Pulling in the information owners to properly onboard their resources takes investment, as does keeping in touch with them for changes in their environment that require updates. But the value of this type of security investment pays huge dividends. It allows organizations to be more agile in their digital business operations while keeping their risk low.

Why should I invest in Identity Governance & Administration?

Once you understand the comprehensive nature of IGA, the natural question is whether this level of investment is needed for your environment. While each organization may have unique requirements, here are some common considerations that may guide the depth and breadth of management:

While almost every organization needs to protect its financial and HR information, they may or may not have other types of sensitive data worthy of governance as well:

• Customer information – this type of information varies widely. Organizations can be subject to various state or federal regulations even if they are collecting cookie information or social identities to personalize content. There are other worldwide mandates as well, such as the General Data Protection Regulation (GDPR). GDPR requirements merit an IGA level of protection because once a personal profile or financial information is retained, there will likely be a need for least privilege security. There is also coordination that needs to take place between the retailers and their service providers (PSPs) and industry partners. Unless these operations are small, it’s hard to imagine them meeting privacy mandates without a mature identity governance solution.
• Intellectual property – whether in the form of patent information, technical or business core competencies, or other trade secrets, a breach of them can pose a serious risk to the organization. Whether or not organizations automate their entitlement processes, a careful review of valued secrets is likely needed before developing a governance strategy.
• Patient information – the healthcare industry’s digital transformation has forced providers to automate their entitlement management and attestation of their regulated information. The move to electronic healthcare records (EHR) and other protected health information (ePHI) has resulted in stringent, concrete, and punitive privacy government protections. It’s an industry plagued with the highest costing breaches compared to any other. Beyond monetary loss, health record breaches are detrimental to patient trust because they include their most sensitive information. Information spanning both health and financial information can be used to conduct fraud.
• Financial services – as another highly regulated industry, financial services are subject to a series of regulations designed to prevent malicious collusion and violation of privacy. Privacy is needed to protect against fraud or other types of theft. It’s a safe assertion that every financial institution needs automated governance and would benefit greatly from a solution directly involving data owners.

Where do I learn more about upgrading to an IGA solution?

If your organization is looking to upgrade to a full IGA solution, this buyer’s guide may help you identify your decision criteria. Much of the criteria is taken from NIST’s least privilege principles defined in their zero trust guide.

KuppingerCole’s Leadership Compass explains the capabilities that make up IGA as well as walk through the list of vendors that offer solutions for it.

As part of its identity and access management platform, NetIQ offers a mature IGA solution.