Identity Administration or Identity Governance? Where to Begin?
Managing user identity has evolved significantly over the last decade, from being purely a function of Identity Administration to now transitioning into Identity Governance.
What is Identity Administration?
Identity Administration is the part of identity management and access management that involves creating, modifying, or deleting identities and granting privileges/entitlements based on user role or group, as part of managing user access to resources such as systems, networks, and software in order to protect data security.
What is Identity Governance?
Identity Governance (IG) falls under the broader heading of Identity and Access Management (IAM) and involves the orchestration of policy-based user identity management and access controls during the access request and access certification process, also called provisioning, to meet regulatory compliance requirements such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). To comply with the requirements, many organizations choose Identity Governance and Administration (IGA) solutions that help manage user access, including privileged access, and streamline data privacy and security processes.
How is Identity Governance Different from Identity Administration?
While identity administration incorporates automation that streamlines the provisioning process, identity governance goes beyond that to incorporate access governance as part of orchestrating the entire identity lifecycle to protect data security and privacy while maintaining compliance with regulatory and industry standards’ requirements. Most organizations use identity governance solutions to streamline access management and identity management tasks.
Identity Administration is a great way to reduce your operational overhead because it helps automate manual processes. For example, zero-day provisioning of accounts and access has always been in high demand, and Identity Administration alleviates those concerns. However, due to the limited functionality of existing Identity Management tools and the associated poor user experience, Identity Administration is being reduced to the tactical function of handling day-to-day operational tasks; with no tangible business ROI, it is eventually falling off the radar of senior executives.
Identity Governance offers a holistic approach driven by risk analytics and focused on improving security and compliance posture. Identity Governance employs several techniques to provide preventive/detective controls, reporting and dashboards, data access governance, and improved user experience, and to contribute towards reducing threats to an acceptable level.
Identity Governance products enable organizations to enforce policies, map governance functions to compliance requirements and in turn, support compliance reporting. Several government-mandated compliance regulations, including SOX and HIPAA requirements, can now be easily enforced using Identity Governance functions such as SOD analysis and access remediation.
Where do Identity Governance and Identity Administration Fit in an Organization?
Identity governance and identity administration, collectively referred to as IGA, help manage data security and privacy requirements by monitoring user access, including privileged access, across the organization’s interconnected on-premises, hybrid, or cloud infrastructure to ensure compliance with internal controls during the provisioning process, such as when users request access to resources. To mitigate risks arising from the access request, access review, and access certification process, many organizations use governance solutions that provide documentation to all internal stakeholders.
- Who is accountable for protecting company brand and reputation – CEO
- Who is responsible for preventing breaches and exposure – CISO
- Who is responsible for staying compliant by meeting regulatory requirements – Compliance Officer
- Who is responsible for improving user experience and increasing productivity of the IT workforce – CIO
Typically the CISO, CIO and Compliance Officer all directly or indirectly report to the CEO, making the executive team and the board accountable for the above functions.
Why is Identity Governance and Administration (IGA) Important?
IGA, as part of identity governance or identity management, monitors access requests to enterprise data and systems while also ensuring that, as part of access management, the administration of entitlements during the provisioning process aligns with an identity’s role. IGA protects data security and privacy by creating workflows that limit user access to “least privilege necessary” so organizations can maintain compliance with internal controls.
An organization’s focus on managing risk, staying compliant and preventing breaches has to be separated from the day-to-day tasks of provisioning/de-provisioning. This is why Identity Governance needs to stay nimble in an organization, with the ability to identify new requirements for audit, regulations, and attack vectors, while being able to stand up features and solutions quickly. Think of it as your innovation center placed under the Chief Information Security Officer (CISO) organization.
As I mentioned before, traditional Identity Administration is not meeting key business requirements and is being relegated to an operational cost center, causing a loss of visibility from the executive branch and therefore ending up with no clear ownership. To overcome this challenge, the new development of Identity Administration functionalities, such as application onboarding, should remain in a centralized organization, such as an Application Center of Excellence (COE), while being complemented with a strong governance framework to review and recommend changes. As the function becomes operational, it should be handed over to a managed services organization.
Why Start with Identity Governance?
Identity Governance has brought about a paradigm shift in a number of ways. Let’s look at some examples:
- Speed to Market: With the help of new-age cloud-based IGA solutions, an Identity Governance solution can be delivered in a matter of days, down from what used to be months of tool deployment and upgrades.
- Compliance and Audit: Reports are mapped to various industry regulations (PCI, SOX, HIPAA etc.). This is a game changer for compliance champions and internal auditors who can now detect issues in real-time.
- Efficient Access Reviews: Managers no longer go through “certification fatigue” that often results in rubber stamping. Usage analytics, outlier analytics, SOD analysis and many other intelligent features help in reducing the burden upfront. Micro certifications and event-based certifications provide a more focused, low-volume certification cycle.
- Rapid Application Onboarding: A wizard-based interface saves application owners time and resources in managing and governing access. They are also now able to clean up the metadata of roles and entitlements through campaigns to improve the data quality and ownership of resources.
- Quantifiable Outcomes: Drill-down dashboards are customized for different personas, offering a new way to look at identity metrics. HR users can view onboarding/offboarding metrics, application owners can view the number of user accounts and entitlements per application, and auditors can now look at SOD violations in critical applications.
Identity Governance has expanded reach and penetration within organizations to extents unimaginable with Identity Administration. More importantly, the ROI that was elusive with traditional Identity Administration is now available with a click in Identity Governance solutions.
For those of you inspired by this blog and looking to kickstart your Identity Governance program, I highly recommend you review the next-generation Identity Governance platform Saviynt offers.