What is identity governance and administration (IGA)?

Why is IGA important?

IGA is fundamentally a business or industry response to regulatory compliance pressures and litigation.

Broadly speaking, every business is responsible for its actions and liable for its mistakes. This certainly holds when referring to storing, using and accessing sensitive data, such as personally identifiable information. A business faces legal jeopardy when a security incident occurs.

Proper governance and administration prove what was done, why it was done and how it was done. That documented proof forms the cornerstone of the organization's defense against any legal jeopardy, demonstrating its actions are indeed aligned with stated business goals, regulatory requirements and legislation. If a mistake or oversight occurred, the business identifies it and changes policies or alters system configurations to limit future dangers.

As a simple example of what happens without such governance, consider a business in which every employee has equal and unrestricted access to all organizational resources and there are no established policies or processes outlining the use of those resources. Further, no logs or records of that resource usage are generated. If data theft or loss occurs, the business has no way of understanding what happened, when it occurred, why it took place or who did it. That's gross negligence.

However, sound policies, well-considered workflows, comprehensive organizational methodologies -- zero-trust security posture and role-based access control (RBAC) among them -- and thorough record-keeping underpin a strong governance framework. That identity and access framework employs IGA approaches, such as software-based tools and services.

A brief history of IGA

The ideas of identity governance and identity administration have existed in some form for decades. In fact, the importance of identity begins with the first use of user passwords in the 1960s. Decades later, the emergence of strong compliance regulations -- the Health Insurance Portability and Accountability Act (HIPAA) in 1996, 2002 Sarbanes-Oxley Act and General Data Protection Regulation (GDPR) in 2016 among them -- forced business and technology leaders to address and prove, objectively and on an ongoing basis, their commitment to protect user access rights.

IBM formalized the term with the release of its IBM Security Access Manager for Enterprise Single Sign-On circa 2005. The tool managed security policies across multiple systems, fundamentally encapsulating the modern IGA approach. Other IGA tools followed, each designed to manage user access and provisioning across the enterprise through a centralized mechanism.

What are the features of IGA tools?

Although each IGA service possesses unique strengths, the tools integrate with IAM processes and make extensive use of workflow automation to streamline permissions, speed both access provisioning and deprovisioning, and provide detailed reporting.

Among the numerous IGA services currently available in the market are the following:

• Bravura Identity.
• Broadcom Symantec IGA.
• ForgeRock Identity Governance.
• IBM Security Verify Governance.
• ManageEngine ADManager Plus.
• Microsoft Entra ID Governance, formerly Azure Active Directory Security Governance.
• Omada.
• One Identity IGA suite.
• Prove Identity Network.
• SailPoint Identity Security Cloud.
• SAP Cloud Identity Access Governance.

Other common features of effective IGA tools include the following:

• Analytics. IGA services often couple activity logs and policy enforcement with activity analytics and reporting to identify and highlight risky or suspicious behaviors, such as unauthorized user access attempts. Analytics also better informs security improvements and incident remediation.
• Auditing. For every business resource or application, IGA tools speed a review of user access rights and actions. Auditing, with its ties to automation, enables rapid response, such as rights revocation, when security issues arise.
• Automation. IGA tools help administrators manage automated IGA-related workflows, determining the proper access for every user, handling additional access requests, and provisioning or deprovisioning as desired. Avoid manual provisioning efforts whenever possible.
• Entitlements. A more granular means of control than simple administrative authorization to an application, entitlements specify a user's freedom within that application, such as permitting access to data but denying the right to change or delete data.
• Integrations. Sound governance involves visibility -- the ability to see information about users and access across the organization. Seek IGA services with a variety of useful software connectors that let the IGA tool integrate with Active Directory and other enterprise software that manages information about users, applications, authorization and access. Also, consider the use of federated identity management.
• RBAC. Though certainly not a new idea, RBAC ensures user access depends on that user's underlying organizational position. This prevents unauthorized access and limits data breaches.
• Segregation. A variation of entitlements, features such as SoD prevent a single user from obtaining a particularly dangerous set of rights. For example, a user may access data but may not copy or transfer that data to another application or storage resource. Instead, in an effort to safeguard the data, that right requires additional authorization.
• Support. IGA tools often integrate with a help ticketing system. Here, users make access requests and log security issues, speeding remediation.

Benefits of IGA

IGA provides an important dimension for any broader IAM environment. Its series of benefits includes the following:

• Risk reduction. Consistency -- the right steps are taken for every action, every time -- is an idea as old as any manufacturing floor, but the same need for consistency translates directly to IT administration. IGA eliminates manual or ad hoc processes prone to error or omission. This reduces security and compliance risks and improves business governance.
• Streamlined identity management. IGA practices and tools use comprehensive policy and automation to establish and provision new user identities. They also control and configure passwords, permissions, resources and services, while provisioning and deprovisioning as employees move through or leave the organization.
• Remote management. Modern work environments include remote access challenges for organizations. IGA tools help administrators protect off-site users, resources and services.
• Activity monitoring. As job requirements and tasks change, IGA tools provide a central platform for access requests and approvals. For example, a developer involved with a FinOps team requests and is granted additional access through IGA tools. In another example, monitors employing IGA tools detect and track a user attempting to access an unauthorized resource.
• Reporting and auditing. Increasingly comprehensive analytics and detailed reporting help administrators quickly identify, evaluate and mitigate problems. IGA's centralized data and reporting also provide detailed auditing to ensure regulatory compliance.
• Enterprise growth. Centralized policies and automated workflows are required to scale IGA across the entire enterprise. This comprehensive control over resources, services and user rights is more consistent than manual provisioning and ad hoc processes -- all while mitigating risk.

Misconceptions about IGA

Identity governance and administration is often complex, as is its relationship with IAM. Following are some common misconceptions about IGA for business and technology leaders to consider:

• IGA is only needed on-premises. Early expressions of IGA technology took root on-premises. However, they have since migrated to cloud and software-as-a-service providers due to their capabilities, including certification, access requests, provisioning, reporting and identity management.
• IGA and IAM are the same. IGA is a subset of IAM, building on fundamental IAM features to provide stronger administration of digital identities and enhance auditing and reporting, while aiding in compliance obligations.
• IGA cannot handle concurrent workloads on-premises and in the cloud. Today's IGA tools operate cross-domain to unify cloud and on-premises resources simultaneously.
• IGA reduces risks due to human error. Though IGA and IAM provide solid frameworks that strengthen security and enhance compliance, IGA cannot guarantee security or prevent all breaches. For example, IGA cannot stop a bad actor with stolen credentials -- due to, say, a phishing attack -- from gaining unauthorized access and stealing data. However, IGA limits that attacker's actions and generates records of what happened.
• Unregulated businesses don't need IGA. Security and business governance are critical needs even with relatively light regulatory obligations. IGA technologies manage digital identities across enterprise resources and services to protect valuable data for every business.
• Small businesses don't need IGA. It's the same as for unregulated businesses: IGA always benefits business security and governance. Indeed, small businesses often must validate adherence to security and compliance standards as a requirement to work with other businesses. For example, a larger, regulated business requires assurance that a smaller business meets its same standards before reaching an agreement.
• Identity governance is only a technology issue. While IGA is deployed and operated by IT, the policies and limitations IGA oversees must be guided by well-considered business decisions. In effect, IGA only works with strong collaboration among business, technology and operational professionals.