Identity Governance & Administration

What Is Identity Governance & Administration (IGA)?

Identity Governance & Administration (IGA), also known simply as identity governance, is both a policy framework and set of security solutions that enable organizations to more effectively mitigate access-related risks and manage identity chaos within their business.

IGA automates the creation, management, and certification of user accounts, roles, and access rights for individual users in an organization. This means companies can streamline user provisioning, password management, policy management, access governance, and access reviews within their business.

Considered part of Identity and Access Management (IAM), identity governance offers organizations increased visibility into the identities and access privileges of users, so they can better manage who has access to what systems, and when. Identity governance empowers organizations to do more with less, enhance their security posture, and meet increasing auditor demands, while also scaling for growth.

What Is Identity Governance & Administration (IGA)?

What Does Identity Governance Do?

Identity governance provides automation capabilities for creating and managing user accounts, roles, and access rights for individual users within organizations. With IGA, organizations can easily leverage a more secure, strategic, and streamlined approach for provisioning and deprovisioning, user lifecycle management, compliance and governance, password management, access certifications, and risk insight.

Identity governance also enables companies to:

Improve organizational security and reduce identity-related risk
Leverage role-based access for intelligent, visible role management
Streamline certification processes to comply with increasing auditor demands

Ensure compliance with government regulations and industry standards
Boost operational efficiencies to empower the business to do more with less

View Webinar

What Are the Benefits of IGA?

Improving Security and Mitigating Risks

Overseeing appropriate access through the right IGA framework goes a long way towards bolstering an organization’s risk management. A good outer perimeter used to be the most effective way to mitigate risk, but today companies are faced with the constant threat of insider attacks. Phishing and other social engineering activities can provide threat actors with user credentials that are virtually undetectable when they fall into the wrong hands. Identity Governance & Administration ensures that users are operating within well-defined access policies and are not overprovisioned.

IGA also ensures that users have the right access privileges required for their job. Without it, bulk approvals for access requests, frequent changes in roles and departments, and the lack of suitable processes for access reviews contribute to excessive access privileges—magnifying risk throughout the business. One study found that 50 percent of organizations indicate identity governance and access management programs are the most effective security tool to protect against insider threats, while 75 percent of organizations that use IGA solutions saw a reduction of unauthorized access incidents.

Read the Study >

Adhering to Compliance Requirements and Enhancing Certification Processes

The increasing number of federal regulations and industry mandates that organizations face today means there is also more auditing, compliance reviews, and reporting to be completed by each business. While this can be a very manual and time-consuming process, organizations that use IGA solutions can easily automate data collection, reporting, and the review process.

Regulatory compliance, industry mandates, and security frameworks like SOX, HIPAA, PCI-DSS, GDPR, NIST SP 800-53, COBIT or the ISO 27000 series have become increasingly stringent and more complex in recent years. And organizations across every sector face more auditing, compliance reviews, and mandatory reporting.

Identity Governance & Administration automates data collection, reporting, and access reviews, and ensures access to information is strictly controlled. IGA also enables companies to prove they are taking actions to meet compliance requirements and industry mandates.

Increasing Operational Efficiencies

Identity Governance & Administration empowers organizations to do more with less. Many security teams are understaffed and overextended, but are expected to manage and protect increasing numbers of devices, data, users, and systems. By using IGA programs to automate and streamline access management, organizations can boost operational efficiencies.

One study found that nearly half of all organizations view operational efficiency as a driver for IGA and IAM programs. Leveraging IGA for automated user lifecycle provisioning, implementation of role-based access, and periodic user access reviews and certification saves time and streamlines the entire identity governance process.

Key Elements of an Effective IGA Strategy

Developing an effective Identity Governance & Administration strategy requires a number of key aspects. Below are three of these essential items:

Automating Provisioning Around the User Lifecycle

Automating provisioning should be based on the user lifecycle within each organization, starting with the user's first relationship as an applicant or employee, and conclude when the user separates from the company. In between these events are multiple changes and access requirements that must be managed closely. Automating provisioning around the user lifecycle enables employees to be productive on day one, decreases reliance on IT resources, and increases security by reducing risk associated with manual provisioning mistakes.

Leveraging a One-Stop Shop for User Access

An effective IGA strategy also requires a centralized portal to complete access requests and approvals. Providing a one-stop shop for users to request access ensures employees go through proper channels, and reinforces that proper approval and fulfillment policies are followed. Another advantage of a one-stop shop is the consistent audit trail of requests and approvals, providing organizations with an updated status of each access request.

Taking Advantage of Automated Micro-Certifications

Since the time between provisioning and a review process can be fairly lengthy, it is important to have a set of controls that can quickly identify anomalous access, especially when that access violates an important policy, such as segregation of duties or privileged access. This can be done through the use of micro-certifications. When an access event is triggered where an employee may have access other than what is expected, or gains access through an outside process, commonly referred to as out of band, a manager or business application owner is alerted and can perform an access review immediately.

Why Do Companies Need Identity Governance?

The chaos that results from supporting countless devices, applications, and systems with access to key data is harder to manage than ever before. Security teams find themselves struggling to keep up with the increasing demands of the business, with industry mandates, and with regulatory compliance. Here are a few key reasons why IGA is essential for organizations today:

Reducing Access-Related Risks

IGA solutions take a proactive approach to mitigating access risks, reducing the exposure of sensitive data by limiting access, reducing overall risk in the environment. IGA solutions enable a robust approach to managing and governing access by focusing on least privilege access, eliminating excess privileges, and granting access to only those who absolutely need it in order to do their jobs. IGA also terminates orphaned accounts, and monitors segregation of duty (SoD) violations.

Adapting to Business Changes

Organizations grow and change continually, and IGA adapts to ensure those changes are more efficient and less risky. Individual changes, like promotions, transfers, and layoffs can quickly be addressed based on roles, and larger institutional changes, like mergers and and acquisitions or corporate reorganizations, can be streamlined through automated provisioning and approvals.

Meeting Regulatory Compliance

With regulations like GDPR, SOX, HIPAA, and others emphasizing data privacy, industries are focusing on meeting regulatory compliance and industry mandates more than ever before. Identity Governance & Administration policies help ensure sensitive information is protected and demonstrates companies are taking action to meet regulatory compliance. An effective IGA solution automates required periodic reviews and attestation of access, leveraging built-in reporting capabilities to meet relevant government and industry regulations.

What Is a Role-Based Approach to Identity Governance?

A role-based approach to identity governance means identifying and grouping common access privileges together across individual users ahead of time so that they can be easily used to mitigate risk and improve efficiencies. Think of a role as a collection of access privileges typically defined around a job title or job function.

Using roles, organizations can have solid, predefined, and preapproved access policies in place, and know specifically which access privileges each person needs, and what access to grant and remove. Roles also allow organizations to more quickly and accurately perform business-friendly, accurate access reviews and certifications.

Embracing a role-based approach simplifies identity governance especially as an organization grows or changes—whether through individual changes across the user lifecycle, seasonal additions to the workforce, or more institutional changes, like mergers and acquisitions.

Key Role of Self-Service Password Management and Voice Biometrics Authentication

Protecting access to data within the business is essential, but the increasing costs and security challenges associated with assisted password resets has continued to rise. Ineffective or manual password management is a significant burden to organizations, resulting in increased costs and security risks across the business. Developing an effective strategy for enterprise-wide password management requires consideration of the following elements:

Self-Service Password Management

Companies that use strong self-service password management and enforce robust password policies can significantly reduce reliance on IT resources and decrease potential access risks. With an integrated set of tools for automated password management, organizations can leverage a convenient and secure password management approach in the organization.

Deploying multiple authentication methods should include a full suite of out-of-band channels, including mobile app, SMS/text messaging, telephone DTMF, voice biometrics, facial recognition, touch-ID, one-time PIN, and challenge and response question and answer.

Voice Biometrics Authentication

One highly secure alternative for quickly and accurately verifying an individual’s identity is voice biometrics authentication. With voiceprint identification technology that instantly recognizes voice patterns, organizations can verify individual identities of users quickly and accurately. Many organizations are moving toward using secure voice biometric authentication that is fast, convenient, secure, and cost effective.

Voice biometrics lowers support overhead and enhances security by requiring users to verify their identity with 'something they are.' This means they use a unique characteristic of themselves, like their voiceprint, and differs from 'something they know,' like a PIN or password, or 'something they have,' like a smartcard, as an authentication factor.