1. What is IGA?
Identity Governance and Administration (IGA) is, broadly, a framework of policies for managing access permissions and the identity lifecycle in order to mitigate cyber risk, comply with regulations and increase operational efficiency.
First, the two major components of IGA are access permission management and identity lifecycle management.
The management of access permissions corresponds to the Governance part of IGA. The goal is to ensure that each identity in the organization has the right permissions, where 'right' usually means least privilege. Furthermore, identity structures in an organization are dynamic: people come and go, and move from one position to another. Hence the permissions assigned to each identity need to be reassessed continuously as well.
The management of the identity lifecycle corresponds to the Administration part of IGA. Identity lifecycle management deals with the creation, modification and deletion of identities. In the context of IGA, it is about integration with source and target systems to carry out these functions; more specifically, about moving data through various connectors from source systems (e.g. an HR platform) to target systems (e.g. Active Directory).
Second, the two components above are addressed with a framework of policies. In other words, IGA is policy-based, centralized orchestration of access control and identity lifecycle management. Policies are sets of rules, regulations and guidelines that ensure identities are properly managed and that access to sensitive resources is granted only to authorized users. Policies also help organizations comply with regulatory requirements.
Third, the results of proper IGA are lower cyber risk, regulatory compliance and increased operational efficiency. Let's look at these in more detail.
2. Benefits of IGA
A proper IGA implementation brings some essential benefits to an organization. Organizational complexity has increased dramatically from supporting numerous devices, applications and systems, and access to key data is harder than ever to manage.
2.1 Lowering Access-Related Risks
Studies regularly find that a large share of security breaches involve the abuse of privileges to reach sensitive data. IGA solutions take a proactive approach to reducing the exposure of sensitive data by limiting user access according to the principle of least privilege, one of the most effective strategies for reducing security risk.
2.2 Complying with Regulatory Requirements
With regulations and standards such as GDPR, HIPAA and PCI DSS, compliance has become a crucial concern for organizations. Being compliant means not only that access to sensitive information is strictly controlled, but also that the organization can prove it. An audit request can arrive at any time, and an effective IGA solution makes the required review and certification of access easier and more reliable.
2.3 Increasing Operation Efficiency
Organizational structures are dynamic; they grow and change continuously. IGA solutions make those changes more efficient and with less friction. For example, identity provisioning and de-provisioning tasks can be designed and automated. When a user moves from one role to another, a role-based policy can quickly identify the permissions that need to be added and removed for that user. These operations can also be executed in bulk instead of one target at a time.
3. IGA System Architecture
The figure above shows a typical deployment of an IGA platform within an organization. The HR system and an external identity registry act as the Authoritative Sources that propagate identity data into the IGA platform through connectors. The UI and APIs provide the means for users and external services to interact with the IGA platform. Policies lie at the center, managing the identity lifecycle and entitlements. IGA can also integrate with a third-party ITSM to manage identity-related business processes (e.g. access request approvals, certification campaigns and remediation tasks). Finally, the IGA platform is connected to the enterprise directory (AD) and multiple applications via different connectors to propagate and receive data.
4. Essential Functions of IGA
While the needs of each organization differ, certain aspects are shared by many organizations, and these usually form the core functions of IGA.
4.1 Identity Lifecycle Management
Identity lifecycle management deals with the state of identities through the various lifecycle phases (creation, modification, deletion, etc.). Enterprise identities usually comprise complex data structures with numerous attributes.
Identities can be of different types as well: business-to-employee (B2E), business-to-business (B2B) or business-to-consumer (B2C). Each type has its own characteristics, such as attributes, lifecycle states and policies.
Besides human identities, modern IGA solutions should be able to handle non-human identity types as well, including applications, devices, service accounts and organizational units. Lifecycle management for non-human identities is just as crucial: a service account whose owner has left the company is a classic source of unreviewed, over-privileged access.
4.2 Synchronization and Reconciliation
This capability keeps identity data consistent across all connected systems.
First, synchronization provides the means to feed data into the IGA platform. For example, when a new hire is onboarded, the employee is usually first added to the organization's authoritative HR source. That HR source is connected to the IGA platform, which must be able to receive the new hire's data.
Second, once the new data is in the IGA system, it should process that information, derive new data based on the defined policies, and provision (push) the result to the connected target systems. Reconciliation then reads the target systems back and compares their accounts with the identities IGA knows about, so that drift, orphan accounts and failed pushes are detected. Continuing the new hire example: once the new employee's data is received in IGA, birthright attributes and roles are added to the employee and then propagated to the enterprise directory.
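The following is an added example of the sync-then-reconcile flow described above; it is not code from the original post or from any IGA product. The HR feed, the directory snapshot, the birthright policy and all field names are constructed for illustration.

```python
"""Added example: synchronize identities from an HR feed into an IGA store, then
reconcile a connected target (an enterprise directory) against that store.

All data structures, field names and the birthright policy are assumptions made
for illustration; they are not taken from any particular IGA product."""
from dataclasses import dataclass, field

# Assumed birthright policy: HR department -> roles every member receives.
BIRTHRIGHT_ROLES = {
    "Engineering": ["employee", "developer"],
    "Finance": ["employee", "finance-user"],
}

# Constructed HR feed, as the authoritative source would export it.
HR_FEED = [
    {"employee_id": "E100", "name": "Ada", "department": "Engineering", "status": "active"},
    {"employee_id": "E101", "name": "Bob", "department": "Finance", "status": "active"},
    {"employee_id": "E102", "name": "Cy", "department": "Finance", "status": "terminated"},
]

# Constructed snapshot of accounts currently present in the target directory.
DIRECTORY_ACCOUNTS = {
    "E100": {"department": "Engineering", "disabled": False},
    "E102": {"department": "Finance", "disabled": False},
    "E999": {"department": "Sales", "disabled": False},  # no matching HR record
}


@dataclass
class Identity:
    employee_id: str
    name: str
    department: str
    status: str
    roles: list = field(default_factory=list)


def synchronize(hr_feed):
    """Synchronization: pull HR records into IGA identities and apply birthright roles.
    Terminated employees are kept as identities (for audit) but receive no roles."""
    identities = {}
    for rec in hr_feed:
        ident = Identity(rec["employee_id"], rec["name"], rec["department"], rec["status"])
        if ident.status == "active":
            ident.roles = list(BIRTHRIGHT_ROLES.get(ident.department, ["employee"]))
        identities[ident.employee_id] = ident
    return identities


def reconcile(identities, accounts):
    """Reconciliation: compare the target's accounts with IGA's desired state and
    return the provisioning actions needed to close the gap, in a stable order."""
    actions = []
    for eid, ident in identities.items():
        acct = accounts.get(eid)
        if ident.status == "active":
            if acct is None:
                actions.append(("create", eid, {"department": ident.department, "roles": ident.roles}))
            elif acct["department"] != ident.department:
                actions.append(("update", eid, {"department": ident.department}))
        elif acct is not None and not acct["disabled"]:
            actions.append(("disable", eid, {}))
    # Accounts with no identity behind them are orphans: flag for human review
    # rather than deleting automatically, since they may be shared or legacy accounts.
    for eid in accounts:
        if eid not in identities:
            actions.append(("flag_orphan", eid, {}))
    return actions


if __name__ == "__main__":
    for action in reconcile(synchronize(HR_FEED), DIRECTORY_ACCOUNTS):
        print(action)
```

Run on the constructed data this yields a create for E101 (new hire), a disable for E102 (leaver still enabled in the directory) and an orphan flag for E999, which is exactly the drift reconciliation exists to surface.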
4.3 Workflow Automation
While some tasks in IGA must certainly be done manually, many processes can be automated.
Consider this scenario. Suppose there is a policy that every project must have at least one project manager. One day, the only project manager on project A leaves the company. What should the IGA system do? On one hand, deleting or archiving this manager violates the policy; on the other hand, the IGA system cannot refuse to delete the manager, or even postpone deleting them.
The usual solution is to delete the user anyway, accept that a policy violation now exists, and start a remediation action to bring the system back into compliance. The remediation itself is usually done by a human, but the IGA system is responsible for tracking and monitoring the progress of this task and for supporting the participants in completing it.
The above is just one example of workflow automation. The primary goal of IGA should still be automation of management and policy processing, not merely automation of human-driven workflows.
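Here is an added example of the leaver scenario above as code; it is not from the original post. The project membership data, the "min-one-pm" policy and the task states are constructed for illustration.

```python
"""Added example: deprovision a leaver, detect the policy violation this causes,
and open a tracked remediation task instead of blocking the deprovisioning.

The policy, the data model and the task lifecycle are assumptions for illustration."""
from dataclasses import dataclass, field
from itertools import count

# Constructed state: projects and the users holding each project role.
PROJECTS = {
    "A": {"pm": {"u1"}, "dev": {"u2", "u3"}},
    "B": {"pm": {"u4", "u5"}, "dev": {"u1"}},
}

_task_ids = count(1)


@dataclass
class RemediationTask:
    task_id: int
    policy: str
    subject: str           # what is out of compliance, e.g. "project:A"
    assignee: str
    status: str = "open"   # open -> closed
    history: list = field(default_factory=list)


def check_min_one_pm(projects):
    """Policy: every project must have at least one project manager.
    Returns the names of projects currently violating it."""
    return sorted(p for p, roles in projects.items() if not roles["pm"])


def deprovision(user, projects, tasks, owner="pmo-lead"):
    """Remove the user from all projects unconditionally, then re-evaluate the
    policy and open a remediation task for each violation the removal introduced."""
    before = set(check_min_one_pm(projects))
    for roles in projects.values():
        for members in roles.values():
            members.discard(user)
    new_violations = [p for p in check_min_one_pm(projects) if p not in before]
    for p in new_violations:
        task = RemediationTask(next(_task_ids), "min-one-pm", f"project:{p}", owner)
        task.history.append(f"opened: {user} deprovisioned, project {p} has no PM")
        tasks.append(task)
    return new_violations


def remediate(task, projects, new_pm):
    """Human remediation step: assign a new PM. The task closes only if the policy
    is actually satisfied afterwards, so the system, not the human, decides compliance."""
    project = task.subject.split(":", 1)[1]
    projects[project]["pm"].add(new_pm)
    if project not in check_min_one_pm(projects):
        task.status = "closed"
        task.history.append(f"closed: {new_pm} assigned as PM")
    return task.status


def open_tasks(tasks):
    """What the IGA dashboard would show as outstanding remediation work."""
    return [t for t in tasks if t.status != "closed"]
```

The important design point is in deprovision: the leaver is removed first and the violation is recorded second, so a policy can never keep a departed user's access alive.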
4.4 Entitlement Management
Entitlements are fine-grained permissions assigned to identities, granting the identity access to a particular resource. Entitlements are what policy enforcement acts on directly. In simple words: who has access to what?
On one hand, an entitlement is treated as an object with comprehensive attributes (title, description, owner, risk level, tags, etc.) and its own lifecycle (creation, assignment, detachment, deletion, etc.), which the IGA solution manages. On the other hand, once entitlements are assigned to users, the relationship between entitlements and users must be manageable as well.
4.5 Policy and Role Management
Policies are the central piece of IGA and are usually expressed in terms of Roles. Simply put, a Role is a group of entitlements. In the context of IGA, it usually means a grouping of application-specific entitlements such as LDAP groups, application privileges, or account attribute values that map to a specific access control list.
Assigning entitlements to users through roles instead of directly adds an extra layer that makes entitlement management more effective: a change to a role's definition reaches every holder, and a user's access can be explained by the roles they hold.
4.6 Access Request
Access request is a process for controlled, user-driven assignment of roles or entitlements to users.
When a user is provisioned, they are usually assigned some birthright roles and entitlements, and in almost all cases that won't be enough. Depending on the user's specific position, further entitlements need to be assigned. This is usually implemented as a request-and-approval process through a self-service user interface.
The access request process may not be as straightforward as it looks. When access to a resource is requested, it might result in a chain of approvals that must happen in a specific order. Moreover, different resources have different risk levels, and even the same resource can have different access privileges (e.g. read vs. modify), so the request-approval workflow can differ accordingly. Furthermore, separation of duties (SoD) policies must be considered during the approval process for security and compliance purposes. For example, the person who authorizes a paycheck should not also be the one who can prepare it. Rules like this should be clearly defined in the policy set of the IGA platform.
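An added example of evaluating a request against risk-based approval chains and SoD rules, not code from the original post. The entitlement catalog, its owners and risk levels, the approval chains and the SoD rule are all constructed for illustration; the paycheck rule from the text is the one SoD rule.

```python
"""Added example: evaluate an access request against risk-based approval chains
and separation-of-duties (SoD) rules before it is routed to any approver.

The entitlement catalog, risk levels, approval chains and SoD rules are constructed
for illustration and are not taken from any real system."""

# Constructed entitlement catalog: name -> owner and risk level.
ENTITLEMENTS = {
    "payroll:prepare":   {"owner": "payroll-app-owner", "risk": "high"},
    "payroll:authorize": {"owner": "payroll-app-owner", "risk": "high"},
    "wiki:read":         {"owner": "wiki-owner", "risk": "low"},
    "wiki:modify":       {"owner": "wiki-owner", "risk": "medium"},
}

# Assumed approval chains by risk level, in the order approvals must occur.
APPROVAL_CHAINS = {
    "low": ["manager"],
    "medium": ["manager", "owner"],
    "high": ["manager", "owner", "security"],
}

# SoD rules: sets of entitlements one person must never hold at the same time.
SOD_RULES = [
    frozenset({"payroll:prepare", "payroll:authorize"}),  # prepare vs. authorize a paycheck
]

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


def sod_conflicts(current, requested):
    """Return the SoD rules that would be violated if `requested` were added to
    `current`. Checking the combined set also catches a single request that asks
    for both halves of a conflicting pair at once."""
    combined = set(current) | set(requested)
    return [rule for rule in SOD_RULES if rule <= combined]


def evaluate_request(user_entitlements, requested, manager):
    """Reject on unknown entitlements or an SoD conflict; otherwise return the
    ordered approver chain for the highest-risk entitlement in the request."""
    unknown = [e for e in requested if e not in ENTITLEMENTS]
    if unknown:
        return {"decision": "rejected", "reason": f"unknown entitlements: {unknown}"}
    conflicts = sod_conflicts(user_entitlements, requested)
    if conflicts:
        detail = "; ".join(" vs ".join(sorted(c)) for c in conflicts)
        return {"decision": "rejected", "reason": "SoD conflict: " + detail}
    worst = max((ENTITLEMENTS[e]["risk"] for e in requested), key=RISK_ORDER.__getitem__)
    chain = []
    for step in APPROVAL_CHAINS[worst]:
        if step == "manager":
            chain.append(manager)
        elif step == "owner":
            # one approval per distinct owner, in request order
            for owner in dict.fromkeys(ENTITLEMENTS[e]["owner"] for e in requested):
                chain.append(owner)
        else:
            chain.append("security-team")
    return {"decision": "pending", "risk": worst, "approvers": chain}
```

The SoD check runs before any approver is involved: a conflicting request is rejected outright rather than relying on a manager to notice the combination.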
4.7 Access Certification/Attestation
Access privileges in organizations tend to accumulate. When an employee joins a firm, they start with some initial entitlements. When the employee is promoted or switches position within the firm, they are assigned new roles and entitlements so that their account can function. However, removing the privileges of the previous position is just as crucial, and it is easily forgotten. Over time, users accumulate all kinds of unnecessary privileges, which is difficult to manage and increases the risk of a security breach.
There are two types of certification: Certification Campaigns and Microcertifications.
Certification Campaigns aim at certifying all roles held by a large group of users. During a campaign, a designated set of certifiers (usually managers in the organization) review and approve or reject access rights for the group of users or resources. The campaign has a fixed duration, usually on the order of weeks, and is repeated on a regular schedule (e.g. annually).
In contrast, Microcertifications are designed to be shorter, more focused and narrower in scope. Typically this is certification of the role assignments or access granted to a single user, done by a single certifier. Instead of the periodic review of a Certification Campaign, a Microcertification is often triggered by key events in the identity lifecycle (e.g. a change to a new position or role).
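The following added example ties together the mover case from 2.3, the role layer from 4.5 and the event-triggered microcertification described here; it is not code from the original post. The role catalog, the user record and the decision values are constructed for illustration.

```python
"""Added example: handle a job change (a "mover") by computing the entitlement
delta between the old and new roles, and raising a microcertification for the
user's manager covering every entitlement the new roles do not explain.

The role catalog, user record shape and decision values are assumptions."""

# Assumed role catalog: role -> entitlements it grants.
ROLES = {
    "employee": {"mail", "wiki:read"},
    "accountant": {"ledger:read", "ledger:post"},
    "finance-manager": {"ledger:read", "ledger:approve", "reports:finance"},
}


def entitlements_for(roles):
    """Expand a list of roles into the set of entitlements they grant."""
    granted = set()
    for role in roles:
        granted |= ROLES[role]
    return granted


def process_mover(user, new_roles):
    """Apply a role change to `user` (a dict with id, manager, roles, entitlements).
    Returns the provisioning delta and a microcertification for anything left over."""
    old_granted = entitlements_for(user["roles"])
    new_granted = entitlements_for(new_roles)
    # Entitlements the user holds that no old role granted: direct assignments,
    # typically accumulated through access requests in earlier positions.
    direct = user["entitlements"] - old_granted
    to_add = new_granted - user["entitlements"]
    to_remove = old_granted - new_granted          # role-driven: removed automatically
    to_certify = direct - new_granted              # not justified by new roles: human decides
    user["roles"] = list(new_roles)
    user["entitlements"] = (user["entitlements"] - to_remove) | to_add
    certification = {
        "type": "microcertification",
        "trigger": "role-change",
        "user": user["id"],
        "certifier": user["manager"],
        "items": sorted(to_certify),
    }
    return {"add": sorted(to_add), "remove": sorted(to_remove), "certification": certification}


def apply_certification(user, certification, decisions):
    """Apply the certifier's per-item decisions ("approve" or "revoke").
    Revoked items are removed; undecided items are returned so the task stays open."""
    undecided = []
    for item in certification["items"]:
        decision = decisions.get(item)
        if decision == "revoke":
            user["entitlements"].discard(item)
        elif decision != "approve":
            undecided.append(item)
    return undecided
```

The split matters: role-derived access is removed by policy without waiting for a human, while only the leftover direct assignments go to the manager, which keeps the microcertification small enough to actually be read.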
4.8 Auditing
A core feature of IGA platforms is the capability to keep organizations compliant with regulations, and not only to implement compliance but to prove it with evidence. This requires more than logging, which records data for diagnostic purposes. Auditing requires recording operations and events in a systematic way and generating well-structured, business-relevant data.
As almost every operation is recorded in the audit trail, which is usually retained for a long time, the amount of data can be huge. Storing and querying such data is another challenge.
4.9 Analytics and Reporting
Analytics and Reporting in IGA aims to gain insight into user behavior, access patterns and compliance risk by analyzing identity data, summarizing and extracting the relevant information, and providing reports and visual diagrams. Identity analytics dives deep into the data, considering it in context and using complex models to extract useful information.
Analytics and Reporting can be split into two parts. The first is responsible for processing data, generating reports and detecting situations that require attention. The second is about triggering actions based on the results: bringing attention to suspicious operations, suggesting improvements, and so on.
One important outcome of analytics and reporting concerns risk. The information extracted from identity data needs to be converted into actions to have any effect, and a good way to convey it to the IGA team is to tag identified items with risk levels so that the team can quickly prioritize the work.
5. IAM vs. IGA
Although the terms IAM and IGA have been around for a long time, there are no authoritative definitions of the two or of the relationship between them. Sometimes IGA is described as a subset of IAM; other times as a separate area that overlaps with IAM. In a general sense there are certainly common parts, such as identity management, authentication and access control. The differences are more interesting, though.
At a high level, IGA is about identity management in a broader scope, as its name says: Governance and Administration. These focus on two components, identity lifecycle management and access permission management, and IGA features such as synchronization/reconciliation, workflow automation, access request and entitlement management all revolve around them.
IAM, by its name, is about Identity Management and Access Management. Identity Management covers creating, maintaining and deleting identities as well as defining permissions and roles for each identity; this part is similar to IGA. However, IAM platforms do not usually have comprehensive entitlement management, access certification, policy management, or analytics and reporting. The Access Management part, on the other hand, is about access enforcement, i.e. authentication and authorization. Complex authentication journeys with SSO, MFA, FIDO and integration with other systems are typical of IAM.
In an enterprise setting, both IAM and IGA are usually implemented. Although there is some overlap between the two, adopting both platforms and letting each fulfil its function is still a big win for the enterprise. It would be great if there were products covering both IAM and IGA without overlap, but for historical reasons products on the market today are usually categorized as either IAM or IGA.
6. Sum Up
In this post we looked at what IGA is and why it matters. Then we took a peek at a sample architecture of an IGA platform in an organization. After that, we explored the core features an IGA platform should have. Finally, we compared IGA and IAM to see some of their similarities and differences.