IAM 101 Series: What Is Identity Governance and Administration?

What is Identity Governance and Administration (IGA)? 

Identity governance and administration (IGA) enables admins, security teams, and internal auditors to manage and reduce the risk that comes with excessive or unnecessary user access to applications, systems, and data.

As the digital world continues to evolve, IGA is now mission-critical to secure every organization. Yet few know what it is. With new data privacy and security regulations constantly emerging, organizations must now balance risk and customer experience while achieving regulatory compliance. Having the right identity governance and administration solution in place can play a crucial role in achieving this balance, keeping workforces productive, and enterprises secure. To fully understand what IGA is and why it’s become such a priority, we must look at how the need for it emerged in the first place.

The Early Years: User Provisioning and Mounting Regulations

To understand IGA, it’s important to understand what provisioning is and how user data was initially stored. User provisioning is the process that ensures that user accounts are created with the proper permissions. IT administrators use provisioning to monitor and control access to systems and applications. 

In the early years of the digital age (1980s - early 90s), user provisioning was rather straightforward as it focused solely on users (employees) within an organization. Access to users outside an organization, like customers or citizens, was not common. Additionally, there weren’t as many systems within an organization to manage access to, making the provisioning process relatively manageable. 

During this time, servers housed user accounts and identity data centrally on on-premises systems within the enterprise. However, in the mid-late 1990s as the .com market rapidly took off and external user access to systems and applications became ubiquitous, more sensitive user data such as name, address, social security number, country code, email address, bank account number, etc. were collected by global organizations. The need to protect this personally identifiable information (PII), the systems and applications that hosted this information quickly became critical. To address these requirements, new regulations were enacted that mandated stricter security protocols for user access permissions, required improved controls and policies to prove to auditors that the protocols had been implemented. 

The Rise of Identity Governance Regulations

Introduced in 1996, the Health Insurance Portability and Accountability Act (HIPAA) was created to provide stronger data privacy and security provisions for safeguarding medical information. As physicians later moved to digitized health records, the HIPAA Security Rule was issued as a best practice for securing sensitive digital information and establishing national standards to protect individuals’ electronic personal health information. This rule required appropriate administrative, physical, and technical safeguards to ensure the security of patient data. 

In 2002, Sarbanes-Oxley Act (SOX) was introduced to bolster stronger trust and security around the financials of publicly traded companies. SOX imposed even more regulatory protocols regarding electronic records. It mandated the joint responsibility of auditors and management for the detection of fraud and external threats, requiring stringent record keeping, audits, and controls. Noncompliance with SOX can cost organizations up to $25 million in fines, criminal and civil prosecution, and prison sentences of up to 20 years for those found in breach of the mandate.

In 2006, the PCI Council (formed by American Express, Discover Financial Services, JCB International, MasterCard and Visa) created a body of security standards known as the Payment Card Industry Data Security Standard (PCI DSS). Every merchant that accepts credit card payments must be in compliance with PCI DSS. PCI DSS includes requirements for security management, policies, procedures, and other critical protective measures. Failure to comply with PCI mandates leaves businesses vulnerable to the negative impacts of data breaches, such as fines, fees, and lost business.

With these new regulations and stricter protocols, organizations began to feel the strain of ensuring and proving compliance. This pressure only intensified in the mid-2000s as the market saw a massive increase in enterprise user demand for access to cloud-based applications and systems. As a result, this created a larger provisioning problem. Existing user provisioning solutions only supported internal user (employee) populations. They were not equipped to handle the growing numbers of users, accounts, systems and applications while trying to continue to meet regulatory compliance requirements. The need for a solution that supported user provisioning and management for internal and external systems and applications thus emerged. 

Turning to Identity Management as a Possible Fix

As traditional provisioning solutions struggled to keep up with increasing identity demands and regulations, many organizations turned to identity management (IDM) solutions to address these challenges. With the digital landscape evolving at a rapid pace as the introduction of cloud and software-as-a-service (SaaS) applications and solutions began sweeping through the enterprise landscape. The transition to these technologies meant that internal user identities were now being used to access new external cloud-based applications and systems outside of the enterprise network. The result was a tangled web of access to internal and external systems; a disorganized mass of accounts for workforce, consumers, and partners; and varying levels of access across multiple environments. 

Because of these new and ever-growing challenges, identity management solutions were unable to meet compliance regulations to ensure user access was reviewed, allowed, and/or revoked periodically. As a result, organizations would manually create and review user access certifications via spreadsheets distributed by email to business line managers annually or biannually for review and approval. Yet, with the exploding number of internal and external user identities, systems, and cloud applications, this process was no longer a scalable or viable option. With pressure mounting on organizations to achieve regulatory compliance, a new approach was needed.

The Emergence of Identity Governance and Administration

With a new approach, the existing user provisioning market morphed into identity management. In parallel, the genesis of identity governance came about due to the growing number of compliance regulations. Over time, both the identity management and identity governance markets merged into one market: identity governance and administration (IGA). IGA solutions address the needs of regulatory compliance through identity governance and user provisioning requirements through administration. In addition, identity governance and administration addresses user access privileges for both on-premises systems and applications, as well as cloud-based applications and systems, bridging the gap where previous solutions fell short.

Today, identity governance and administration helps organizations address common business challenges throughout their network and users. Benefits include better access compliance through certifying the appropriate level of users’ access and enhanced business productivity by providing this access to the right resources at the right time. IGA also benefits security and risk management by allowing organizations to govern user access with policy-based controls and minimizing operational inefficiencies by streamlining business processes.

In addition to helping overcome business challenges, Identity Governance and Administration supports a number of underlying use cases. These use cases include;  access requests (users requesting access to systems and applications), access approvals (managers approving user requests), access reviews (managers confirming user approvals or revoking user access), and role optimization (reviewing and updating role definitions).

 

Identity Governance and Administration Blog.png

 

ForgeRock Identity Governance and Administration

The ForgeRock Identity Governance and Administration solution is an integral part of ForgeRock’s comprehensive identity platform. It allows you to establish policies for user access rights and continuously monitor their proper implementation from a centralized location. Through a periodic access review process — tied to a powerful workflow engine to ensure closed-loop remediation and built-in risk management and reporting — you can strengthen your security posture and automatically drive regulatory compliance.

Learn more about identity governance and administration and ForgeRock IGA by watching the webinar The Evolution and Modernization of Identity Governance or contact us today.