What Is Identity Governance and Administration?
Identity Governance and Administration (IGA) is the ability to manage and reduce the risk that comes with excessive or unnecessary user access to applications, systems, and data.
Users want to have easy and rapid access to all the applications they need to do their jobs. As a security-conscious organization, you need to balance requests for immediate application access with security and reduce the risk associated with this process as much as possible.
Many organizations rely on manual processes or scripts to grant immediate access to users, but fail to implement proper monitoring and governance controls to determine whether those users should continue to have that access. When auditors ask for proof of proper detective and preventive controls, organizations often fall back on legacy processes built on spreadsheets, emails, and other manual steps. The worst case is a security team triaging an incident that has to rely on searching through emails and spreadsheets to reconstruct the chain of events.
There is a better way — a centralized solution that allows you to perform a periodic review of access by users, managers, or application or data owners. The solution should also enable you to set policies on access, risk, and Segregation of Duties (SoD) violations so that reviewers can make informed decisions about whether access is still valid or not. Finally, you need to be able to audit and report on this data so that you can address regulatory or audit requirements. Gartner calls this category Identity Governance and Administration.
ForgeRock Identity Governance allows you to do all of this through a simple-to-use web interface. It can also perform prevention and detection policy checks for Segregation of Duties (SoD). Identity Governance integrates into workflows within ForgeRock’s industry-leading identity management platform, so you can take immediate remediation actions. This ensures that unnecessary access is immediately revoked without any additional work on your part.
Reduce Risk and Improve Regulatory Compliance
Understanding and measuring risk is the first step toward reducing it. The biggest internal risk for any organization comes from the number of sensitive applications and the volume of users who have access to applications and their entitlements. You likely have many applications, each with hundreds, if not thousands, of user entitlements. Each entitlement may have varying degrees of risk.
Identifying high-risk entitlements and automatically tagging them as such allows you to gain an understanding of your overall risk posture. The ForgeRock Identity Governance platform, with real-time synchronization, allows you to view all entitlements currently under management. Administrators can tag entitlements with a risk score, giving you a clear picture of the overall risk of a given system or user.
Once you understand the risk level of current access and entitlements, the next step is to reduce risk by removing unnecessary access. Traditionally, this has been accomplished by manual reviews of access in spreadsheets by managers or application owners. The ForgeRock Identity Governance platform, with its flexible access review and scheduling process, sends notifications to the appropriate reviewers to verify user access. When the review or certification is complete, the integrated workflow engine can kick off appropriate workflow or provisioning processes to revoke high-risk, unnecessary access from the user. You can reduce your overall organizational risk by performing this access review on a regular basis for high-risk entitlements and for all user entitlements on an occasional basis.
Performing these access reviews is not just a security best practice to reduce risk; it is also mandated by many regulations, such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the General Data Protection Regulation (GDPR). With integrated auditing and reporting, Identity Governance allows you to prove to your internal and external auditors that you are following the regulations and security best practices, and gives them the reports they need for verification.
Create Exceptional User Experiences
Reducing risk by tightening security often means organizations force users to take on additional security and compliance burdens. Instead, tighter security has to be carefully balanced with user control and empowerment. If managers are required to perform user access reviews too frequently and repeat the same tasks without understanding the context, this can easily lead to a poor user experience and employee disgruntlement. If managers continue to perform certifications without understanding what they are reviewing, they may approve entitlements without paying close attention to them. This can weaken your security posture, result in regulatory fines, and — even worse — expose your organization to a breach.
Identity Governance reduces user friction during the certification process by prompting only for certification of high-risk entitlements on a regular basis. It leverages risk metrics on the user role, the entitlements, and even the certifications themselves, presenting reviewers with only the most critical information. Managers can sort reviews by risk level and work on high-risk items first, focusing their time and resources on understanding why users are marked as high-risk.
Risk may not be the only criterion for a certifier when deciding whether a user should continue to have an access grant. Understanding what that access allows the user to do, and why it is marked as a high-risk entitlement, is also critical to making an informed decision. Identity Governance allows you to enhance the entitlement data with a rich identity glossary that translates cryptic technical language into business-friendly terms. This allows certifiers to make their allow or revoke decisions with ease and confidence.
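The risk-scored certification flow described above (tag each entitlement with a risk score, prompt reviewers only for high-risk grants each cycle, sort the queue by risk, show a glossary description instead of the raw technical name, and turn a revoke decision into a de-provisioning action) is shown here as an added example. It is not ForgeRock code; the entitlement names, risk scores, users, managers and glossary text are constructed sample data, and the threshold of 7 for "high risk" is an assumption.

```python
"""Risk-scored entitlements and a certification campaign (added example, not ForgeRock code).

All entitlements, users, managers, risk scores and glossary text below are
constructed sample data; the HIGH_RISK threshold is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    app: str
    name: str       # cryptic technical name as the target system reports it
    risk: int       # 1 (low) .. 10 (high), assigned by an administrator
    glossary: str   # business-friendly description shown to the certifier


@dataclass
class Grant:
    user: str
    manager: str
    entitlement: Entitlement


# Constructed entitlement catalogue with administrator-assigned risk scores.
CATALOGUE = {
    ("sap", "Z_FI_PAY_RUN"): Entitlement("sap", "Z_FI_PAY_RUN", 9, "Release vendor payment runs"),
    ("sap", "Z_FI_VEND_MAINT"): Entitlement("sap", "Z_FI_VEND_MAINT", 8, "Create or change vendor bank details"),
    ("ad", "CN=Domain Admins"): Entitlement("ad", "CN=Domain Admins", 10, "Full administrative control of the Windows domain"),
    ("ad", "CN=VPN-Users"): Entitlement("ad", "CN=VPN-Users", 2, "Remote access to the corporate network"),
    ("jira", "jira-users"): Entitlement("jira", "jira-users", 1, "Log in to the ticketing system"),
}

# Constructed current access grants, each with the manager who certifies it.
GRANTS = [
    Grant("alice", "dana", CATALOGUE[("sap", "Z_FI_PAY_RUN")]),
    Grant("alice", "dana", CATALOGUE[("sap", "Z_FI_VEND_MAINT")]),
    Grant("alice", "dana", CATALOGUE[("jira", "jira-users")]),
    Grant("bob", "dana", CATALOGUE[("ad", "CN=Domain Admins")]),
    Grant("bob", "dana", CATALOGUE[("ad", "CN=VPN-Users")]),
    Grant("carol", "erin", CATALOGUE[("ad", "CN=VPN-Users")]),
]

HIGH_RISK = 7  # assumed threshold: grants at or above this are certified every cycle


def user_risk(grants, user):
    """Risk of a user is the highest single entitlement risk they hold, so one
    Domain Admins grant is not diluted by many low-risk grants."""
    return max((g.entitlement.risk for g in grants if g.user == user), default=0)


def build_campaign(grants, manager, full_review=False):
    """Review queue for one manager, highest risk first. A regular campaign
    prompts only for high-risk grants; the occasional full review includes all."""
    items = [g for g in grants if g.manager == manager
             and (full_review or g.entitlement.risk >= HIGH_RISK)]
    items.sort(key=lambda g: (-g.entitlement.risk, g.user, g.entitlement.name))
    return [
        {"user": g.user, "app": g.entitlement.app, "entitlement": g.entitlement.name,
         "risk": g.entitlement.risk, "meaning": g.entitlement.glossary}
        for g in items
    ]


def decide(grants, decisions):
    """Apply certifier decisions. `decisions` maps (user, app, entitlement) to
    'allow' or 'revoke'. Returns the surviving grants and the de-provisioning
    actions a workflow engine would execute for every revoke."""
    remaining, actions = [], []
    for g in grants:
        key = (g.user, g.entitlement.app, g.entitlement.name)
        if decisions.get(key) == "revoke":
            actions.append({"action": "remove", "user": g.user,
                            "app": g.entitlement.app, "entitlement": g.entitlement.name})
        else:
            remaining.append(g)
    return remaining, actions


if __name__ == "__main__":
    for item in build_campaign(GRANTS, "dana"):
        print(item)
    left, todo = decide(GRANTS, {("bob", "ad", "CN=Domain Admins"): "revoke"})
    print(todo, "bob risk after revoke:", user_risk(left, "bob"))
```

Aggregating user risk as a maximum rather than a sum is a deliberate choice: a summed score lets one domain-admin grant hide behind a dozen harmless ones, which is exactly the case a certifier should see first.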
Improve Security and Business Agility
Many organizations have security policies that govern which users should have access to systems based on their roles and responsibilities. Security-conscious organizations also set policies on which user roles should not be granted access to sensitive systems. The challenge is ensuring that these policies are enforced reliably and regularly across the entire organization. Many organizations lack the necessary tools to find out when violations occur or to reliably remediate them.
ForgeRock Identity Governance, with its powerful policy enforcement engine, allows you to define your security policies and then evaluate those policies during account creation, update, or delete operations. This ensures that the user provisioning process follows established security policies.
Identity Governance also enables you to periodically run policy check scans. These regular checks protect you by quickly detecting any unwanted or excess access. By tying policy checks to our powerful workflow engine, Identity Governance allows you to define a predetermined mitigation action. That action can be as simple as removing access immediately, notifying an administrator to take corrective action, or sending user access to a manager or application custodian for review. This improves security by preventing policy violations during access grant, detecting risk, and responding by taking appropriate corrective action.
Organizations are constantly evolving to handle business demands arising from initiatives like digital transformation, cloud migration, or mergers and acquisitions (M&A). Securing key corporate assets during large-scale, critical evolutionary phases is key to securing your business, as well as improving business agility.
With its industry-leading identity and relationship lifecycle engine, ForgeRock enables you to easily and seamlessly restructure your organization during these transformational events and helps you quickly onboard new employees from M&As, while keeping their relationships intact. ForgeRock Identity Governance adds an additional layer of security to business agility by allowing you to quickly scan for security policy violations from a central location.
Identity Governance provides a simple web interface for users requesting access to systems and applications. Based on the request type and risk score of the entitlement, access can be automatically provisioned or sent for additional approvals through the workflow engine. IT administrative teams are no longer burdened by the task of having to add or manage user access. Instead, Identity Governance brings access requests closer to business users. This reduces friction because users and their managers are now in control of what access they need and when. It also improves the overall security of the organization because instead of spending valuable time and resources supporting hundreds or thousands of account modifications, IT can now focus its energy on implementing centralized policies that govern how a request should be routed for appropriate approval through the workflow engine.
Identity Governance provides you with the ability to perform access reviews or certifications on a periodic schedule, based on events, or even ad hoc. Regulations like Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the General Data Protection Regulation (GDPR) require that user access is regularly reviewed by users or custodians who must confirm that access should continue. The traditional method of performing this task with spreadsheets and email is both laborious and time-consuming. ForgeRock simplifies this process. Identity Governance allows you to perform this task from a web interface and ties it to a flexible workflow engine, giving application and data owners control over who should have access to their systems.
ForgeRock Identity Governance allows you to define security policies that can be enforced as prevention controls during provisioning of accounts or as detection controls for periodic scans for the purpose of discovering rogue access. These policies could be a simple check to verify data integrity — for example, making sure a new employee is assigned the correct title and location information. Identity Governance security policies also provide oversight for more complex Segregation of Duties (SoD) checks, such as ensuring that a developer does not have access to the production environment without having a support ticket assigned. This allows you to stay compliant with both organizational and regulatory policies.
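The policy model described in this section and in the Improve Security and Business Agility section above (policies evaluated as a prevention control when an account is provisioned, and again as a detection scan over existing access, each tied to a predetermined mitigation action) is shown here as an added example in Python. It is not ForgeRock code: the policy names, the `prod-ssh` and SAP entitlement names, the account attributes and the three mitigation actions (`revoke`, `notify`, `review`) are constructed for illustration, including the developer-needs-a-ticket and new-employee-attributes checks the text uses as its own examples.

```python
"""Security policies as prevention and detection controls (added example, not ForgeRock code).

Accounts, entitlement names, policy names and mitigation actions are constructed
for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Account:
    user: str
    title: Optional[str]
    location: Optional[str]
    entitlements: set = field(default_factory=set)
    open_tickets: set = field(default_factory=set)   # support tickets assigned to the user


@dataclass(frozen=True)
class Policy:
    name: str
    check: Callable[[Account], bool]      # returns True when the account is compliant
    action: str                           # "revoke", "notify" or "review" (constructed actions)
    revoke: frozenset = frozenset()       # entitlements removed when action == "revoke"


# Data-integrity check from the text: a new employee must carry title and location.
def has_identity_attrs(acct: Account) -> bool:
    return bool(acct.title) and bool(acct.location)


# SoD check from the text: a developer may hold production access only with a support ticket.
def dev_prod_needs_ticket(acct: Account) -> bool:
    if "prod-ssh" in acct.entitlements and acct.title == "Developer":
        return bool(acct.open_tickets)
    return True


# Classic SoD pair (constructed): nobody both maintains vendor bank details and releases payments.
def no_vendor_and_payment(acct: Account) -> bool:
    return not {"Z_FI_VEND_MAINT", "Z_FI_PAY_RUN"} <= acct.entitlements


POLICIES = [
    Policy("identity-attributes-complete", has_identity_attrs, "notify"),
    Policy("developer-prod-access-requires-ticket", dev_prod_needs_ticket, "revoke", frozenset({"prod-ssh"})),
    Policy("sod-vendor-vs-payment", no_vendor_and_payment, "review"),
]


def violations(acct: Account, policies=POLICIES):
    return [p for p in policies if not p.check(acct)]


def provision(acct: Account, entitlement: str, policies=POLICIES):
    """Prevention control: evaluate policies against the account as it would look
    after the grant, and refuse the grant if any policy would be violated."""
    candidate = Account(acct.user, acct.title, acct.location,
                        acct.entitlements | {entitlement}, set(acct.open_tickets))
    broken = [p.name for p in violations(candidate, policies)]
    if broken:
        return False, broken
    acct.entitlements.add(entitlement)
    return True, []


def scan(accounts, policies=POLICIES):
    """Detection control: evaluate every account as it exists today and return the
    mitigation actions the workflow engine should carry out; revokes are applied."""
    actions = []
    for acct in accounts:
        for p in violations(acct, policies):
            actions.append({"user": acct.user, "policy": p.name, "action": p.action})
            if p.action == "revoke":
                acct.entitlements -= p.revoke
    return actions


if __name__ == "__main__":
    # Constructed accounts: alice has production access with no ticket,
    # bob is the compliant counterpart, carol is missing a title and holds an SoD pair.
    accounts = [
        Account("alice", "Developer", "Berlin", {"prod-ssh"}),
        Account("bob", "Developer", "Berlin", {"prod-ssh"}, {"INC-1042"}),
        Account("carol", None, "Austin", {"Z_FI_VEND_MAINT", "Z_FI_PAY_RUN"}),
    ]
    print(provision(accounts[0], "Z_FI_PAY_RUN"))
    for action in scan(accounts):
        print(action)
```

The prevention path evaluates a copy of the account with the requested entitlement added, so a grant that would only become a violation in combination with what the user already holds is refused before anything reaches the target system; the detection path catches the same combinations when they were created outside the provisioning workflow.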
Role Lifecycle Management
Every organization that relies on a role-based access control (RBAC) model for security and access needs to periodically review the current role definitions and update them in accordance with changing business needs. Identity Governance’s role lifecycle management capabilities provide a logical process for performing this review and creating, updating, or deleting roles as appropriate. Roles can be assigned to owners, so that any changes to role definitions are approved by them as required. Roles can also be augmented with risk scores to ensure that high-risk roles are reviewed with greater scrutiny. If a user is granted a high-risk role, access can also be routed for additional approvals if needed.
ForgeRock Identity Governance allows you to augment account entitlement data with additional information and to translate IT terminology into business-friendly, human-readable language. Identity Governance also allows you to set risk scores on entitlements so that you can use risk levels during provisioning workflows. More importantly, you can take them into account during access reviews or certification processes to ensure there is no unauthorized access escalation. Identity Governance also allows you to designate appropriate owners for provisioning approval workflows. This helps ensure that the right users are getting the right entitlements.