What is Identity Governance?
The primary job of identity governance (also known as identity governance and administration, or IGA) is to allow organizations to manage digital user identities and access privileges so that they can prevent inappropriate access and comply with a complex web of laws and regulations that vary by region. In short, it lets organizations see which users have access to which resources.
This need for control over user access is why identity governance is so important. Employees and contractors need access to applications and data to do their jobs, but too much access (also known as overprovisioned access) is risky. You want recruiters, for example, to have access to human resources systems, but probably not to payroll data. Access control is equally or more important when provisioning contractors or partners, because third parties may not follow security practices consistent with those of the organization: they may connect from unsecured networks, for example, or use weak passwords that leave them vulnerable to compromise. It is critical to ensure that user access is strictly limited.
Identity governance makes this possible by providing visibility into every user's role and entitlements, in other words, the resources they are authorized to access. With this visibility, IT and security teams can monitor and control access requests, expanding or revoking permissions as needed. Identity governance lets organizations implement the right controls to streamline and simplify access for legitimate users, minimize the risk of unauthorized access, and maintain regulatory compliance.
Why identity governance has had to modernize
Today's workforce conducts more business over the internet than ever before. Employees access applications in the data center and various clouds while connecting from any number of locations and networks. These advancements have created an explosion in identity data, overwhelming risk and security professionals with an enormous number of user identities, roles, and entitlements that need to be continuously managed.
A traditional approach to identity and access management (IAM) that relies on integrating disparate solutions to manage identities, access, and governance can no longer support the complexities of today's enterprise. The root of the problem for today's security and risk professionals is that existing identity and access management and governance solutions are slow, complicated, and built on legacy concepts, often requiring manual processes for assigning permissions. They simply weren't designed to manage ever-changing roles and entitlements that are a reality today.
Modern identity governance helps organizations automate multiple processes, such as account and entitlement provisioning, access requests, and enforcement of segregation of duties policies. It helps security and IT teams stay ahead of the volume and velocity of access changes they face every day.
Automation is the answer to addressing identity governance in the hybrid world, in which people are connecting from everywhere to applications and resources that may be in a public cloud, private cloud, or on-premises data center. A solution based on artificial intelligence (AI) and machine learning (ML) can correlate and analyze massive amounts of data, spot anomalous behavior or suspicious access requests, recommend access, and automate existing IGA processes so that business processes become self-driving.
Segregation of Duties
Segregation of duties is a key component of the Sarbanes-Oxley Act. It is based on the principle that any one person should be prevented from having privileges sufficient to misuse systems on their own, and its purpose is to reduce the risk of erroneous or fraudulent activities that could damage the business.
Identity governance helps organizations enforce segregation of duties policies with strong access controls based on a user's role and the context of each access request. Such role-based access control (RBAC) and attribute-based access control (ABAC) ensure that conflicting duties cannot be performed by the same user.
How modern identity governance protects enterprises from noncompliance
The task of security and risk teams has become increasingly difficult in the face of an expanding array of government and industry regulations:
- The Federal Information Security Modernization Act (FISMA)
- The Sarbanes-Oxley (SOX) Act of 2002
- Health Insurance Portability and Accountability Act (HIPAA) of 1996
- The General Data Protection Regulation (GDPR)
- The California Consumer Privacy Act (CCPA)
- Similar regulations drafted or enacted in dozens of other countries
Most of these regulations have to do with protecting a consumer's privacy and data by regulating the collection, use, and sharing of personal information. Some laws regulate how and where consumer data may be stored and for how long. Maintaining compliance becomes complicated when a cloud service's data storage is outside of the consumer's region, as laws such as GDPR apply to organizations operating inside and outside the EU.
Organizations are facing increased regulatory scrutiny, and noncompliance fines for large enterprises can amount to millions of dollars. A global insurance provider was recently fined $10 million for failure to comply with Sarbanes-Oxley regulations designed to ensure the proper identification of existing customers and their pension funds. The U.S. Department of Health and Human Services, during an audit for HIPAA compliance, fined a Tennessee-based management company $2.3 million for a breach caused by compromised administrator credentials.
To help protect against unauthorized access and the compromise of sensitive data, the U.S. Government's National Institute of Standards and Technology (NIST) recommends adopting a Zero Trust approach. In general, Zero Trust restricts access rights to the minimum necessary to perform job functions. This restriction is known as the principle of "least-privilege." If User A is only authorized to access Application B during certain hours, there is little chance that User A could move laterally on the network to look at sensitive data and resources to which the user has no access privileges.
However, the explosion of user identities makes it even more difficult to ensure least-privileged access, especially today when many employees work remotely, often using unmanaged devices.
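As an added illustration of the two controls described above (the segregation of duties check and least-privilege, time-bounded access), the following Python is example code written for this page, not ForgeRock's configuration or API. The role-to-entitlement mapping, the conflict pairs and the access window are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data (not ForgeRock's configuration): roles grant entitlements.
ROLE_ENTITLEMENTS = {
    "recruiter": {"hr:candidates:read", "hr:offers:create"},
    "payroll_clerk": {"payroll:run:execute"},
    "ap_clerk": {"ap:vendor:create", "ap:invoice:enter"},
    "ap_approver": {"ap:payment:approve"},
}

# Segregation-of-duties policy: entitlement pairs no single user may hold together.
SOD_CONFLICTS = {
    frozenset({"ap:vendor:create", "ap:payment:approve"}),
    frozenset({"ap:invoice:enter", "ap:payment:approve"}),
    frozenset({"hr:offers:create", "payroll:run:execute"}),
}

# Least-privilege time windows as zero-padded "HH:MM" local times; unlisted entitlements are untimed.
ACCESS_WINDOWS = {"payroll:run:execute": ("09:00", "17:00")}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    direct_grants: set = field(default_factory=set)  # entitlements assigned outside any role

def effective_entitlements(user):
    """Union of role-derived and directly assigned entitlements."""
    return set(user.direct_grants).union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in user.roles))

def sod_violations(user):
    """Conflicting pairs the user already holds (what an access certification would flag)."""
    ents = effective_entitlements(user)
    return {pair for pair in SOD_CONFLICTS if pair <= ents}

def evaluate_request(user, requested):
    """Provisioning decision: deny if granting `requested` would introduce a new SoD conflict."""
    would_hold = effective_entitlements(user) | {requested}
    new_conflicts = {p for p in SOD_CONFLICTS if p <= would_hold} - sod_violations(user)
    if new_conflicts:
        return "deny", "SoD conflict: " + "; ".join(sorted(" + ".join(sorted(p)) for p in new_conflicts))
    return "approve", "no SoD conflict"

def check_access(user, entitlement, now_hhmm):
    """Runtime decision: the user must hold the entitlement and be inside its time window."""
    held = entitlement in effective_entitlements(user)
    window = ACCESS_WINDOWS.get(entitlement)
    return held and (window is None or window[0] <= now_hhmm <= window[1])
```

Direct grants outside any role are included deliberately, since they are where overprovisioned access typically hides during a certification review.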
About ForgeRock Identity Governance
Focused on addressing enterprise and large enterprise IAM requirements, ForgeRock Identity Governance combines identity management, access management, and identity governance within a single, converged solution. It enables organizations to secure user access, maximize employee and contractor productivity, and strengthen security, all to protect data and maintain regulatory compliance.
ForgeRock Identity Governance combines three primary components: Access Certifications to accelerate access decision-making with AI-informed recommendations; Access Requests to provide users with a 24/7 self-service portal and to automate application access; and Segregation of Duties to ensure regulatory compliance when and where you need it.