What is Identity Governance?

The primary job of identity governance — also known as identity governance and administration, or IGA – is to allow organizations to manage digital user identities and access privileges so that they can prevent inappropriate access and comply with a complex web of laws and regulations that vary by region. In short, it allows organizations to see what users have access to which resources.

The need for this control over user access is why identity governance is so important. Employees and contractors need to access applications and data to do their jobs, but too much access — also known as overprovisioned access – is risky. You want recruiters, for example, to have access to human resources systems, but probably not payroll data. Access control is similarly important, or more so, when provisioning contractors or partners. Third parties may not use security practices that are consistent with those of the organization. For example, they may connect from unsecured networks or use weak passwords that make them vulnerable to compromise. It's critical to ensure that user access is strictly limited.

How identity governance makes this possible is by providing visibility into every user's role and entitlements – in other words, the resources they are authorized to access. By gaining this visibility, IT and security teams can monitor access requests and control them, expanding or revoking permissions as needed. With identity governance, organizations can implement the right controls to streamline and simplify access for legitimate users, minimize the risk of unauthorized access, and maintain regulatory compliance.

How modern identity governance protects enterprises from noncompliance

The task of security and risk teams has become increasingly difficult in the face of an expanding array of government and industry regulations:

• The Federal Information Security Modernization Act (FISMA)
• The Sarbanes-Oxley (SOX) Act of 2002
• Health Insurance Portability and Accountability Act (HIPAA) of 1996
• The General Data Protection Regulation (GDPR)
• The California Consumer Privacy Act (CCPA)
• And Dozens More Countries with Similar Regulations Drafted or Enacted

Most of these regulations have to do with protecting a consumer's privacy and data by regulating the collection, use, and sharing of personal information. Some laws regulate how and where consumer data may be stored and for how long. Maintaining compliance becomes complicated when a cloud service's data storage is outside of the consumer's region, as laws such as GDPR apply to organizations operating inside and outside the EU.

Organizations are facing increased regulatory scrutiny, and noncompliance fines for large enterprises can amount to millions of dollars. A global insurance provider was recently fined $10 million for failure to comply with Sarbanes-Oxley regulations designed to ensure the proper identification of existing customers and their pension funds. The U.S. Department of Health and Human Services, during an audit for HIPAA compliance, fined a Tennessee-based management company $2.3 million for a breach caused by compromised administrator credentials.

To help protect against unauthorized access and the compromise of sensitive data, the U.S. Government's National Institute of Standards and Technology (NIST) recommends adopting a Zero Trust approach. In general, Zero Trust restricts access rights to the minimum necessary to perform job functions. This restriction is known as the principle of "least-privilege." If User A is only authorized to access Application B during certain hours, there is little chance that User A could move laterally on the network to look at sensitive data and resources to which the user has no access privileges.

However, the explosion of user identities makes it even more difficult to ensure least-privileged access, especially today when many employees work remotely, often using unmanaged devices.