
A broader definition of identity governance

The definition of identity governance has evolved to include a tool that could prove challenging for enterprises to implement.

Several vendors are using the term "identity governance" to describe their products. Is this an emerging product set? Is it mostly to help with compliance gaps, or does it have broader applicability?

In an age of high-profile data breaches, protection of digital assets has become increasingly important. Amid an escalating number of security incidents -- Verizon alone reported more than 1,300 incidents with confirmed data loss in 2013 -- compliance with numerous industry regulations has become a challenge for many organizations. When the threat of lawsuits and fines looms -- as well as the potential damage to an organization's reputation and stock price -- identity controls become critical for restricting and auditing access.

A major pioneering effort in identity governance originated with the Identity Governance Framework, a project of the Liberty Alliance that has been defunct since 2009. It attempted to standardize the treatment of identity information with protocols such as SAML and LDAP. The framework also focused on rules to govern the exchange of data between applications, both internal and external to an organization. Some of the vendors currently selling identity governance products are founders of the initiative, including CA Technologies and Oracle.

However, the term "identity governance" has evolved to represent a convergence of compliance and identity management, including the centralized provisioning of users, granting granular access to digital assets, and auditing that access. Unlike previous technologies, which only created or deleted users, identity governance tools document and enforce access policies, offering enhanced auditing capabilities to meet compliance goals and reduce risk.

The successful implementation of an identity governance product requires a solid user and data classification structure within an organization. There should be well-defined organizational units with clearly outlined roles and policies. Data governance rules should also be clearly documented. Otherwise, attempts at deployment are doomed, usually resulting in a project that never ends because there's no solid foundation for governance.


This was last published in May 2014
