One of the key components of identity and access management is identity governance, which centralizes and orchestrates control of identity management and access.
In a nutshell, identity governance is about the "what," while IAM is the "how." That is, identity governance is about doing things like determining and automating privilege assignment to users based on roles -- i.e., "Mary is a level-one accountant, and level-one accountants get access to the following resources … ." In contrast, IAM is about ensuring that the users get only the privileges assigned to them: "Here's how we ensure that all approved users gain access to these resources."
To put it in technical terms, identity governance products streamline and automate the definition, enforcement, review and audit of identity access management. They also help ensure an organization complies with all necessary laws and regulations, such as the Sarbanes-Oxley Act and HIPAA.
Identity and access management is among the top five 2019 cybersecurity initiatives, according to a recent TechTarget study. This means identity governance is a top concern too.
What identity governance tools can do
Identity governance tools typically include the following functionality:
User provisioning. This is the process of ensuring that new users, or users moving to new roles, are both given the privileges they should have and are stripped of those that no longer apply. Identity governance tools typically automate the process of user provisioning, thereby reducing the amount of routine administrative work cybersecurity professionals and application and business owners must do.
Self-service enablement. This refers to enabling users to submit their own access requests and track the approval process. Often, these identity governance tools include automated workflows for account registration, profile management and password or username recovery.
Privileged account governance. This refers to simplifying the process of overseeing privileged accounts (i.e., those of the superusers who have the ability to modify the entire access structure). It's critical to include the governance of privileged accounts and administrators in the same framework as the identity governance of more typical users, so the same ability to automate workflows and permissioning should apply. However, because privileged account access carries a greater risk, there should be proportionately greater controls built into the automation.
Access certification. This refers to assisting business owners in conducting their access reviews, certifying that only people who should have access to specific resources do have access. This doesn't sound like a hard problem, but in large or complex enterprise organizations, the business owners need business context and risk-based prioritization to confirm that the right individuals do or don't have access. In other words, it's hard to tell whether Bob Smith should have access unless you know Bob's current role, what other resources he has access to and how much risk you're exposing the company to by granting Bob that access.
Policy automation. This refers to automating labor-intensive processes such as the aforementioned access reviews and certifications to make sure that they align with business and cybersecurity policies.
Role-based access management. This refers to the ability to assign users to particular access profiles based on roles and to fine-tune them based on other factors. Access might include "birthright" access rights -- for instance, to the corporate email system -- and fine-grained access based on functional roles ("Level-one accountants can access …"). This also enables the ability to implement hierarchical and inheritable access permissioning -- i.e., "All accountants can see X, therefore all level-one accountants can see X."
Reporting and dashboarding. Part of identity governance is the ability to provide customized dashboards indicating access by user, resource, entitlement and certification.
Integration with IAM tools and other systems. Identity governance tools integrate with traditional IAM tools, such as Microsoft, NetIQ Identity, Okta and Ping Identity.
Identity governance vendors include CA Technologies, Crossmatch, Fischer Identity, IBM, Identity Automation, One Identity, Oracle, ProofID, RSA Security, SailPoint Technologies and Simeio Solutions.
Criteria for selecting identity governance tools
If your team is looking into identity governance, answering the following questions will make choosing the right tool easier:
Which IAM products does your identity governance tool need to integrate with? Typically, a company will standardize on an IAM vendor; the identity governance tool should integrate cleanly with that provider.
Will your identity governance tool distinguish between cloud-based and on-premise resources? Often, companies have different policies for resources that are on the cloud and on premises. Does the tool detect location of resources and apply the appropriate policy?
Are the analytics and dashboarding customizable? One of the benefits of an identity governance tool is that it pushes business decisions to business owners -- but that requires the ability to present information in the right context for those business owners. Can the dashboards be customized for the context of specific users?
The bottom line is that identity governance tools can reduce the manual requirements and overhead associated with setting up workflows around user identity and access management. Consider investing in one if your organization is large, complex or both.