What is Identity Governance?

Identity Governance & Administration encompasses the processes for granting and managing access rights. Identity Governance is about understanding what access is 'right'. That naturally means something can also be 'wrong' -- access rights that deviate from the desired situation.

Identity Governance starts with defining what 'right' means for your organization: who should -- for what reasons -- have access to which applications and data? This must then be embedded and modeled in Identity Governance processes, so that the correct situation is approached as closely as possible.

These processes can be supported by tools that handle the administration and facilitation of the whole. This allows you to demonstrate to auditors or your accountant that you comply not only with internal policies, but also with laws and regulations regarding information security or privacy.

With the right setup, your organization gains more insight into, and control over, who has rights to which applications and why. Identity Governance helps you stay 'in control' and demonstrably meet compliance requirements and standards.

Why is Identity Governance & Administration important?

Today, it is essential that you have a grip on -- and insight into -- who has access to which applications and data. You must be demonstrably 'in control'. This means you must be able to prove that all access rights of all employees are based on conscious decisions and policy, rather than chance. There are several reasons why this is becoming increasingly important. We highlight the most important ones below.

Security

Identity Management and Identity Governance are essential components of a modern security strategy because they can help keep your applications and data safe. With Identity Governance, you can ensure that every employee has exactly the right level of access rights at any given time. That means: access to all applications needed to work productively, and nothing more.

Over-authorization

What we very often see at our clients is so-called 'over-authorization': employees who have more rights than their function requires. This usually occurs when employees change jobs: they receive the additional rights that come with the new function, but nothing triggers the revocation of the rights they no longer need. It can also happen when new employees join and are given the same rights as a colleague with a roughly comparable function. The cause is the lack of proper validation processes and the fact that control currently relies too heavily on IT administrators. Because who then checks the checker?

What are the security risks?

Suppose an employee moves to your competitor, but their access rights are not revoked. That ex-employee still has access to company data, and a data breach or corporate espionage is just around the corner. Over-authorization can also bring financial risks. Suppose an employee in financial administration who books invoices is promoted to a position where they approve or reject invoice payments. If the old rights are not revoked, abuse is a real possibility.
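The deviations described above (rights beyond what a function needs, the booking/approving conflict, and accounts that outlive employment) can be checked mechanically once the 'right' situation is written down. The following is an added example in Python; it is not code from FuseLogic or from any product mentioned on this page. The function-to-entitlement mapping, the conflicting pair and the four identities are constructed sample data.

```python
"""Added example: find deviations from the desired access situation.

Checks three things: rights beyond what a function needs (over-authorization),
conflicting rights held by one person (separation of duties), and rights still
active for someone whose employment has ended. All data below is constructed
sample data, not taken from a real system.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# The 'right' situation: which entitlements each function needs, and no more.
EXPECTED_BY_FUNCTION: Dict[str, Set[str]] = {
    "ap-clerk":    {"erp:invoice.book", "mail", "intranet"},
    "ap-approver": {"erp:payment.approve", "mail", "intranet"},
    "sales-rep":   {"crm:read", "crm:write", "mail", "intranet"},
    "it-admin":    {"ad:domain-admin", "erp:admin", "mail", "intranet"},
}

# Pairs that must never be held together: booking invoices and approving
# their payment is the case from the text.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("erp:invoice.book", "erp:payment.approve"),
]


@dataclass
class Identity:
    user_id: str
    function: Optional[str]            # None: no active employment (leaver)
    entitlements: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    user_id: str
    kind: str                          # 'excess' | 'sod' | 'leaver'
    detail: str


def review_identity(ident: Identity,
                    expected: Dict[str, Set[str]] = EXPECTED_BY_FUNCTION,
                    sod: List[Tuple[str, str]] = SOD_CONFLICTS) -> List[Finding]:
    """Compare one identity's actual rights with the desired situation."""
    if ident.function is None:
        # A leaver should hold nothing at all; every remaining right is a finding.
        return [Finding(ident.user_id, "leaver", e) for e in sorted(ident.entitlements)]
    findings: List[Finding] = []
    wanted = expected.get(ident.function, set())
    for e in sorted(ident.entitlements - wanted):
        findings.append(Finding(ident.user_id, "excess", e))
    for a, b in sod:
        if a in ident.entitlements and b in ident.entitlements:
            findings.append(Finding(ident.user_id, "sod", f"{a} + {b}"))
    return findings


def review_all(identities: List[Identity]) -> List[Finding]:
    findings: List[Finding] = []
    for ident in identities:
        findings.extend(review_identity(ident))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. for a management dashboard."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample inventory, mirroring the cases from the text.
SAMPLE: List[Identity] = [
    # Promoted from clerk to approver, old booking right never revoked.
    Identity("u1", "ap-approver", {"erp:invoice.book", "erp:payment.approve", "mail", "intranet"}),
    # Exactly the rights the function needs.
    Identity("u2", "sales-rep", {"crm:read", "crm:write", "mail", "intranet"}),
    # Left the company, accounts still active.
    Identity("u3", None, {"crm:read", "mail"}),
    # Rights copied from a colleague who also happened to be an ERP admin.
    Identity("u4", "sales-rep", {"crm:read", "crm:write", "erp:admin", "mail", "intranet"}),
]

if __name__ == "__main__":
    for f in review_all(SAMPLE):
        print(f"{f.user_id}  {f.kind:<7} {f.detail}")
    print(summarize(review_all(SAMPLE)))
```

Running the sample reports one excess right and one separation-of-duties conflict for the promoted approver, two lingering rights for the leaver, and the copied ERP admin right for the sales rep; the sales rep with exactly the expected rights produces nothing. The point is that none of these findings depend on an administrator noticing something: they fall out of comparing the recorded desired situation with the actual one.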

Vulnerability of IT systems

A particularly sensitive category of rights is that of IT employees, because they often have admin rights on applications. With the current IT dependency that many organizations have, unauthorized access to IT systems can have a direct impact on organizational continuity. It is no coincidence that attackers primarily target the IT systems of their intended victims.

Compliance

Identity Governance & Administration can also help you comply with laws, regulations and internal policies. Organizations increasingly need to comply with laws and guidelines such as GDPR, Cybersec, BIO2.0, NIS2 and BBN 1, 2 and 3. An important aspect of legislation is that your organization must be able to demonstrate that you are 'in control'. Also, organizations must comply with internal information security policies, for example when your organization is or is becoming ISO 27001-certified.

A modern Identity Governance system records all rights and all changes to them. Certification is the process by which a responsible person can evaluate the authorizations of employees from that data at set times (for example during audits) and revoke or confirm them.

What is the difference between Identity Management and Identity Governance?

At FuseLogic, we have been delivering Identity Management solutions since 2007. In the early years, hardly anyone talked about Identity Governance. Everything fell under Identity & Access Management, including things like Privileged Access Management and Identity Governance & Administration. Over the years, the market has further professionalized and the terminology and solutions have evolved accordingly.

What we now see in the market is that the technically oriented side is often called Identity Management. The focus and direction from the business side of the organization is called Identity Governance & Administration. However, these are not watertight or universally accepted definitions; confusion about this still arises from time to time.

Identity & Access Management

Identity Management today primarily refers to the operational processes around the technical/infrastructural handling of accounts, including things like provisioning and access management.

Provisioning is not only about creating accounts, but also about modifying or deleting them. This is necessary because there can be a very large number of users who do not all have the same access rights. Moreover, a user's access rights change frequently over time: an employee can start as an intern and end up as a department head. These changing access rights of a user are called the 'identity lifecycle'.

Access management checks who the user is, what the context (history, device, ...) of this user is and whether this user has the right to access an application or data.

Identity Governance

Identity Governance focuses on broader policies and compliance with rules and regulations. It is about being able to demonstrate that the employee in question is also entitled to those rights, for example based on the nature of the work they perform in the organization. To prove this to regulators, you essentially need to maintain a log of all granted, modified and revoked rights including timestamps.

Certification -- also called attestation or access review -- is an important component of Identity Governance & Administration. This is the process of asking managers and application owners whether the rights are still correct. This is a regularly recurring process during, among other things, external audits and auditor statements.
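The log of granted, modified and revoked rights with timestamps, and the certification round that runs on top of it, can be shown concretely. Below is an added example in Python; it is not FuseLogic's code nor that of any vendor named on this page. The log is replayed to reconstruct which rights were active on the review date, each active right is put before the owner of the application, and a 'revoke' decision is written back to the same log with the reviewer and campaign recorded as the reason. All entries, owners and decisions are constructed sample data.

```python
"""Added example: timestamped access log plus a certification (attestation) round.

Every grant and revoke is recorded with its timestamp, its reason (the 'why')
and who decided. Replaying the log reconstructs which rights were active at any
moment, which is what an auditor asks for; a certification round then puts each
active right before the responsible owner, and revocations are written back to
the same log. All entries, owners and decisions are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LogEntry:
    ts: datetime
    user_id: str
    entitlement: str
    action: str            # 'grant' | 'revoke'
    reason: str            # why this decision was taken
    actor: str             # who or what took it (HR feed, manager, reviewer)


class AccessLog:
    """Append-only record of all rights changes."""

    def __init__(self) -> None:
        self._entries: List[LogEntry] = []

    def record(self, entry: LogEntry) -> None:
        self._entries.append(entry)

    def entries(self) -> List[LogEntry]:
        return list(self._entries)

    def active_grants(self, at: Optional[datetime] = None) -> Dict[Tuple[str, str], LogEntry]:
        """Replay the log up to `at` and return the grants still in force."""
        active: Dict[Tuple[str, str], LogEntry] = {}
        for e in sorted(self._entries, key=lambda e: e.ts):
            if at is not None and e.ts > at:
                break
            key = (e.user_id, e.entitlement)
            if e.action == "grant":
                active[key] = e
            elif e.action == "revoke":
                active.pop(key, None)
        return active


@dataclass
class ReviewItem:
    user_id: str
    entitlement: str
    reviewer: str
    granted_on: datetime
    granted_because: str
    decision: str          # 'confirm' | 'revoke' | 'pending'


def run_certification(log: AccessLog, owner_of: Dict[str, str],
                      decisions: Dict[Tuple[str, str], str],
                      now: datetime, campaign: str) -> List[ReviewItem]:
    """Put every active right before its owner and apply the recorded decisions.

    `owner_of` maps an application prefix (the part before ':') to the person
    who must attest; `decisions` holds what the reviewers answered. Rights with
    no answer stay in place but are reported as pending, so nothing is silently
    confirmed by omission.
    """
    items: List[ReviewItem] = []
    for (user, ent), grant in log.active_grants(at=now).items():
        reviewer = owner_of.get(ent.split(":")[0], "unassigned")
        decision = decisions.get((user, ent), "pending")
        items.append(ReviewItem(user, ent, reviewer, grant.ts, grant.reason, decision))
        if decision == "revoke":
            log.record(LogEntry(now, user, ent, "revoke",
                                f"{campaign}: not confirmed by {reviewer}", reviewer))
    return items


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def build_sample_log() -> AccessLog:
    """Constructed history: a clerk is promoted, a sales rep leaves."""
    log = AccessLog()
    log.record(LogEntry(_ts("2024-01-10T09:00"), "u1", "erp:invoice.book", "grant", "function ap-clerk", "hr-feed"))
    log.record(LogEntry(_ts("2024-01-10T09:00"), "u1", "mail", "grant", "active employee", "hr-feed"))
    log.record(LogEntry(_ts("2024-03-15T09:00"), "u2", "crm:read", "grant", "function sales-rep", "hr-feed"))
    log.record(LogEntry(_ts("2024-06-01T09:00"), "u1", "erp:payment.approve", "grant", "promotion to ap-approver", "manager-finance"))
    log.record(LogEntry(_ts("2024-09-30T17:00"), "u2", "crm:read", "revoke", "employment ended", "hr-feed"))
    return log


OWNER_OF = {"erp": "finance-director", "mail": "it-ops"}
REVIEW_DATE = _ts("2024-10-01T08:00")
# The finance director spots the booking/approving conflict and revokes the old right.
DECISIONS = {("u1", "erp:invoice.book"): "revoke",
             ("u1", "erp:payment.approve"): "confirm"}

if __name__ == "__main__":
    log = build_sample_log()
    for item in run_certification(log, OWNER_OF, DECISIONS, REVIEW_DATE, "2024-Q4"):
        print(f"{item.user_id} {item.entitlement:<22}{item.reviewer:<18}{item.decision}")
    for key in log.active_grants():
        print("still active:", key)
```

Two design choices matter for auditability here: the log is never edited, only appended to, so the state at any past date can be reconstructed by replay; and the certification decision itself becomes a log entry with the reviewer's name and the campaign as its reason, so the auditor can see not just that a right was revoked but who decided it and in which review.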

Identity Governance objectives and policies

Before you get started, it is important to determine what objectives you want to achieve with Identity Governance and how you will realize them. This requires vision and policy, but also very concretely translating a logical vision into IAM processes that the organization can work with. A complicating factor is the hybrid IT environment at many organizations. From integration with legacy systems like an AS/400 to a mix and match with cloud, apps and websites: Identity Governance covers all applications and data, wherever they run.

Concrete objectives for Identity Governance

The objectives for Identity Governance depend on factors such as the type of organization, the risks in your specific situation and external factors such as laws and regulations. A selection of the questions, challenges and objectives we have encountered at our clients:

  • Helping determine what the desired situation is: 'when and how is access to applications and data under control?'
  • Setting up governance processes that quickly show results and thereby visibility and buy-in within the organization.
  • Reducing chance by recording the desired situation and optimizing processes to approach that situation and demonstrate it.
  • Making the most efficient use of human effort to bring under control a situation so dynamic that static identity models no longer apply.
  • Designing request and approval processes that can be quickly set up by the organization itself with maximum self-service and workflows to evaluate requests.

From 'as-is' to 'to-be'

There are two important challenges in setting up Identity Governance. The first is determining the 'to-be' and the second is getting from 'as-is' to 'to-be'. From experience, we know that the problem is not so much in choosing or building a platform to view the 'as-is'. But how do you determine what the desired situation is? What is your starting point and how do you translate that into the system you will use? It starts with determining the guiding principles for your organization.

Auditability

If you want to demonstrate that you are 'in control', you must set up Identity Governance in a way that makes it audit-worthy. Governance in its purest form means: processes against which policy is checked. This means that granting and revoking access must follow a predetermined process and must be testable against policy. You must make decisions about what access is desired and undesired, but also about the approach, the roles you define and the different steps in the process. The core of this is grant and revoke, meaning the principles of when and on what grounds access is approved or denied.

Auditor requirements and expectations

To elaborate further on auditability: an auditor is essentially only interested in evidence that the access granted was not by chance or arbitrary. For an auditor, you therefore 'only' need to demonstrate that the process was followed.

Strategic choice: your Identity Governance approach

How can you ensure that Identity Governance & Administration is set up in a way that best fits your organization? It starts with making a number of strategic choices regarding approach. There are several ways to answer the 'who, why and what?' question about access rights. This is one of the most important choices, because each option affects the speed of implementation (and thus time to value), flexibility and manageability.

Traditional: role mining

Role Mining starts with the 'what'. It maps out which people currently have access to which information. This method often seems to deliver quick results initially, but then becomes slower and often gets stuck. A major cause is that all the exceptions to the rules over the years have polluted the system and structure used.

This methodology is poorly suited for a pragmatic 'start now, expand later' approach like FuseLogic uses. Role mining requires data from the existing situation that actually only becomes available when applications are connected. This makes role mining not a one-time project but a process that must be repeated again and again, becoming increasingly complex.

This approach is a poor fit for modern dynamic organizations and is, in our view, essentially outdated.

Traditional: Role-Based Access Control (RBAC)

RBAC starts with the 'who' question through an inventory and theoretical approach to people, the roles they fulfill within the organization and the possible grouping of roles and permission sets. Creating a role is based on a common characteristic of the population of people for whom the role is intended.

The following challenges arise:

  • With human selection of the role to assign, the assignor and reviewer of roles must recognize the right population, which is more difficult in organizations that are increasingly 'knowledge'-oriented and less 'process'-oriented;
  • With automatic selection of the role to assign, the assignment rules are complex (combinations of department codes, function codes, employee types, etc.) and this automation becomes extremely sensitive to organizational changes. Our view: RBAC is not an automation method -- although it is often seen as such -- and the gains in the assignment process are lost in the effort required to maintain the role models. On balance it delivers no net gain, while it does get in the way of delivering value quickly.

RBAC was developed in a time of more static business processes with a predictable and long-lasting relationship between certain groups of employees and the tasks they perform, such as factory processes. Today, many organizations are heavily knowledge-oriented and less process-oriented. They increasingly collaborate in changing teams, projects and matrix organizations. This dynamic quickly leads to a major effort to continuously adjust and maintain roles and permission sets, something whose impact is often underestimated. One of the other disadvantages of the RBAC approach is that organizations quickly get bogged down in very theoretical models that business people no longer recognize.

Innovative: Reasons for Access

This unique approach developed by FuseLogic starts with the reasons 'why' people need access to certain business resources. This reason can lie in the type of work (sales, HR, finance, etc.) and/or the role an individual fulfills within the organization (for example, whether or not they have a management position), enrollment in a study program, participation in a project or a specific cost center.

It is essential to investigate at the same time whether these reasons can actually be derived from source systems such as an HR system, project system, CRM system or student system. Maximum automation based on existing data provides unprecedented acceleration and predictability. Rights are automated as much as possible, but also immediately adjusted or revoked when functions change or employment ends.

An important advantage of this approach is rapid value creation: it is possible to deliver value to the organization from day one. It does not require a predefined complete vision of the application landscape or determining employee populations with the same application needs. This approach is very pragmatic: start with what is currently available, and expand it later. By not taking the employee population as a starting point but working from the data (attributes), the authorization model remains flexible.

In this way, Identity Governance follows the dynamics of the organization rather than the other way around and the terms and results are always recognized by the organization.

Identity Governance solutions

Have you defined your objectives, policies and the approach to follow? Then it is time to determine which solution you will use to set up Identity Governance for your organization. Do you choose the solution from Omada, Oracle, ForgeRock, Nexis 4, SailPoint, MicroFocus or Okta?

The solution is not the starting point

Identity Governance is primarily about gaining and maintaining control over 'who has access to what, and why'. The solution you choose must make that possible, but is never the starting point. Our more than 18 years of experience in Identity Governance has taught us that it is not about the number of features and functions the solution offers. More features means more choices about configuration and more complexity in setting up the solution.

Speed of value creation for the organization

What matters to us is the speed at which value is delivered to the organization. When you achieve results quickly, enthusiasm and buy-in grow, which is essential for continuing to improve and optimize over time. Automation of the identity lifecycle helps simplify internal processes, accelerate access to applications and minimize the workload for reviewing requests.

Support for legacy and cloud applications

A future-proof Identity Governance solution must support both legacy and cloud applications out of the box. After all, Identity Governance encompasses all applications and data, wherever they run. A 100% cloud identity solution is perfect for your current and future hybrid IT landscape.

Different tools or integrated solution

You can use different tools for Identity Management, Identity Governance, and Customer Identity Management. With every additional solution you introduce, you increase complexity and workload on the IT department and raise the total cost of ownership (TCO).

One of the reasons FuseLogic has chosen a partnership with Okta is that Identity Governance can simply be enabled as an add-on to an existing Okta Identity Management implementation. Through this integration, all settings are smoothly carried over and all identities are managed within a single central environment. The benefits: maximum speed, improved efficiency and control over costs.

FuseLogic's approach: Identity Governance at the speed of business

Identity Governance projects can become a multi-headed monster, with long lead times, frequent overruns and consequently a major impact on the organization and its costs. Based on more than 18 years of experience, we have developed best practices to accelerate Identity Management and Identity Governance projects.

Fast start...

Our proven approach offers a fast start where your organization achieves a certain level of demonstrable control within 30 consulting days, including opportunities for further optimization. We achieve this by starting with a concrete plan of action, not with a large collection of features and functions. This allows us to simplify Identity Governance for our clients into an understandable, manageable and achievable process.

... Leads to fast results and more buy-in

We do not start with theoretical models, but look for usable attributes in your data to quickly connect the first applications. Speed leads to enthusiasm and more buy-in.

Vision, mindset and solution combined

We deliver Identity Management and Identity Governance solutions with a cloud mindset. We have the knowledge and expertise to set the right priorities and ensure -- with limited involvement from your organization -- fast delivery of a concrete solution that you can build on. Based on 18 years of experience, we have a proven standardized methodology and approach.

Automation of the joiner-mover-leaver process

With intelligent automation, access rights to applications and data can be automated as much as possible for granting and revoking. For joiners, movers & leavers but also for project-based work: access to business applications and information is granted or revoked as automatically and dynamically as possible.

Automation also simplifies auditability, because it becomes easier to demonstrate that cause X (the 'why') results in effect Y (the access). Through this automation, it also becomes simpler to regularly review access rights. Application owners and managers do not receive large Excel files via email to check rights, but gain access to a portal where they only need to evaluate exceptions to the policy.
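The 'reasons for access' approach described earlier and the joiner-mover-leaver automation described here are two sides of the same mechanism, shown below in one added Python example. This is not FuseLogic's code nor that of Okta or any other vendor named on this page. Every entitlement in the policy carries the reason ('why') that justifies it, written as a predicate over attributes taken from a source system such as HR; reconciling a user's current rights against the policy produces the grants and revokes to execute, each with its reason for the audit trail, and hands only the rights that exist outside policy to a reviewer. The policy, attribute names and sample identities are constructed assumptions.

```python
"""Added example: 'reasons for access' derived from source-system attributes,
driving joiner-mover-leaver automation.

Every entitlement in the policy carries the reason ('why') that justifies it,
expressed as a predicate over attributes that come from HR or a project
system. Reconciling a user's current rights against the policy yields the
grants and revokes to execute, each with its reason, and leaves only the
rights that exist outside policy for a human reviewer. The policy, attributes
and names below are constructed sample data, not from any real system.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple

Attrs = Dict[str, object]
Rule = Tuple[str, str, Callable[[Attrs], bool]]   # (entitlement, reason, predicate)

POLICY: List[Rule] = [
    ("mail",                "active employee",          lambda a: a.get("status") == "active"),
    ("intranet",            "active employee",          lambda a: a.get("status") == "active"),
    ("crm:read",            "works in sales",           lambda a: a.get("department") == "sales"),
    ("crm:write",           "works in sales",           lambda a: a.get("department") == "sales"),
    ("erp:invoice.book",    "AP clerk in finance",      lambda a: a.get("department") == "finance" and a.get("job") == "ap-clerk"),
    ("erp:payment.approve", "AP approver in finance",   lambda a: a.get("department") == "finance" and a.get("job") == "ap-approver"),
    ("project:apollo",      "member of project apollo", lambda a: "apollo" in a.get("projects", ())),
    ("hr:team-reports",     "manages a team",           lambda a: a.get("is_manager") is True),
]


def desired_access(attrs: Attrs) -> Dict[str, str]:
    """Return {entitlement: reason} that the attributes justify right now."""
    if attrs.get("status") != "active":
        return {}                       # a leaver is justified in holding nothing
    return {ent: reason for ent, reason, pred in POLICY if pred(attrs)}


@dataclass
class Action:
    user_id: str
    op: str                             # 'grant' | 'revoke'
    entitlement: str
    reason: str                         # written to the audit trail


def reconcile(user_id: str, current: Set[str], attrs: Attrs,
              exceptions: Iterable[str] = ()) -> Tuple[List[Action], List[str]]:
    """Compute the actions that move `current` towards the policy-derived state.

    `exceptions` are rights granted outside policy through an approved request;
    for an active employee they are kept but returned for review, so the
    reviewer only sees deviations from policy, not every right.
    """
    wanted = desired_access(attrs)
    active = attrs.get("status") == "active"
    approved = set(exceptions)
    actions: List[Action] = []
    for ent in sorted(set(wanted) - current):
        actions.append(Action(user_id, "grant", ent, wanted[ent]))
    unjustified = current - set(wanted)
    for ent in sorted(unjustified):
        if active and ent in approved:
            continue                    # keep, but hand to the reviewer below
        actions.append(Action(user_id, "revoke", ent, "no longer justified by policy"))
    to_review = sorted(unjustified & approved) if active else []
    return actions, to_review


def apply_actions(current: Set[str], actions: List[Action]) -> Set[str]:
    """Apply grants and revokes to a copy of the current rights."""
    result = set(current)
    for a in actions:
        if a.op == "grant":
            result.add(a.entitlement)
        else:
            result.discard(a.entitlement)
    return result


def lifecycle_demo() -> Tuple[Set[str], Set[str], Set[str]]:
    """Walk one identity through joiner, mover and leaver; return rights after each."""
    access: Set[str] = set()
    # Joiner: HR creates the record as an AP clerk in finance.
    attrs: Attrs = {"status": "active", "department": "finance", "job": "ap-clerk", "projects": []}
    access = apply_actions(access, reconcile("u1", access, attrs)[0])
    after_join = set(access)
    # Mover: promoted to approver and added to a project; the booking right goes away.
    attrs = {**attrs, "job": "ap-approver", "projects": ["apollo"]}
    access = apply_actions(access, reconcile("u1", access, attrs)[0])
    after_move = set(access)
    # Leaver: HR sets the status; everything is revoked, nothing lingers.
    attrs = {**attrs, "status": "terminated"}
    access = apply_actions(access, reconcile("u1", access, attrs)[0])
    return after_join, after_move, access


if __name__ == "__main__":
    for stage, rights in zip(("joiner", "mover", "leaver"), lifecycle_demo()):
        print(f"{stage:<7}", sorted(rights))
```

Note what the mover step does without anyone raising a ticket: the promotion changes the `job` attribute, so the booking right stops being justified and is revoked in the same run that grants the approval right, which is exactly the separation-of-duties gap that manual job changes tend to leave open. The `exceptions` parameter is how a right granted through an approved request survives reconciliation for as long as the employee is active; it is still reported, so the reviewer's portal shows only deviations from policy rather than every right the person holds.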

Certification and insight

Because certification is an integral part of the solution, the certification process is simplified. You have full insight into granted rights at any time and can prevent conflicting rights and unwanted permissions.

On time and within budget

Thanks to our unique approach, knowledge and experience, you can go live with the first applications within budget and in most cases within 10-30 consulting days.

Want to learn more?

FuseLogic delivers solutions that maximize the automation of access and control for applications, allowing you to go live within 30 consulting days. This puts you quickly 'in control', with Identity Governance following the speed of business, rather than the other way around.

Discover our unique approach

Find out how we achieve unprecedented acceleration in Identity Management and Identity Governance processes.

Download our free solution paper Identity Management at the speed of business.

Discover our fast, predictable Okta implementation based on 18 years of experience and more than 40 successful and rapid implementations.

Get in touch

Would you like to know how we can make Identity Governance more flexible and less complex for your organization too, without compromising on security and ease of use? Contact us today for a no-obligation introduction.
