
Identity & Access Governance

Identity & Access Governance is designed to prove that users have the appropriate rights based on the organization’s policies.

Identity and Access Management (IAM) solutions have been developed due to the increasing complexity of IT environments and constantly rising requirements for the allocation and control of user authorizations. IAM systems focus on the company-wide administration of users and their rights.

Due to the ever-increasing threat situation and the associated stricter regulations, simple IAM solutions are no longer sufficient in many cases. Auditors and accountants demand a comprehensible insight into the allocation of user authorizations. This is where modern Identity & Access Governance Solutions come in.


What is Identity & Access Governance?

Compliance and security regulations require organizations to answer the following three questions regarding user management and permissions:

  • Which user has access to which IT resources?
  • What can a user do there?
  • How can organizations prove this – especially to auditors?

While the first two questions can be answered by modern identity and access management solutions, the proof of assigned authorizations and the associated processes often poses a major challenge. There is also the requirement to present identities and their authorizations in a form that the business departments or auditors can understand, which often can only be achieved by Identity & Access Governance solutions.

What is the difference between Identity & Access Governance and Identity & Access Management?

The purpose of Identity & Access Management solutions is to manage identities by mapping the “user life cycle”. Identity & Access Governance (IAG), on the other hand, is designed to prove that users have the “proper” rights based on the organization’s policies.


Reasons for Identity & Access Governance

There are numerous reasons why identity and access governance is becoming increasingly important. On the one hand, more and more internal (employees) and external user groups (partners, customers, …) access an ever more complex IT environment via more and more access points (on-premise, mobile, cloud, …) and devices.

On the other hand, the growing threat situation has led to increasingly strict compliance regulations that apply to more and more companies and organizations. These compliance regulations require, among other things, proof of the users and their authorizations.

Identity and access governance solutions have been developed from the perspective of business departments and auditors. They make assigned authorizations transparent, traceable, and easier to administer from that viewpoint, mostly independently of IT. Their goal is to implement business processes and compliance regulations better and to prove that they are being followed.


Functions of Identity & Access Governance

Identity and access governance solutions are designed to prove that security policies related to users and authorizations are implemented so that users do not have more rights than necessary. Identity and access governance solutions provide the required information for this proof. These solutions offer the functions described below, among others.

Access Visibility

First, it must be made visible who possesses which permissions. Authorizations can be roles (business or IT) or authorizations defined in target systems (e.g., Microsoft Exchange Administrator).

Access Certification

A supervisor or other responsible person must regularly confirm (“certify”) that users need the assigned authorizations for their tasks. Identity and access governance solutions support recertification campaigns, which select the users to be certified and their rights according to certain selection criteria (e.g., only certain departments, only certain applications). These campaigns can be centrally monitored and audited, ensuring that users only have the rights they need.

Segregation of Duty (SoD)

Compliance requirements demand the strict separation of specific tasks within the organization. As a rule, the same person should not be allowed to order items and pay incoming invoices. Modern Identity and Access Governance solutions support this through static Segregation of Duty (SoD). Static SoD means that the separation of duties is controlled through the rights a user holds.

Role Management

Roles are required by Identity and Access Management solutions for efficient provisioning of rights. The administration of roles also falls into the area of Identity and Access Governance.

Firstly, a lean role model is needed to minimize the number of rights to be recertified and keep them manageable. Secondly, the role management process requires knowledge of the business processes and knowledge of the IT platform.

Risk Management

Certain rights and combinations of rights can pose a high risk for an organization. These can be single highly privileged rights (Windows Administrator, Unix root, Microsoft Active Directory Admin, …) or unusual combinations of rights in a department.

First, the risk is modeled, i.e., it is defined what constitutes a risk. Then it is checked whether such risks exist, which uncovers the risks that are already present. In the last step, so-called “mitigations” are defined for these uncovered risks. This is necessary because not all risks can be eliminated. A mitigation weakens an existing risk by taking appropriate measures, for example stronger control of the corresponding identity or additional approval by, e.g., the CISO.
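The static SoD check and the model/check/mitigate steps described above can be sketched as follows. This is an added example, not code from IT District or any governance product; all role, right, rule and user names are hypothetical, and the sample data is constructed.

```python
# Constructed sample data; every role, right, rule and user name is hypothetical.
ROLES = {  # business or IT role -> rights defined in target systems
    "Purchaser": {"erp:create_purchase_order"},
    "AccountsPayable": {"erp:pay_invoice"},
    "ExchangeOps": {"exchange:administrator"},
}
ASSIGNMENTS = {  # user -> (assigned roles, rights granted directly in a target system)
    "alice": ({"Purchaser"}, {"erp:pay_invoice"}),
    "bob": ({"AccountsPayable"}, set()),
    "carol": ({"ExchangeOps"}, set()),
}
# Step 1, risk model: rights one identity must not hold together (one element = privileged right).
RISK_RULES = {
    "SOD-ORDER-PAY": {"erp:create_purchase_order", "erp:pay_invoice"},
    "PRIV-EXCHANGE-ADMIN": {"exchange:administrator"},
}
# Step 3, mitigations for risks that cannot be eliminated: (rule, user) -> measure
MITIGATIONS = {("PRIV-EXCHANGE-ADMIN", "carol"): "additional approval by the CISO"}


def effective_rights(user):
    """Resolve roles plus direct grants into {right: sorted list of sources}."""
    roles, direct = ASSIGNMENTS[user]
    sources = {}
    for role in roles:
        for right in ROLES[role]:
            sources.setdefault(right, set()).add(f"role:{role}")
    for right in direct:
        sources.setdefault(right, set()).add("direct")
    return {right: sorted(src) for right, src in sources.items()}


def evaluate(users=ASSIGNMENTS):
    """Step 2, check: report every rule fully contained in a user's effective rights."""
    findings = []
    for user in sorted(users):
        rights = effective_rights(user)
        for rule_id, required in sorted(RISK_RULES.items()):
            if required.issubset(rights):
                findings.append({"user": user, "rule": rule_id,
                                 "via": {r: rights[r] for r in sorted(required)},
                                 "mitigation": MITIGATIONS.get((rule_id, user))})
    return findings


if __name__ == "__main__":
    for f in evaluate():
        status = f["mitigation"] or "OPEN: remove a right or define a mitigation"
        print(f"{f['user']:6} {f['rule']:20} {status}  via {f['via']}")
```

The `via` field shows why a finding exists: alice's conflict arises only because a direct grant in the target system combines with a role, which a check over role assignments alone would miss.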


Identity & Access Governance significantly facilitates compliance

Legal requirements, compliance regulations and internal security policies are the main drivers for identity and access governance. Many of these policies require verification that the right people have the appropriate rights to perform their tasks.

  • The GoBD stipulates that “an internal control system must be established that includes both access and access authorization controls as well as separation of functions”.
  • ISO 27001 requires “that management must review access rights in IT systems at regular intervals”.
  • BDSG: The German Federal Data Protection Act requires that “only authorized persons are allowed to access personal data and only those who absolutely need it to carry out their activities”.

These examples make it evident that regulations and compliance requirements focus on business processes.

Identity and Access Governance – Conclusion

Because of these regulations, Identity and Access Governance is indispensable for larger companies. Identity and Access Governance can be used alone or in combination with Identity Administration solutions.

