Managing user identity has evolved significantly over the last decade, from being purely a function of Identity Administration to transitioning into Identity Governance. Let’s quickly look at the definitions:
Identity Administration is the process of managing the lifecycle of identity and entitlements associated with those identities. It uses a combination of tools that provide automated identity administration and manual processes fulfilled by application administrators (e.g. account and access provisioning for a new employee).
Identity Governance is the process of putting checks and balances into place surrounding identity and access (i.e., who received the access, who approved that access, is the access appropriate to the job function, is it being used and what is it being used to do, and at what time?). Essentially, Identity Governance provides the metadata around Identity data. Access reviews, analytics & reports, and preventative/detective controls also complete Identity Governance.
How is Identity Governance different from Identity Administration?
Identity Administration is a great way to reduce your operational overhead because it helps automate manual processes. For example, zero-day provisioning of accounts and access has always been in high demand, and Identity Administration alleviates those concerns. However, due to the limited functionality of existing Identity Management tools and the associated poor user experience, Identity Administration is being reduced to the tactical function of handling day-to-day operational tasks. With no tangible business ROI, it is eventually falling off the radar of senior executives.
Identity Governance offers a holistic approach driven by risk analytics and focused on improving security and compliance posture. Identity Governance employs several techniques to provide preventive/detective controls, reporting and dashboards, data access governance, and improved user experience, and contributes towards reducing threats to an acceptable level.
Identity Governance products enable organizations to enforce policies, map governance functions to compliance requirements and, in turn, support compliance reporting. Several government-mandated compliance regulations, including SOX and HIPAA requirements, can now be easily enforced using Identity Governance functions such as SOD analysis and access remediation.
Where do Identity Governance and Identity Administration fit in an organization?
Who is accountable for protecting company brand and reputation – CEO
Who is responsible for preventing breaches and exposure – CISO
Who is responsible for staying compliant by meeting regulatory requirements – Compliance Officer
Who is responsible for improving user experience and increasing productivity of the IT workforce – CIO
Typically the CISO, CIO and Compliance Officer all directly or indirectly report to the CEO, making the executive team and the board accountable for the above functions.
Why is this important?
An organization’s focus on managing risk, staying compliant and preventing breaches has to be separated from the day-to-day tasks of provisioning/de-provisioning. That is why Identity Governance needs to stay nimble in an organization, able to identify new requirements for audit, regulations, and attack vectors, and to stand up features and solutions quickly. Think of it as your innovation center placed under the Chief Information Security Officer (CISO) organization.
As I mentioned before, traditional Identity Administration is not meeting key business requirements and is being relegated to an operational cost center, causing a loss of visibility from the executive branch and therefore ending up with no clear ownership. To overcome this challenge, new development of Identity Administration functionality, such as application onboarding, should remain in a centralized organization, such as an Application Center of Excellence (COE), complemented by a strong governance framework that reviews and recommends changes. As the function becomes operational, it should be handed over to a managed services organization.
Why start with Identity Governance?
Identity Governance has brought about a paradigm shift in a number of ways. Let’s look at some examples:
- Speed to market: With the help of new-age cloud-based IGA solutions, an Identity Governance solution can be delivered in a matter of days, compared with what used to be months of tool deployment and upgrades.
- Compliance and audit: Reports are mapped to various industry regulations (PCI, SOX, HIPAA etc.). This is a game changer for compliance champions and internal auditors who can now detect issues in real-time.
- Efficient access reviews: Managers no longer go through “certification fatigue” that often results in rubber stamping. Usage analytics, outlier analytics, SOD analysis and many other intelligent features help reduce the burden up front. Micro certifications and event-based certifications provide a more focused, low-volume certification cycle.
- Rapid application onboarding: A wizard-based interface saves application owners time and resources in managing and governing access. They can also now clean up the metadata of roles and entitlements through campaigns to improve data quality and ownership of resources.
- Quantifiable outcomes: Drill-down dashboards customized for different personas offer a new way to look at identity metrics. HR users can view onboarding/offboarding metrics, application owners can view the number of user accounts and entitlements per application, and auditors can now look at SOD violations in critical applications.
Identity Governance has expanded reach and penetration within organizations to extents unimaginable with Identity Administration. More importantly, the ROI that was elusive with traditional Identity Administration is now available with a click in Identity Governance solutions.
For those inspired by this blog to kick-start their Identity Governance program, I highly recommend reviewing the next-generation Identity Governance platform that Saviynt offers.