Identity governance and administration (IGA) is the system of record for identity management, access administration, and admin-time authorization.
IGA controls increasingly have to identify and mitigate access risk across a variety of identities and services that operate at high volume everywhere and change at high velocity. This is exacerbated by the transition of IGA to the cloud and by deployment complexity, combined with operational and data quality challenges. IGA capabilities also have to align with a growing number of use cases, such as nonemployee risk management and business-to-business delegated models. Most current IGA solutions depend on other tools or custom development to fill the gaps.
That is why it is time to rethink and evolve IGA architecture and operation for continuous, orchestrated, and context-enabled access controls.
An IGA solution typically provides all entities (both humans and, by extension, machines) with a unique identifier as they join the organization. This is followed by ongoing access updates as identities change status within the organization, and continues right up to leaving the organization. The IGA solution automates life cycle processes (including the assumption of different personas), provisions birthright access, and handles the access requests and certifications needed to continuously manage access risk. IGA solutions require a clear understanding of the available entitlements in the relevant business and/or technical systems, as well as the ability to adjust user entitlements according to access policies and functional roles.
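The joiner/mover/leaver cycle described above, reduced to a small policy engine, as an added example that is not part of the original post and not the code of any IGA product. The birthright sets, role policies, identities and target-system entitlement names are constructed sample data; the "relationship" attribute stands in for the persona (employee, contractor, B2B partner) that the post says determines which permissions apply.

```python
"""Joiner/mover/leaver provisioning driven by birthright and role policies.

Added illustration, not code from the original post or from any IGA product.
All identities, roles and entitlement names below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed policy data. In a real deployment these come from the IGA policy
# store and from the entitlement catalogue imported from the target systems.
BIRTHRIGHT = {  # keyed by relationship type (the identity's persona)
    "employee": {"hr:self-service", "mail:mailbox", "vpn:corp"},
    "contractor": {"mail:mailbox", "vpn:corp"},
    "partner": {"portal:partner"},  # B2B persona: no internal VPN by default
}
ROLE_POLICIES = {  # role -> (required attributes, entitlements the role grants)
    "finance-analyst": ({"department": "finance"}, {"erp:gl-read", "erp:ap-read"}),
    "finance-approver": ({"department": "finance", "grade": "senior"}, {"erp:ap-approve"}),
    "partner-ordering": ({"relationship": "partner"}, {"portal:order-entry"}),
}


@dataclass
class Identity:
    uid: str
    attrs: dict  # authoritative HR / partner-registry attributes
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)  # currently provisioned


def eligible_roles(attrs):
    """Roles whose required attributes all match the identity's attributes."""
    return {
        role for role, (required, _) in ROLE_POLICIES.items()
        if all(attrs.get(k) == v for k, v in required.items())
    }


def target_entitlements(identity):
    """Admin-time authorization: the entitlement set the identity should hold."""
    if identity.attrs.get("status") == "terminated":
        return set()  # leaver: every entitlement is revoked
    persona = identity.attrs.get("relationship", "employee")
    wanted = set(BIRTHRIGHT.get(persona, set()))
    for role in eligible_roles(identity.attrs):
        wanted |= ROLE_POLICIES[role][1]
    return wanted


def reconcile(identity):
    """Diff current vs. target state; returns (grants, revokes) as sorted lists."""
    wanted = target_entitlements(identity)
    grants = sorted(wanted - identity.entitlements)
    revokes = sorted(identity.entitlements - wanted)
    identity.entitlements = wanted
    identity.roles = eligible_roles(identity.attrs)
    return grants, revokes


def lifecycle_demo():
    """Run one employee through joiner -> mover -> leaver; return the three op sets."""
    alice = Identity("alice", {"relationship": "employee", "department": "finance",
                               "grade": "junior", "status": "active"})
    joined = reconcile(alice)  # joiner: birthright + finance-analyst
    alice.attrs["grade"] = "senior"
    moved = reconcile(alice)  # mover: gains the approver role, keeps the rest
    alice.attrs["status"] = "terminated"
    left = reconcile(alice)  # leaver: everything revoked
    return joined, moved, left


def partner_demo():
    """Same engine, different persona: a B2B partner gets portal access only."""
    bob = Identity("bob", {"relationship": "partner", "status": "active"})
    return reconcile(bob)


if __name__ == "__main__":
    for label, ops in zip(("joiner", "mover", "leaver"), lifecycle_demo()):
        print(label, "grants:", ops[0], "revokes:", ops[1])
    print("partner grants:", partner_demo()[0])
```

Each call to `reconcile` recomputes the target state from authoritative attributes and emits only the delta, which is what a provisioning connector would push to the target system; the attribute change in the mover step produces a single grant rather than a re-provisioning of the whole account.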
Technical professionals should not only implement typical foundational IGA capabilities but also evaluate the emerging features that make IGA continuous, orchestrated and context-enabled. These features are increasingly essential to operating modern hybrid IT and/or multicloud environments:
- IGA continuous controls deploy intelligent features to enable smart roles/groups and risk-based access adjustments. These controls use advanced analytics and intelligence from multiple sources (such as identities, entitlements, relationships, configuration files and access/audit logs) to continuously adapt to changes in the environment, to adjust relevant artifacts, and to respond to risk signals.
- IGA orchestrated coverage extends traditional capabilities by supporting centralized IGA policy management and policy deployment in target systems/platforms to establish access guardrails. This enables decentralized policy enrichment at the edge in target systems/platforms.
- IGA context-enabled admin-time authorization extends provisioning capabilities to dynamically determine the entitlements, roles and policies and assign required permissions to user accounts. This enables use cases where permissions vary by relationship or other contextual attributes such as B2B or B2B2C use cases.
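An added example of the continuous-controls idea in the first bullet, not code from the original post or from any IGA product: it combines an entitlement snapshot with access-log lines to raise the kind of risk signal that would feed a certification or an automatic access adjustment. The identities, entitlement names and log lines are constructed, and the two thresholds (90 days unused, held by fewer than 30% of departmental peers) are assumptions chosen for the example.

```python
"""Continuous-control analytics over entitlements and access logs.

Added illustration, not code from the original post or from any IGA product.
Identities, entitlements and log lines are constructed sample data; the
thresholds are assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed entitlement snapshot: uid -> (department, entitlements held).
HOLDINGS = {
    "alice": ("finance", {"erp:gl-read", "erp:ap-read"}),
    "bob":   ("finance", {"erp:gl-read", "erp:ap-read"}),
    "carol": ("finance", {"erp:gl-read", "erp:ap-read", "erp:ap-approve"}),
    "dave":  ("finance", {"erp:gl-read", "erp:ap-read", "hr:payroll-admin"}),
    "erin":  ("eng",     {"git:push", "ci:deploy"}),
}

# Constructed access log: ISO timestamp, uid, entitlement exercised.
ACCESS_LOG = """\
2024-05-01T09:12:00 alice erp:gl-read
2024-05-02T10:03:00 alice erp:ap-read
2024-05-02T11:40:00 bob erp:gl-read
2024-05-03T08:15:00 carol erp:ap-approve
2024-05-03T08:16:00 carol erp:gl-read
2024-01-20T14:00:00 dave hr:payroll-admin
2024-05-04T16:30:00 erin git:push
"""

STALE_DAYS = 90       # assumption: unused for longer than this -> flag
PEER_MIN_SHARE = 0.3  # assumption: held by fewer than 30% of peers -> outlier


def last_use(log_text):
    """Parse the log into {(uid, entitlement): most recent use}."""
    seen = {}
    for line in log_text.splitlines():
        ts, uid, ent = line.split()
        when = datetime.fromisoformat(ts)
        if (uid, ent) not in seen or when > seen[(uid, ent)]:
            seen[(uid, ent)] = when
    return seen


def risk_signals(holdings, log_text, today):
    """Return sorted (uid, entitlement, reason) tuples that merit review.

    Reasons: 'peer-outlier' (rare within the department), 'never-used'
    (no log entry at all) and 'stale' (last use older than STALE_DAYS).
    """
    used = last_use(log_text)
    by_dept = defaultdict(list)
    for dept, ents in holdings.values():
        by_dept[dept].append(ents)
    signals = []
    for uid, (dept, ents) in holdings.items():
        peers = by_dept[dept]
        for ent in sorted(ents):
            share = sum(ent in peer for peer in peers) / len(peers)
            if share < PEER_MIN_SHARE:
                signals.append((uid, ent, "peer-outlier"))
            last = used.get((uid, ent))
            if last is None:
                signals.append((uid, ent, "never-used"))
            elif (today - last.date()).days > STALE_DAYS:
                signals.append((uid, ent, "stale"))
    return sorted(signals)


def demo():
    """Evaluate the constructed data as of a fixed date so results are stable."""
    return risk_signals(HOLDINGS, ACCESS_LOG, date(2024, 5, 5))


if __name__ == "__main__":
    for uid, ent, reason in demo():
        print(f"{uid:6} {ent:18} {reason}")
```

The peer-group share is a deliberately simple stand-in for the analytics the post refers to; the point is that two independent sources (the entitlement snapshot and the audit log) are joined on the same key, so an entitlement that is both rare and unused, like dave's payroll-admin, shows up with two reasons and is an obvious candidate for revocation or certification.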
This depends on formalizing three sets of processes in addition to technical features and functionality: IdOps, AccessOps and PolicyOps.
- Identity operations (IdOps) is a collaborative workflow and data management practice that is focused on the integration and automation of identity life cycle management processes and authoritative data pipelines.
- Access operations (AccessOps) aims to streamline the processes associated with the entitlement evaluation for granting access in the target systems based on roles and policies.
- Policy operations processes (PolicyOps) bring governance and life cycle management for access control policies across the enterprise.
Technical professionals can enhance their IGA solution incrementally in four steps as shown below:
As part of this effort, security and risk management technical professionals should:
- Develop an IGA architecture that centralizes data and analytics for identity and access as well as policy management while allowing decentralized edge IGA components.
- Implement native or third-party IGA middleware to augment the IGA tool’s traditional functionality and improve processes and data quality.
- Transform IGA architecture by evaluating emerging features such as advanced analytics (for continuous controls), policy translation/deployment (for orchestrated coverage), and dynamic entitlement services (for context-enabled access governance).
If you are interested in learning more, the following Gartner research report provides further guidance (available to Gartner subscribers):
- Guidance for Identity Governance and Administration, Published 5 July 2022 – ID G00766916