What Identity Governance is (Not)

I often catch articles in my newsfeed that are supposedly about identity governance, but upon reading the fine print, they invariably wind up being about access management. These articles are all missing the bigger picture – access management is essentially the ‘badge reader’ of identity, the granting of access to the proverbial building. But access is just the beginning, and to be honest, without the intelligence that identity governance provides, access management can become a source of exposure for businesses if done in a silo without the identity governance ‘brains’ backing it up.

It bears reiterating, then, what identity governance is, and what it is not.

What Identity Governance is (not)

Identity governance historically has come with a reputation of being this complicated hard ‘thing’ that most companies will never fully need if they have ‘good enough’ access management in place. But access management is no replacement for identity governance. Identity governance and access management are not an ‘either/or’ scenario, despite what your newsfeed may be trying to sell you on.

And here’s why: without identity governance backing up your access management decisions, you’re opening the business up to potential risk the very moment you authorize a user with access to whatever application or data they’ve requested to do their job. You need the identity ‘brains’ to know that the person authenticating in actually should have access to their role and what precisely that access entails. And ideally, that should happen dynamically, at the time of authentication.

This is where ‘governing’ vs. ‘managing’ access is critical. By governing access, you’re putting parameters around a users’ access. In simple terms, governance would say: Yes, they can enter the front door, but they can only access their office, the lunchroom, and the elevators. And no, they cannot enter the finance department or payroll or the executive suite. Managing access without identity governance is essentially opening the door and letting users roam the entire building, ungoverned.

What Identity Governance is

Identity governance is intelligent. It knows ‘who should have access to what’ for every single user across the business. It does this by using context (think user location, attributes, job function, current projects, the device used, etc…) to determine this. That includes both human and non-human users and applies to every single application, piece of data, and infrastructure that your users have access rights to.

Identity governance is enablement. With identity governance backing up every single identity decision made (e.g. “should access to the HR payroll system be granted to Joe in Facilities?”), the business can run full steam ahead, with the confidence that every access decision is scrutinized and fulfilled by the identity platform but also by being documented with a detailed audit trail. Add in AI and ML technologies, and now you have an even more intelligent identity program that learns your organization’s access patterns that no longer requires a human to make such decisions. Instead, you automate these decisions, accelerate delivery of access and increase overall productivity. The good news is that identity doesn’t have to be complex. It can be simple, autonomous and even predictive.

And finally, identity governance is security.  Yes, identity IS security. It’s not just about opening the front door. It’s about opening the door with confidence that the person stepping over the threshold not only belongs there but can walk about the areas of the building they need to, but with guardrails around the areas of the building they do not belong.

To my earlier point, identity governance doesn’t have to be hard. Today’s identity governance has come light years ahead of where it once was or was perceived to be. It’s no longer ‘just’ something businesses use to certify access and to stay in compliance. Identity has become the security foundation of today’s digital enterprise. It can be both your IT wingman and your business accelerator.  Without it, you’re kind of in the stone ages. With it, you can trailblaze new paths with confidence.

This blog originally appeared in Security Magazine.