Identity governance is at the center of most organizations’ security and IT operations strategies. It allows businesses to provide automated access to an ever-growing number of technology assets, while at the same time managing potential security and compliance risks. Identity governance enables and secures digital identities for all users, applications and data.
History and Evolution of Identity Governance
Identity governance originally emerged as a new category of identity management. It was driven by the requirements of new regulatory mandates such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). Designed to improve transparency and manageability, identity governance gave organizations better visibility into identities and access privileges and better controls to detect and prevent inappropriate access.
In 2012, identity governance was recognized by Gartner as the fastest-growing sector of the identity management market. In its first Magic Quadrant focused on this market segment, Gartner stated that identity governance “is replacing user administration and provisioning as the new center of gravity for IAM.” Gartner also estimated that growth rates for identity governance would exceed 35-40% per year, based on increased incidences of well-publicized insider theft and fraud.
As more and more customers deployed identity governance and provisioning solutions together, it became clear that the role, policy, and risk models provided by identity governance were foundational to provisioning and to compliance processes. At the same time, it became clear that organizations needed centralized visibility over both on-premises and cloud applications, as well as data files across the organization.
Today’s identity governance solutions provide an integrated set of services that ensure the right access controls are in place to keep organizations secure and compliant, while enabling users to conveniently manage their daily access needs.
Why is Identity Governance Critical to Security?
In a nutshell, identity governance brings three fundamental innovations to identity management:
- Centralized Visibility: Identity governance is designed for enterprise-wide visibility over corporate resources, which it achieves by aggregating and correlating identity data across cloud and datacenter environments. This creates a single authoritative view of “who has access to what.” Once the data is centralized, identity governance solutions enable business and IT users to identify risky employee populations, policy violations and inappropriate access privileges – and to remediate these risk factors.
- Business-friendly User Interfaces: Identity governance solutions are designed to be used by business users, a requirement for effective oversight and governance of identities. Business managers can request, approve or review access data using business-friendly UIs, with clear business context, to help simplify or explain technical data. And they can access business-friendly reports, dashboards and analytical tools, giving organizations the information and metrics they need to strengthen internal controls and reduce risk.
- Consistent Identity Processes Built on Governance Model: Identity governance solutions provide consistent business processes for reviewing, requesting and approving access, and for managing passwords, underpinned by a common policy, role and risk model. This governance foundation means processes are carried out accurately and efficiently, with consistent policy enforcement, role-based access control, risk management and auditability.
What Business Problems Does Identity Governance Address?
Identity governance can help your organization effectively address today’s complex business challenges, balancing four critical objectives:
- Strengthen security and lower risk. Compromised identities caused by weak, stolen or default user credentials are a growing threat to organizations. With the centralized visibility into identity and access data that identity governance delivers, you can promptly detect inappropriate access, policy violations or weak controls that put your organization at risk. Identity governance allows you to focus your time and efforts to address your most critical issues and promptly remediate any issues that are detected.
- Improve compliance and audit performance. Identity governance allows organizations to verify that the right controls are in place to meet the security and privacy requirements of regulations like SOX, HIPAA and GDPR. Getting better control of your identity and access data, including centrally defining policy and risk, and automating your access certification process, means replacing expensive paper-based and manual processes with automated tools. By doing so, not only can you significantly reduce the cost of compliance, you can also establish repeatable practices for a more consistent, auditable, reliable and easier-to-manage access certification effort.
- Deliver fast, efficient access to the business. By giving your users timely access to the resources they need to do their jobs, identity governance enables them to become productive more quickly – and to stay productive, no matter how much or how quickly their roles and responsibilities change. It also empowers business users to request access and manage passwords, reducing the workload on help desk and IT operations teams. And with automated policy enforcement, identity governance allows you to meet service level requirements without compromising security or compliance.
- Reduce operational costs. Identity governance automates labor-intensive processes such as access certifications, access request, password management, and provisioning to dramatically cut operational costs. It can significantly reduce the time your IT staff spends on administrative tasks, because it empowers business users to easily and independently request access, manage passwords and review access.
Where to Start with Identity Governance
Experience has shown that it’s best to start an identity project with a governance foundation – a foundation that will pave the way for centralized visibility and control over identities. Here are three important steps to get your deployment off to a successful start:
- Gain centralized visibility. The starting point for any identity governance project should be to understand the current state of user access by aggregating and correlating identity data across cloud and on-premises resources. This centralized visibility will enable your organization to inventory, analyze and understand the access privileges granted to workers – in short, to know “who has access to what?”
- Conduct a baseline data cleanup. Once you’ve aggregated and correlated your identity data, it’s a good idea to conduct a “data cleanup” access certification on the centralized identity data by launching manager or application owner certifications. These baseline access reviews will help you identify errors and inappropriate access, which can be corrected before you move forward to later phases of the project.
- Invest in building a governance model. Identity governance relies on a set of preventive and detective controls to lower risk and ensure security and compliance requirements are met. A governance model effectively describes who should have access to what (via policies and roles), defines clear oversight and approval processes, and enables automatic enforcement of policies during provisioning, access request, and password changes. By building identity governance policy and controls that can be used by all identity processes, your organization can achieve ongoing, sustainable compliance and reduce the need for after-the-fact remediation.
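The three steps above can be sketched in a few lines. This is an added example, not SailPoint's code: the HR feed, the account exports, the source names and the separation-of-duties pair are all constructed for illustration. It correlates accounts from an on-premises and a cloud source to identities, then runs detective checks that produce the items a baseline certification would review.

```python
from collections import defaultdict

# Constructed sample data (not from the page): an authoritative HR feed and
# account exports from one on-premises and one cloud source.
IDENTITIES = [
    {"id": "E100", "email": "ana@example.com", "active": True},
    {"id": "E200", "email": "raj@example.com", "active": False},
]
ACCOUNTS = [
    {"source": "onprem-erp", "login": "ana", "employee_id": "E100", "email": None,
     "entitlements": ["create_vendor", "approve_payment"]},
    {"source": "cloud-crm", "login": "Ana@Example.com", "employee_id": None,
     "email": "Ana@Example.com", "entitlements": ["crm_user"]},
    {"source": "cloud-crm", "login": "raj@example.com", "employee_id": None,
     "email": "raj@example.com", "entitlements": ["crm_admin"]},
    {"source": "onprem-erp", "login": "svc_batch", "employee_id": None, "email": None,
     "entitlements": ["approve_payment"]},
]
# Hypothetical separation-of-duties policy: pairs no one identity may hold together.
SOD_POLICY = [("create_vendor", "approve_payment")]

def correlate(identities, accounts):
    """Step 1: build the 'who has access to what' view; return (view, orphans)."""
    by_id = {i["id"]: i for i in identities}
    by_email = {i["email"].lower(): i for i in identities}
    view, orphans = defaultdict(list), []
    for acct in accounts:
        # Match on employee id first, then on case-insensitive email.
        owner = by_id.get(acct["employee_id"]) or by_email.get((acct["email"] or "").lower())
        if owner:
            view[owner["id"]].append(acct)
        else:
            orphans.append(acct)  # no owner found: needs an application-owner review
    return dict(view), orphans

def findings(identities, accounts, policy=SOD_POLICY):
    """Steps 2 and 3: detective controls over the correlated view, as review items."""
    view, orphans = correlate(identities, accounts)
    active = {i["id"]: i["active"] for i in identities}
    out = [("orphan_account", a["source"], a["login"]) for a in orphans]
    for ident, accts in sorted(view.items()):
        held = {e for a in accts for e in a["entitlements"]}
        if not active[ident]:
            out += [("inactive_identity_access", ident, a["source"]) for a in accts]
        out += [("sod_violation", ident, f"{x}+{y}") for x, y in policy
                if x in held and y in held]
    return out

if __name__ == "__main__":
    for item in findings(IDENTITIES, ACCOUNTS):
        print(item)
```

The same policy table can be evaluated at request time as a preventive control, so a violating combination is rejected before it is provisioned rather than found in a later review.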
Common Misconceptions About Identity Governance
The identity management market has many solution categories and the choices change rapidly, leading to some confusion about identity governance. Here are three common misconceptions that every organization should be aware of:
- Myth: Identity governance software must be installed on-premises. While it’s true that the first identity governance solutions on the market were installed on-premises, today there are cloud-based options for identity governance as well. In fact, SailPoint IdentityNow provides access certifications, access request, provisioning, and password management as cloud-based services.
- Myth: Identity governance is not designed for managing cloud applications. This perception is completely false. In fact, identity governance solutions provide rich connectivity options that enable unified management across cloud and on-premises resources. All identity governance capabilities, including access certification, access request, password management, and provisioning, are cross-domain, meaning they can be used for cloud and on-premises applications.
- Myth: If your organization isn’t subject to regulatory compliance, you don’t need identity governance. This is probably the most serious misconception – as it places organizations at serious risk of cyberattacks. In fact, identity governance is a critical component of any security strategy. Because hackers are constantly attempting to steal user credentials, protecting identities is paramount to ensuring cyber thieves do not capture the keys to the kingdom. Even if your organization is not subject to regulatory compliance, you need identity governance to protect user accounts and privileges – and ensure effective access control.
How does our open cloud identity governance platform help your business?
We make it possible for you to see and control access to all apps and data for all users, including non-human ones like bots.