Identity and access management and identity governance and administration are two similar terms used often in the tech world, which can create some confusion. What do they mean? Are they the same thing? How are they different? What can they do for my organization?
First, while the terms are similar, they do not mean the same thing. Identity governance and administration (IGA) is the larger umbrella term. It refers to processes that allow organizations to monitor and ensure that peoples’ identities and security rights remain properly managed, secure, and tracked. IGA spans business, technical, legal, and regulatory concerns for organizations.
While still an umbrella term, identity and access management (IAM) may be regarded as only one component of IGA. IAM more specifically relates to users’ digital identities and access rights as they are defined within an organization’s network, as well as the technology resources that manage such. IAM solutions automate (or facilitate) the creation and ongoing management of user accounts and their access rights (or “privileges”).
Because so much of today’s business processes, activity, and data requires computer capabilities, the distinction between IGA and IAM has only grown more confusing. Traditionally, you might regard many regulatory or compliance efforts as only partially related to IT. In the days of massive rooms containing file cabinets filled with company documents, which employees were designated as keyholders would fall under IGA.
However, now that so much of a business’ activity and resources require IT resources and storage, access control methods have changed. As IAM solutions oversee these network access rights, they increasingly execute IGA.
IAM systems carry out the IT processes relevant to an organization’s IGA strategy. IAM is “in charge” of enforcing the IGA strategy from the moment a user logs into their company user account. Every system, application, resource, folder, or file the user can access within the network is controlled by IAM.
Another way to phrase this would be to say IAM issues your digital identity’s passport and then controls what you are able to access with it.
Here are some of the many components that make up identity and access management.
This oversees creating accounts, provisioning their access, making changes when necessary, and disabling accounts once a user is no longer with the organization. IAM solutions allow organizations to automate these processes.
Once an automated process has been configured, an IAM solution will detect changes in a “source system” (e.g., HR system), such as the creation of a new user. When changes are detected, the IAM solution executes the associated processes and updates the relevant data in all connected systems and applications. This simplifies identity and access management so that information only has to be updated within the “source system”, eliminating the hours of manual effort once required of IT staff.
Facilitating users’ changing access needs to all of their IT resources is one of the most important aspects of ongoing IAM efforts. Automated provisioning often handles much of the work by “reprovisioning” a user every time the IAM solution detects a change in the source system. For instances that fall outside of the normal provisioning configurations, an IAM solution may also provide self-service access request functionality. This allows users to seek approval for other necessary resources related to their job, such as for temporary projects.
Another component of IAM is the management of access rights. Within an organization, there are many different types and levels of access that employees may have according to their roles and responsibilities. Determining who should have access to what is the “access governance” part of IGA. Within an organization’s network, this is enforced through access controls.
Two methods for access control are role- or attribute-based. Role-based access control (RBAC) and attribute-based access control (ABAC) achieve similar results through slightly different methods. With RBAC, users are assigned a specific role within the network, with their access determined according to that role’s standard needs. ABAC operates off of the many attributes that may be assigned to a user’s digital identity instead of just the specification of their broader role.
Authentication and Password Management
Authentication is the process by which a user verifies their identity so that they may access their available IT resources. Most commonly, authentication is carried out by providing usernames and passwords. Once a user has completed authentication, they may access the resources that their rights allow.
IAM solutions, especially cloud-based ones such as HelloID, often enforce access controls in relation to authentication. For instance, an organization may configure access controls or policies that restrict authentication exclusively to normal working hours for security and compliance purposes. If users have no reason to be accessing the network and their resources outside of their normal work hours, access controls may prevent authentication even if the username and password are correct. Alternatively, an access control may simply require an extra verification step for these types of login attempts. This is called multifactor authentication (MFA) and is used as an additional layer of security to prevent things such as data breaches.
Password management goes hand-in-hand with authentication as a user’s password is the most common method of verifying digital identities. Securely storing passwords, complexity requirements, and self-service reset capabilities all fall under password management.
IAM solutions greatly assist in organizations’ compliance management. As mentioned above, IAM systems enforce IGA strategies for digital identities and their access rights within IT networks. Access to systems, applications, and data impact an organization’s compliance. By controlling access and compiling audit logs over various activities, an organization can use an IAM solution to better manage its compliance efforts.
Audit logs are an important factor in conducting access reviews for each digital identity within an organization. These access reviews are critical to ensuring ongoing compliance and that the organization’s IGA strategy has been properly adhered to. The information collected for compliance management also assists the organization in further refining their IGA strategy as well as the IAM solution’s processes that enforce such.
Bringing IAM Components Together
It’s important to recognize that many of the IAM components explained above often overlap. For instance, an IAM solution providing single sign-on (SSO) ties together account management, access controls, authentication, and password management:
- Account Management: An end user requires accounts for the SSO solution and all connected resources based on their current job role. The SSO solution may also provide self-service for a user to request accounts for and access to additional systems and applications.
- Access Controls: The end user may access specific IT resources from the SSO solution’s dashboard based on the rights associated with their digital identity. Access controls may also enforce when and how the end user may access those resources.
- Authentication and Password Management: To access their SSO dashboard, the user must verify themselves at an initial authentication Once authenticated, the SSO solution verifies the user’s identity to all connected systems and applications. While this is typically carried out via secure SSO protocols and tokens, the encryption of credentials for some connected resources is one element of password management.
Ultimately IGA and IAM go hand-in-hand and are critical to every organization. Even without automated solutions or dedicated efforts, IGA and IAM still exist in practice to enable employees, increase security, and reduce the risk of compliance violations.
IAM vs. IGA
IAM is the umbrella term for the structures and processes within an organization that administer and manage users’ access to resources, often through automation (e.g., provisioning). Predominantly for IT resources, these management processes mostly deal with user accounts, network access rights, privileges, and (AD) group memberships.
Identity and access management is important for organizations because enforcing access controls while enabling employees promotes efficiency, security, and compliance.
Manual IAM requires significant time and effort to execute but remains prone to oversights, slow execution, and data entry errors. Manual provisioning also typically requires unnecessary administrator-level permissions for Tier 1 staff, inherently increasing security risks.
Automating IAM allows your organization to increase efficiency and security, virtually eliminate errors and delays, and reclaim significant IT bandwidth. By connecting your HR system to Active Directory (or another directory service), you can create, provision, and manage users/groups; assign role- or attribute-based access; and secure your entire IT environment with rapid process execution over every user’s complete lifecycle—from onboarding to offboarding.
Identity governance isn’t just for large organizations operating in industries with strict regulations. If your organization uses IT resources, digital identities and their access rights must be managed. Users will always need accounts created, provisioned, and updated throughout their employment. When an employee departs, their accounts and access must be deactivated or it contributes to network pollution, lack of insight, and security risks.
Aside from operational benefits, identity governance (and IAM solutions) are critical for security. An identity solution that enforces strict authentication and access controls helps keep malicious intruders outside of your network and systems.
Identity and access management solutions should enable your employees, enforce access controls, increase insight, and assist with compliance efforts.
An IAM solution should automate configurable processes, such as provisioning, provide self-service for simple changes and access requests, and compiled audit logs of tracked management activities.
Cloud resources can present a significant management challenge for provisioning, access control, and security. Cloud-based IAM solutions, such as HelloID, connect to all of your cloud resources to extend traditional functionality off-premise. In addition, cloud-based IAM solutions likely offer single sign-on (SSO) for the connected systems and applications.
Cloud-based IAM solutions are often capable of integrating with both cloud and on-premise IT resources.