Identity and Access Management vs. Identity and Access Governance

Identity and access management and identity and access governance are two similar terms which are often used in the tech world, which can be quite confusing. What do they mean? Are they the same thing? What do they encompass, and what can they do for my organization?

First, while the terms are similar, they do not mean the same thing. Identity and Access Governance (IAG) is the larger umbrella term. It refers to a process that allows organizations to monitor and ensure that identities and security rights are correct, as well as managed effectively and securely. It encompasses everything from business, technical, legal and regulatory issues for organizations. Identity and Access Management (IAM), on the other hand is only one component of IAG. IAM as a term is the technology for managing these user identities and their access privileges for various systems and platforms. There are then many components that make up of the concept of IAM.

Here are some of the many components that make up identity and access management.

• Account Management – This is the management of creating accounts, making changes when necessary, and disabling accounts once the end user is no longer with the organization. IAM solutions allow organizations to automate these processes so that they need only to make a change in the source system and all connected systems and applications will automatically be updated.

• Role Based Access Control/ Access Governance – Another component of IAM is the management of access rights. Within an organization there are many different types and levels of access that employees may have, and employees need to have access to the correct systems and applications to perform their jobs. The primary function of access management is to guarantee that users can only access applications and network resources that are strictly necessary for their work within the organization.

• Compliance Management – This component is used to monitor what is taking place in the IT infrastructure, and making the appropriate changes. All user actions are stored and can be correlated to the access privileges that have been assigned. The relevant data is collected, correlated, analyzed and reported for audit purposes. The findings can also be used to refine IAM rules and to control processes. You can read more about compliance management in our blog post ‘Why organizations need automated reporting’.

• Password/ Authentication Management – This component is used to verify whether a user’s identity matches the person he or she claims to be. This includes traditional methods, such as user name and password combinations that include single sign-on and self-service password resets. It also encompasses more recent authentication methods like biometrics, two-factor authentication and portal SSO.

Overall, it is important to understand the many components of IAM and IAG so as to determine which of them can be helpful to your organization. Many of these components can assist your organization in automating processes and making them more efficient for your employees.