Identity and access management and identity governance and administration are two similar terms used often in the tech world, which can create some confusion. What do they mean? Are they the same thing? How are they different? What can they do for my organization?
First, while the terms are similar, they do not mean the same thing. Identity governance and administration (IGA) is the larger umbrella term. It refers to the processes that allow organizations to monitor and ensure that people’s identities and security rights remain properly managed, secure, and tracked. IGA spans business, technical, legal, and regulatory concerns for organizations.
While still an umbrella term, identity and access management (IAM) may be regarded as only one component of IGA. IAM relates more specifically to users’ digital identities and access rights as they are defined within an organization’s network, as well as the technology that manages them. IAM solutions automate (or facilitate) the creation and ongoing management of user accounts and their access rights (or “privileges”).
Because so many of today’s business processes, activities, and data require computer capabilities, the distinction between IGA and IAM has only grown more confusing. Traditionally, you might regard many regulatory or compliance efforts as only partially related to IT. In the days of massive rooms containing file cabinets filled with company documents, deciding which employees were designated as keyholders would fall under IGA.
However, now that so much of a business’s activity and resources require IT resources and storage, access control methods have changed. As IAM solutions oversee these network access rights, they increasingly execute IGA.
IAM systems carry out the IT processes relevant to an organization’s IGA strategy. IAM is “in charge” of enforcing the IGA strategy from the moment a user logs into their company user account. Every system, application, resource, folder, or file the user can access within the network is controlled by IAM.
Another way to phrase this would be to say IAM issues your digital identity’s passport and then controls what you are able to access with it.
Here are some of the many components that make up identity and access management.
Account Management
Account management covers creating accounts, provisioning their access, making changes when necessary, and disabling accounts once a user is no longer with the organization. IAM solutions allow organizations to automate these processes.
Once an automated process has been configured, an IAM solution will detect changes in a “source system” (e.g., HR system), such as the creation of a new user. When changes are detected, the IAM solution executes the associated processes and updates the relevant data in all connected systems and applications. This simplifies identity and access management so that information only has to be updated within the “source system”, eliminating the hours of manual effort once required of IT staff.
Facilitating users’ changing access needs to all of their IT resources is one of the most important aspects of ongoing IAM efforts. Automated provisioning often handles much of the work by “reprovisioning” a user every time the IAM solution detects a change in the source system. For instances that fall outside of the normal provisioning configurations, an IAM solution may also provide self-service access request functionality. This allows users to seek approval for other necessary resources related to their job, such as for temporary projects.
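The joiner/mover/leaver cycle described above, as an added example that is not code from the page or from HelloID: an HR export acts as the source system, a dictionary of target-system accounts is reconciled against it, and every change is returned as an action record of the kind an IAM solution would write to its audit log. The HR records, the account store and the role-to-entitlement table are all constructed for the example.

```python
"""Source-system-driven provisioning: joiners, movers, leavers and orphans.

Added example, not HelloID's or any vendor's code. The HR export, the
target-system account store and ROLE_ENTITLEMENTS are constructed.
"""
from dataclasses import dataclass, field

# Constructed: the entitlements each job role receives in the target system.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:read", "erp:post-journal", "mail"},
    "hr-specialist": {"hris:read", "hris:write", "mail"},
    "contractor": {"mail"},
}


@dataclass
class Account:
    user_id: str
    enabled: bool = True
    entitlements: set = field(default_factory=set)


def reconcile(hr_records, accounts):
    """Bring `accounts` (target system) in line with `hr_records` (source system).

    Returns a list of (action, user_id, detail) tuples; each one is a change
    an IAM solution would apply to connected systems and log for audit.
    """
    actions = []
    hr_by_id = {r["user_id"]: r for r in hr_records}

    for user_id, rec in hr_by_id.items():
        wanted = set(ROLE_ENTITLEMENTS.get(rec["role"], set()))
        active = rec["status"] == "active"
        acct = accounts.get(user_id)

        if acct is None:
            if active:  # joiner: create the account with the role's rights
                accounts[user_id] = Account(user_id, True, set(wanted))
                actions.append(("create", user_id, sorted(wanted)))
            continue

        if not active:  # leaver: disable and strip rights, keep the record for audit
            if acct.enabled or acct.entitlements:
                acct.enabled = False
                acct.entitlements.clear()
                actions.append(("disable", user_id, []))
            continue

        if not acct.enabled:  # rehire of a previously disabled account
            acct.enabled = True
            actions.append(("enable", user_id, []))

        # mover: reprovision to exactly the current role's entitlements
        added = wanted - acct.entitlements
        removed = acct.entitlements - wanted
        if added or removed:
            acct.entitlements = set(wanted)
            actions.append(("reprovision", user_id,
                            {"added": sorted(added), "removed": sorted(removed)}))

    # accounts with no HR record at all are orphans: disable them as well
    for user_id, acct in accounts.items():
        if user_id not in hr_by_id and acct.enabled:
            acct.enabled = False
            acct.entitlements.clear()
            actions.append(("disable-orphan", user_id, []))
    return actions


# Constructed sample data covering a mover, a joiner, a leaver and an orphan.
HR_EXPORT = [
    {"user_id": "u100", "role": "finance-analyst", "status": "active"},
    {"user_id": "u101", "role": "hr-specialist", "status": "active"},
    {"user_id": "u102", "role": "contractor", "status": "terminated"},
]
ACCOUNTS = {
    "u100": Account("u100", True, {"mail", "hris:read"}),  # moved from HR to finance
    "u102": Account("u102", True, {"mail"}),
    "u999": Account("u999", True, {"erp:read"}),           # no HR record: orphan
}


def run_sample():
    """Reconcile a fresh copy of the sample data; returns (actions, accounts)."""
    accounts = {k: Account(v.user_id, v.enabled, set(v.entitlements))
                for k, v in ACCOUNTS.items()}
    return reconcile(HR_EXPORT, accounts), accounts


if __name__ == "__main__":
    for action in run_sample()[0]:
        print(action)
```

The leaver and orphan branches disable rather than delete, so the account and its history remain available for the access reviews discussed later on the page; deleting would erase the evidence an auditor needs.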
Another component of IAM is the management of access rights. Within an organization, there are many different types and levels of access that employees may have according to their roles and responsibilities. Determining who should have access to what is the “access governance” part of IGA. Within an organization’s network, this is enforced through access controls.
Two common methods of access control are role-based and attribute-based. Role-based access control (RBAC) and attribute-based access control (ABAC) achieve similar results through slightly different methods. With RBAC, users are assigned a specific role within the network, and their access is determined according to that role’s standard needs. ABAC instead evaluates the many attributes that may be assigned to a user’s digital identity, rather than only the specification of their broader role.
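RBAC and ABAC side by side, as an added example (not code from the page or from any IAM vendor). The RBAC half answers a request from a role-to-permission table; the ABAC half evaluates rules over attributes of the subject, the resource and the request context, and reports which rules failed so a denial is auditable. The role table, the rules, and the sample subjects and resources are all constructed.

```python
"""RBAC versus ABAC for the same access request.

Added example, not from the page or any vendor. ROLE_PERMISSIONS, ABAC_RULES
and the sample subjects/resources are constructed for illustration.
"""
from dataclasses import dataclass, field

# --- RBAC: access follows from the role's standard needs -------------------
ROLE_PERMISSIONS = {
    "finance-analyst": {("ledger", "read"), ("ledger", "post")},
    "auditor": {("ledger", "read")},
    "helpdesk": {("tickets", "read"), ("tickets", "write")},
}


def rbac_allows(roles, resource, action):
    """Grant if any of the user's roles carries the (resource, action) pair."""
    return any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)


# --- ABAC: access follows from attributes of user, resource and context ----
@dataclass
class Subject:
    user_id: str
    department: str
    clearance: int                      # constructed scale: 1 (low) .. 3 (high)
    roles: set = field(default_factory=set)


@dataclass
class Resource:
    name: str
    owner_department: str
    sensitivity: int                    # same scale as clearance


@dataclass
class Context:
    network: str                        # "corp" or "internet"


# Every rule must pass (deny-overrides). Each entry is (name, predicate).
ABAC_RULES = [
    ("same department or read-only",
     lambda s, r, a, c: s.department == r.owner_department or a == "read"),
    ("clearance covers sensitivity",
     lambda s, r, a, c: s.clearance >= r.sensitivity),
    ("writes only from corp network",
     lambda s, r, a, c: a == "read" or c.network == "corp"),
]


def abac_decide(subject, resource, action, ctx):
    """Return (allowed, names_of_failed_rules) so the decision can be logged."""
    failed = [name for name, pred in ABAC_RULES
              if not pred(subject, resource, action, ctx)]
    return (not failed, failed)


if __name__ == "__main__":
    alice = Subject("alice", "finance", 2, {"finance-analyst"})
    ledger = Resource("ledger", "finance", 2)
    print("RBAC post:", rbac_allows(alice.roles, "ledger", "post"))
    print("ABAC post from internet:", abac_decide(alice, ledger, "post", Context("internet")))
```

Note what each model cannot express: RBAC has no way to say "finance analysts may post, but only from the corporate network", while ABAC needs every relevant attribute to be populated and accurate in the identity record, which is exactly the data the provisioning process is responsible for keeping current.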
Authentication and Password Management
Authentication is the process by which a user verifies their identity so that they may access their available IT resources. Most commonly, authentication is carried out by providing usernames and passwords. Once a user has completed authentication, they may access the resources that their rights allow.
IAM solutions, especially cloud-based ones such as HelloID, often enforce access controls in relation to authentication. For instance, an organization may configure access controls or policies that restrict authentication exclusively to normal working hours for security and compliance purposes. If users have no reason to access the network and their resources outside of their normal work hours, access controls may prevent authentication even if the username and password are correct. Alternatively, an access control may simply require an extra verification step for these types of login attempts. This is called multifactor authentication (MFA) and is used as an additional layer of security to prevent incidents such as data breaches.
Password management goes hand-in-hand with authentication as a user’s password is the most common method of verifying digital identities. Securely storing passwords, complexity requirements, and self-service reset capabilities all fall under password management.
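The authentication flow and the password-management concerns from the two passages above, combined into one added example that is not code from the page or from HelloID. Passwords are stored only as a per-user salt plus a PBKDF2-HMAC-SHA256 digest and compared in constant time; after the credential check, a working-hours policy decides whether to allow the login, deny it outright, or demand an MFA step before granting access. The user store, the policy values and the sample login attempts are constructed, and the iteration count is a chosen work factor, not a value from the page.

```python
"""Password verification followed by a working-hours login policy with MFA step-up.

Added example, not from the page or any vendor. The user store, Policy
defaults and sample attempts are constructed; PBKDF2 from the standard
library stands in for whatever hashing a real IAM product uses.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime

PBKDF2_ITERATIONS = 600_000  # constructed work factor for PBKDF2-HMAC-SHA256


def hash_password(password, salt=b""):
    """Return (salt, digest). Only these two values are stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so a mismatch leaks nothing about where it differs."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Policy:
    work_start: int = 8          # hour of day, inclusive
    work_end: int = 18           # hour of day, exclusive
    outside_hours: str = "mfa"   # "deny" to block, "mfa" to require a second factor


def within_working_hours(when, policy):
    """Monday to Friday, between work_start and work_end."""
    return when.weekday() < 5 and policy.work_start <= when.hour < policy.work_end


def authenticate(store, username, password, when, policy, mfa_passed=False):
    """Decide a login attempt.

    Returns "allow", "deny-credentials", "deny-outside-hours" or "mfa-required".
    Unknown usernames still burn a hash so timing does not reveal which
    usernames exist.
    """
    record = store.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # constructed dummy salt, result discarded
        return "deny-credentials"
    if not verify_password(password, record["salt"], record["digest"]):
        return "deny-credentials"
    if within_working_hours(when, policy):
        return "allow"
    if policy.outside_hours == "deny":
        return "deny-outside-hours"
    return "allow" if mfa_passed else "mfa-required"


def build_store():
    """Constructed user store: username -> {"salt": ..., "digest": ...}."""
    salt, digest = hash_password("correct horse battery staple")
    return {"alice": {"salt": salt, "digest": digest}}


if __name__ == "__main__":
    store, policy = build_store(), Policy()
    monday_night = datetime(2024, 1, 8, 22, 0)
    print(authenticate(store, "alice", "correct horse battery staple", monday_night, policy))
```

The order matters: the credential check runs first so that a policy denial is never reported for a wrong password (which would tell a caller the password was right), and the MFA branch only applies once the first factor has already succeeded.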
IAM solutions greatly assist organizations’ compliance management. As mentioned above, IAM systems enforce IGA strategies for digital identities and their access rights within IT networks. Access to systems, applications, and data impacts an organization’s compliance. By controlling access and compiling audit logs of various activities, an organization can use an IAM solution to better manage its compliance efforts.
Audit logs are an important factor in conducting access reviews for each digital identity within an organization. These access reviews are critical to ensuring ongoing compliance and that the organization’s IGA strategy has been properly adhered to. The information collected for compliance management also assists the organization in further refining its IGA strategy as well as the IAM solution’s processes that enforce it.
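An access review driven by audit logs, as an added example that is not code from the page or from any vendor. It takes a snapshot of the entitlements each identity holds, parses a few constructed audit log lines, and reports two findings per identity: entitlements never exercised during the review window (candidates for removal under least privilege) and successful activity on resources the identity is not entitled to (a provisioning or enforcement gap to investigate). The entitlement snapshot, the log format and the log lines are all constructed.

```python
"""Access review: compare entitlements held against entitlements actually used.

Added example, not from the page or any vendor. ENTITLEMENTS, the log line
format and AUDIT_LOG are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed snapshot: what the IAM solution says each identity may access.
ENTITLEMENTS = {
    "u100": {"erp", "mail", "payroll"},
    "u101": {"hris", "mail"},
}

# Constructed audit log lines: "<ISO timestamp> <user> <resource> <outcome>".
AUDIT_LOG = """\
2024-03-01T09:12:03 u100 erp success
2024-03-02T10:40:11 u100 mail success
2024-03-05T08:02:55 u101 hris success
2024-03-05T08:03:10 u101 mail success
2024-03-06T14:20:00 u101 payroll success
2024-03-07T23:58:41 u100 erp failure
2023-11-20T11:00:00 u100 payroll success
"""


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "resource": resource, "outcome": outcome})
    return events


def access_review(entitlements, events, review_end, window_days=90):
    """Return {user: {"unused": [...], "unentitled_use": [...]}}.

    Only successful events inside the window count as use; failures and
    events outside the window are ignored for the "unused" finding.
    """
    start = review_end - timedelta(days=window_days)
    used = {u: set() for u in entitlements}
    unentitled = {u: set() for u in entitlements}
    for e in events:
        if not (start <= e["ts"] <= review_end) or e["outcome"] != "success":
            continue
        user, resource = e["user"], e["resource"]
        if resource in entitlements.get(user, set()):
            used[user].add(resource)
        else:
            unentitled.setdefault(user, set()).add(resource)

    report = {}
    for user in set(entitlements) | set(unentitled):
        held = entitlements.get(user, set())
        report[user] = {
            "unused": sorted(held - used.get(user, set())),
            "unentitled_use": sorted(unentitled.get(user, set())),
        }
    return report


if __name__ == "__main__":
    for user, finding in sorted(access_review(ENTITLEMENTS, parse_log(AUDIT_LOG),
                                              datetime(2024, 3, 31)).items()):
        print(user, finding)
```

The "unentitled_use" finding is the more urgent of the two: a successful access that the entitlement snapshot does not explain means either the snapshot is stale (the provisioning process missed a change) or the target system is not enforcing what the IAM solution believes it provisioned.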
Bringing IAM Components Together
It’s important to recognize that many of the IAM components explained above often overlap. For instance, an IAM solution providing single sign-on (SSO) ties together account management, access controls, authentication, and password management:
- Account Management: An end user requires accounts for the SSO solution and all connected resources based on their current job role. The SSO solution may also provide self-service for a user to request accounts for and access to additional systems and applications.
- Access Controls: The end user may access specific IT resources from the SSO solution’s dashboard based on the rights associated with their digital identity. Access controls may also enforce when and how the end user may access those resources.
- Authentication and Password Management: To access their SSO dashboard, the user must verify themselves at an initial authentication. Once authenticated, the SSO solution verifies the user’s identity to all connected systems and applications. While this is typically carried out via secure SSO protocols and tokens, the encryption of credentials for some connected resources is one element of password management.
Ultimately, IGA and IAM go hand-in-hand and are critical to every organization. Even without automated solutions or dedicated efforts, IGA and IAM still exist in practice to enable employees, increase security, and reduce the risk of compliance violations.