In the past, software was on-premise, there wasn't much of it, and some of it didn't even have an Internet connection.
Today, every employee uses a large number of applications (it's difficult to give an average, as it depends on the size of the company and the sector in which it operates), and managing access to them is becoming a headache for the IT department.
Cybercrime is at a very high level, and every access granted becomes a gateway into the company if it is not configured correctly.
For example, can you be sure today that no accesses remain open for departed users? Or that every user is set up with the right security group and accesses?
What is Identity Governance and Administration?
Identity governance and administration ensures that users have the right mix of access to information system resources (systems, applications and data), in line with their role and business needs.
This makes it possible to improve visibility of privileges, control and manage identities and access, provide traceability of actions and manage user lifecycles.
This is how IGA works: it centralizes information from several sources (HR, applications, IT), lists rights and then works to ensure that they are respected.
An IGA solution supports both SaaS and on-premise software, so rights and access must be finely managed across both.
What's the background to IGA?
As I said in my introduction, companies have become highly digitalized, and the Covid period has seen a proliferation of SaaS solutions.
Cyber-attacks are permanent and on the increase, and internal security breaches are multiplying as the number of applications per user increases. IT processes are becoming increasingly complex.
SaaS solutions are easy to install in the enterprise, which can create shadow IT when they are adopted outside the IT department's control. The rights granted are often very broad, and license management is difficult to maintain.
BYOD, or Bring Your Own Device, is very popular with users, but requires a great deal of expertise on the part of the IT department.
IT budgets are tending to increase, but you have to be a shrewd strategist to balance the needs of users (in the interests of productivity) on the one hand, and the security requirements of IS supervision on the other.
Lastly, on the security front, audits are required in several sectors, and compliance must be achieved. This requires account reviews and a precise vision of the information system at any given moment.
Quickly, what is the purpose of an identity governance and administration tool?
It makes it possible to:
- quickly open and close user accesses
- monitor and control user access
- detect and prevent inappropriate access
- give the right users the right access and rights
- reduce risk, comply
- save process time and have well-structured processes
IAM/GIA, IGA: I'm lost in these acronyms!
Two explanations for this confusion:
- IT people are in a hurry and don't have time to talk about anything else. "Hey, you're throwing me the process in IAM part IGA to automate in ITSM, ASAP!"
- or the field encompasses several parts, whose specifics we will now see.
Identity and Access Management (IAM) focuses on the management of user access and identities within an IT system, while Identity Governance and Administration (IGA) concentrates on the management and monitoring of identity and access policies at enterprise level. IAM and IGA are often used together to ensure centralized and consistent control of access and identity within a company. IAM provides the technical mechanisms to control access, while IGA defines the policies and processes to determine who has access to what, and under what conditions.
IGA is a branch of IAM: the administrative part, not the technical part.
IAM covers access to servers and applications, authentication, SSO, MFA, Active Directory administration, web access management and identity federation, and administrative functions.
IAM is the invisible part, which enables you to set up the major parameters, while IGA is the visible part, which enables you to manage automations and connections.
Having only the technical part, IAM, is likely to be very difficult to use without the IGA part.
IAM and IGA make it possible to establish a single identity repository and a single application repository.
As for GIA, it is simply the French acronym for IAM: Identity and Access Management.
What are the characteristics of IGA?
I'm going to approach this part by including how it operates alongside an IAM, because IGA can't really work without the identity and access management structure.
An IGA can be used to optimize user lifecycles, manage provisioning and deprovisioning, and highlight security vulnerabilities.
To achieve this, the solution needs to connect to your various applications and HR sources.
Connectors therefore play an important role. They enable parameter information to be read and written (sometimes only read, depending on their settings) into applications, so that users can access the right functions with the right rights.
An IGA solution, in conjunction with an IAM, is there to automate processes and ensure the reliability of actions and information.
When the HRIS (or HR source) and all connectors (AD or user directory, Microsoft 365, Google Workspace, Exchange, Salesforce...) exchange information bidirectionally with the IGA solution, account, user and application information is centralized.
When we speak of bidirectional exchange, this means that the solution enables account provisioning at the time of arrivals and account deprovisioning at the time of departures.
The cross-referencing of HR and IT information makes it possible to establish a single user repository and a single account repository.
IGA automates the centralization and cross-checking of information. Then, once everything has been set up correctly, we can move on to the workflows stage to create action sequences in an onboarding or offboarding context.
What functionalities can be found in an identity governance and administration tool?
The main features of an identity governance and administration tool are:
- alignment checks
- financial review
- highlighting errors or anomalies
- highlighting unused licenses
- authorization management
- visibility of provisioning and deprovisioning histories and logs (and other account modifications)
These features are of great interest because they allow you to:
- manage user lifecycles: arrival, movement, departure
- see at all times whether a user's job matches their security group
- find in a user's record all accesses granted and applications attached to them
- satisfy employees by giving them the right access, right from the start
- save time and reduce mental workload for HR and IT staff
- have a better understanding of the workforce at any given moment
- finer control over licenses, since you can see which licenses are in use and which are not
- know all accounts in the IS (active and suspended)
What advantages does an IGA system have for corporate security?
Companies are required to have a high-performance information system, complying with legal obligations (internal control procedures, RGPD (GDPR)), with a secure, available, reliable IS.
To ensure security, companies need to master the management of access rights and authorizations, among other things.
This involves reconciling users with their accounts. The first step is to cross-check all HR sources and users, paying attention to current movements (arrivals, departures, changes of post).
Then, as a second step, all the accounts need to be extracted and linked to users.
We will need to deduplicate and suspend/delete accounts for users who have left.
By the time this work has been carried out, the result will already be obsolete, as user movements, provisioning and deprovisioning will have taken place.
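The reconciliation described in the three steps above, written out as an added example (this is not code from the original article, nor from any IGA product). The HR feed and the multi-application account export are constructed sample data, and their field names are assumptions; the point is to show what the cross-check actually surfaces: departed users whose accounts are still enabled, accounts with no HR record behind them, duplicate accounts, and active employees with no directory account.

```python
"""Reconcile an HR feed against accounts exported from several applications.

Added example for the article's reconciliation steps; the data below is
constructed and the record formats are assumptions, not a vendor's schema.
"""

# Constructed HR feed: one record per employee with the current HR status.
HR_FEED = [
    {"employee_id": "E001", "email": "alice@example.com", "status": "active"},
    {"employee_id": "E002", "email": "bob@example.com", "status": "left"},
    {"employee_id": "E003", "email": "carol@example.com", "status": "active"},
    {"employee_id": "E004", "email": "dave@example.com", "status": "active"},
]

# Constructed account export (AD, Microsoft 365, Salesforce) with the
# login and whether the account is currently enabled.
ACCOUNTS = [
    {"app": "AD", "login": "alice@example.com", "enabled": True},
    {"app": "AD", "login": "bob@example.com", "enabled": True},       # departed, still enabled
    {"app": "AD", "login": "carol@example.com", "enabled": True},
    {"app": "M365", "login": "Alice@Example.com", "enabled": True},   # same person, different case
    {"app": "M365", "login": "bob@example.com", "enabled": False},    # already suspended
    {"app": "Salesforce", "login": "alice@example.com", "enabled": True},
    {"app": "Salesforce", "login": "svc-backup@example.com", "enabled": True},  # no HR record
    {"app": "AD", "login": "ALICE@example.com", "enabled": True},     # duplicate of alice in AD
]


def normalize(login):
    """Logins come back from each application in different forms; compare
    them case-insensitively so the same person is matched across apps."""
    return login.strip().lower()


def reconcile(hr_feed, accounts):
    """Cross-check accounts against HR and return the anomalies to act on.

    orphans:          accounts with no matching HR identity
    departed_enabled: enabled accounts belonging to users HR marks as left
    duplicates:       the same login appearing twice in the same application
    missing:          active employees with no enabled directory (AD) account
    """
    users = {normalize(r["email"]): r for r in hr_feed}
    result = {"orphans": [], "departed_enabled": [], "duplicates": [], "missing": []}
    seen = set()
    for acct in accounts:
        key = (acct["app"], normalize(acct["login"]))
        if key in seen:
            result["duplicates"].append(key)
            continue
        seen.add(key)
        user = users.get(key[1])
        if user is None:
            result["orphans"].append(key)
        elif user["status"] == "left" and acct["enabled"]:
            result["departed_enabled"].append(key)
    # An active employee with no enabled AD account will not get their
    # application access provisioned; flag them for the onboarding workflow.
    ad_logins = {normalize(a["login"]) for a in accounts if a["app"] == "AD" and a["enabled"]}
    for login, user in users.items():
        if user["status"] == "active" and login not in ad_logins:
            result["missing"].append(login)
    return result


if __name__ == "__main__":
    for category, items in reconcile(HR_FEED, ACCOUNTS).items():
        print(f"{category}: {items}")
```

The "departed_enabled" list is the one the article warns about: open accesses for departed users. Run by hand, this report is stale as soon as the next movement happens, which is exactly why the article argues for the IGA tool to run the cross-check continuously rather than as a one-off project.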
An IGA and an IAM have the advantage of automating HR/IT synchronization and providing an immediate account review.
Security groups are defined in AD and imported into the IGA solution, enabling alignment to be verified.
The system must also be able to manage the temporary allocation of rights. This will ensure that no security loopholes are created when granting temporary rights or access.
Other points that facilitate information system security management:
- Restrict access to AD. When using an IGA system, the IT department can restrict those authorized to access the Active Directory to the strict minimum, since account creation and suspension are automated.
- Limit access to the IGA solution. Access can be finely tuned and can be granted to HR, managers or the IT department. Access can be granted for the creation of certain accounts, or only for reading or validating access requests, or even full access to all functionalities.
- Limit the number of security groups. The multiplication of security groups makes them difficult to manage over time. You may want to limit the creation of security groups and 'force' the people in charge of creating accounts to choose from a list of groups.
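The alignment check between a user's job and their security groups, the expiry of temporary rights, and the "choose from a list of groups" rule from the last bullet, combined in one added example (not code from the original article or from any IGA product). The role model, the directory membership export and the temporary grants are all constructed sample data, and the idea of keying entitlements on a job title is an assumption about how the role model is organized.

```python
"""Verify that directory group membership matches the role model, and that
temporary grants have not outlived their end date.

Added example; all data below is constructed and the role-model layout is
an assumption, not a vendor's schema.
"""
from datetime import date

# Constructed role model: the groups each job is entitled to. Keeping this
# list short and authoritative is what lets account creators pick from it
# instead of inventing new security groups.
ROLE_GROUPS = {
    "accountant": {"GG-Finance-Users", "GG-ERP-Read"},
    "developer": {"GG-Dev-Users", "GG-Git-Write"},
}

# Constructed directory export: job (from HR) and actual group membership
# (from AD) per user, as the IGA tool would see them after synchronization.
MEMBERSHIP = {
    "alice@example.com": {"job": "accountant",
                          "groups": {"GG-Finance-Users", "GG-ERP-Read", "GG-Git-Write"}},
    "carol@example.com": {"job": "developer", "groups": {"GG-Dev-Users"}},
}

# Constructed temporary grants recorded in the IGA tool, each with an end date.
TEMP_GRANTS = [
    {"user": "alice@example.com", "group": "GG-Git-Write", "expires": date(2024, 5, 1)},
    {"user": "carol@example.com", "group": "GG-ERP-Read", "expires": date(2024, 12, 31)},
]


def check_alignment(membership, role_groups, temp_grants, today):
    """Return findings per user: groups beyond the role model that no valid
    temporary grant explains, groups the role requires but the user lacks,
    and expired temporary grants that are still in effect in the directory."""
    findings = {}
    for user, info in membership.items():
        expected = role_groups.get(info["job"], set())
        actual = info["groups"]
        own_grants = [g for g in temp_grants if g["user"] == user]
        valid = {g["group"] for g in own_grants if g["expires"] >= today}
        expired = sorted(g["group"] for g in own_grants
                         if g["expires"] < today and g["group"] in actual)
        # Excess membership is what remains once both the role model and any
        # temporary grant (valid or expired, reported separately) are removed.
        excess = sorted(actual - expected - valid - set(expired))
        missing = sorted(expected - actual)
        if excess or missing or expired:
            findings[user] = {"excess": excess, "missing": missing, "expired": expired}
    return findings


def findings_on(today_iso):
    """Run the check on the sample data for a given day (ISO date string)."""
    return check_alignment(MEMBERSHIP, ROLE_GROUPS, TEMP_GRANTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, f in findings_on("2024-06-01").items():
        print(user, f)
```

Running the check on 1 April 2024 reports only Carol's missing developer group, because Alice's write access to Git is still covered by her temporary grant; on 1 June the same membership is reported as an expired grant that the deprovisioning workflow should now revoke. That is the "no security loophole when granting temporary rights" requirement turned into something the tool can evaluate every day.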
In a nutshell
An Identity Governance and Administration system, coupled with a more global Identity and Access Management system, will help to ensure several crucial points for the company and its security.
IGA will really be the visible overlay, but it needs its invisible underlay, which will enable the synchronization between HR and IT data needed for automated provisioning and deprovisioning.
An IGA system should help you in your day-to-day management, and ease of use should be a key factor.