Guest Post: Understanding Identity Governance and Identity Administration in the Cloud

Feb 2, 2023 | Blogs

What is IGA (Identity Governance and Administration)?

IGA combines Identity Governance and Identity Administration. It is a policy framework together with a set of security tools that lets an organization identify and mitigate identity-related access risk across its business more effectively.

Identity Governance and Administration automates the creation and management of user accounts, roles, and access rights for individual users within an organization. With IGA, organizations get a more secure, consistent, and streamlined approach to provisioning and deprovisioning, user lifecycle management, compliance and governance, password management, access certifications, and risk insight.

As more and more companies deployed identity governance and provisioning solutions together, it became clear that the roles, policies, and models provided by identity governance were foundational to provisioning and compliance operations.

With the move to cloud environments, two key changes have affected IGA. First, it became apparent that organizations need centralized visibility of how users interact with infrastructure and data across both on-premises and cloud environments. Second, the growth of non-human identities (service accounts, roles, workload identities, API keys) in the cloud creates a gap that current identity governance and administration tooling does not cover.

Why we need to THINK beyond IGA

Managing entitlements, or permissions, for your identities is an extraordinarily complex task that requires more than IGA can currently offer. IGA does not strike a good balance between on-premises and cloud permissions, particularly for non-human identities. This blind spot around the effective permissions of non-human identities is where organizations get into trouble, and it is the gap that Cloud Infrastructure Entitlement Management (CIEM) is designed to close.

Recently Gartner stated, “security and risk management leaders must combine traditional IAM approaches with CIEM to achieve efficient identity-first security management results.” As cloud adoption accelerates, the number of non-human identities is exploding, and IGA was not designed to manage them.

Currently, CIEM products enable the following across multi-cloud environments:

  • A) Human and non-human account and entitlement discovery
  • B) Multi-cloud entitlement reconciliation
  • C) Entitlement enumeration
  • D) Entitlement optimization, monitoring, and remediation

Every enterprise needs to know what its identities can access and what they can do with that access, and answering that question is beyond what IGA and IAM alone deliver. To manage environments securely, organizations need a holistic approach that determines, for every identity, its effective end-to-end permissions. This means evaluating the policies and access controls attached to the identity (directly and through any groups or roles it inherits), together with the policies attached to the resources themselves and any permission boundaries or organization-level guardrails the cloud platform applies, remembering that an explicit deny anywhere in that chain overrides an allow, and then mapping out what the identity can actually do with the result across a multi-cloud environment. This is precisely the computation CIEM performs, and it is why CIEM is crucial for non-human identities.

Beyond CIEM to include data

Every time you implement a new technology solution into your organization, you introduce a unique identity to the business, with its own set of risks. Due to digital transformation, there are far more non-human identities than human identities, which means your risk profile is increasing, often in ways and areas unknown to you.

In today’s market, CIEM capabilities let you manage identities and entitlements, policies, and resources, but the ability to manage the risk to the data behind those resources is missing.

Keeping the data view separate from the identity view is a past mistake that organizations often end up repeating. When each component is built as a separate product, you never get a complete view of identity and access that reaches all the way down to the data level.

What CIEM products don’t tell you is what kind of data is exposed by a given entitlement. If identity, entitlement, and data are viewed together, you can see where your critical access actually lies and how it is being governed.
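The following is an added example, not code from the original post or from any CIEM vendor, that shows in miniature the two computations discussed above: enumerating each identity's effective entitlements from its attached policies and an optional permission boundary (the "effective, end-to-end permissions" of the earlier section), and then joining those entitlements to a data-classification tag on each resource and to an activity log so that sensitive exposure and unused grants stand out. The policy format, the identities, the resource inventory and the activity log are all constructed for illustration in the style of AWS IAM; they are not any vendor's real schema.

```python
"""Added example: effective entitlements joined to data classification.

Everything here (policy shape, identities, resources, activity log) is a
constructed assumption loosely modelled on AWS IAM semantics: an explicit Deny
always wins, an Allow is needed for access, and a permission boundary caps
what the identity policy can grant.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed resource inventory, tagged with a data classification.
RESOURCES = {
    "bucket:customer-pii": "restricted",
    "bucket:marketing-assets": "public",
    "db:orders": "confidential",
}
# The action universe used for enumeration (constructed).
ACTIONS = ["storage:Get", "storage:Put", "storage:Delete", "db:Read", "db:Write"]
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Statement:
    effect: str            # "Allow" or "Deny"
    actions: list[str]     # glob patterns such as "storage:*"
    resources: list[str]   # glob patterns such as "bucket:*"


@dataclass
class Identity:
    name: str
    kind: str                              # "human" or "non-human"
    policies: list[Statement]
    boundary: list[Statement] | None = None  # optional Allow-only cap


def _match(pattern: str, value: str) -> bool:
    # Case-insensitive glob match, as IAM treats action names.
    return fnmatchcase(value.lower(), pattern.lower())


def _evaluate(statements: list[Statement], action: str, resource: str) -> str:
    """Return 'allow' or 'deny'. Explicit Deny beats Allow; no match is an implicit deny."""
    decision = "deny"
    for s in statements:
        hit = any(_match(a, action) for a in s.actions) and any(
            _match(r, resource) for r in s.resources
        )
        if not hit:
            continue
        if s.effect == "Deny":
            return "deny"
        decision = "allow"
    return decision


def is_allowed(identity: Identity, action: str, resource: str) -> bool:
    """Effective decision: identity policies must allow AND the boundary (if any) must allow."""
    if _evaluate(identity.policies, action, resource) != "allow":
        return False
    if identity.boundary is not None and _evaluate(identity.boundary, action, resource) != "allow":
        return False
    return True


def effective_entitlements(identity: Identity) -> set[tuple[str, str]]:
    """Entitlement enumeration: every (action, resource) pair the identity can really use."""
    return {(a, r) for a in ACTIONS for r in RESOURCES if is_allowed(identity, a, r)}


def sensitive_exposure(identity: Identity, min_level: str = "confidential") -> set[tuple[str, str]]:
    """Join entitlements to data classification: what sensitive data can this identity reach?"""
    floor = CLASS_RANK[min_level]
    return {(a, r) for a, r in effective_entitlements(identity) if CLASS_RANK[RESOURCES[r]] >= floor}


def unused_entitlements(identity: Identity, activity: list[tuple[str, str, str]]) -> set[tuple[str, str]]:
    """Optimization input: granted pairs never exercised in the (constructed) activity log."""
    used = {(action, resource) for who, action, resource in activity if who == identity.name}
    return effective_entitlements(identity) - used


# Constructed identities. Alice is scoped tightly; the ETL pipeline has a broad
# identity policy that is only reined in by its permission boundary.
ALICE = Identity("alice", "human", [
    Statement("Allow", ["storage:Get"], ["bucket:*"]),
    Statement("Deny", ["storage:*"], ["bucket:customer-pii"]),
])
ETL = Identity("etl-pipeline", "non-human", [Statement("Allow", ["*"], ["*"])], boundary=[
    Statement("Allow", ["storage:*"], ["bucket:*"]),
    Statement("Allow", ["db:Read"], ["db:*"]),
])
# Constructed activity log: (identity, action, resource).
ACTIVITY = [
    ("etl-pipeline", "storage:Get", "bucket:customer-pii"),
    ("etl-pipeline", "db:Read", "db:orders"),
    ("alice", "storage:Get", "bucket:marketing-assets"),
]

if __name__ == "__main__":
    for ident in (ALICE, ETL):
        print(ident.name, ident.kind)
        print("  effective:", sorted(effective_entitlements(ident)))
        print("  sensitive:", sorted(sensitive_exposure(ident)))
        print("  unused:   ", sorted(unused_entitlements(ident, ACTIVITY)))
```

Run as a script, the output makes the point of this section: the non-human `etl-pipeline` can read, write and delete the restricted `customer-pii` bucket even though its activity shows it only ever reads it, while `alice` ends up with a single public-bucket entitlement. A CIEM-only view would report the seven effective grants; only the join to the classification tags shows that four of them touch confidential or restricted data, and only the join to activity shows that five are candidates for removal.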

Conclusion:

A holistic solution should report on identities and their effective permissions and, just as importantly, on the resources and data those permissions reach. That is the complete view today's multi-cloud, DevOps-driven organizations need.

Ranjan Kunwar, Senior Manager Cloud Security | Identity & Access Management (IAM)