The purpose of this article is to share an overview of the field of Identity Governance and Administration (IGA), a branch of Identity and Access Management (IAM). I have been a cybersecurity consultant for four years: I spent two years integrating IGA solutions (specifically SailPoint's IdentityIQ solution) and have spent the last two years developing a reporting and dashboard solution for IAM tools.
What is IAM?
IAM is a field of cybersecurity that covers identity management, authorization (the access rights granted to an identity), and access control (authenticating users and enforcing those rights). The general idea is to give the right access to the right resource to the right person at the right time for the right reason.

The main activities of IAM
The challenges
IAM is a vast field that is little known to the general public, but it has become indispensable with the recent proliferation of connected devices, access points, and IT users. This rapid growth calls for professional, organized identity and access management.
The financial stakes
Implementing an IGA solution is a financial investment that ultimately reduces costs in multiple areas.
Access management enables better management of paid licenses: you stop paying, unknowingly, for licenses tied to accounts nobody uses. Automating repetitive tasks reduces the amount of human work required on the information system (IS): the solution handles any task for which a process or policy can be defined.
Productivity costs are reduced. New arrivals have the right access from day one, processes are faster and smoother, information is centralized, and incident response is faster: all of these factors remove barriers to employee productivity. IT security is a financial issue in its own right: reducing security risk also reduces the associated financial exposure.
The security challenge
IAM helps prevent intrusions, secure access, and trace changes to information as well as the actions performed in the IS. Beyond limiting malfunctions, it improves the IS's response to attacks and incidents.
A well-run IAM system helps prevent cyberattacks and minimize their impact by providing a comprehensive overview of access and enabling the prompt revocation of compromised or inappropriate access.
All this without complicating access for those who have a legitimate need for the resources. IAM solutions strike a balance between data security (keeping data out of reach of everyone who does not need it) and a smooth experience for the employees who legitimately need that data.
Access policies are automated and explicit: this drastically reduces errors and speeds up their remediation when needed.
Streamlining the employee experience
As mentioned earlier, the employee experience is greatly streamlined thanks to IAM solutions.
Information is centralized in a single repository, making it easier to search for identities and authorizations.
Employees receive the authorizations necessary for their job and have them withdrawn when they are no longer needed: process automation greatly reduces the burden of searching for rights, the risk of obtaining unnecessary rights, and the wait for approval for access rights that are essential to the task at hand.
Access management solutions make navigation within IT applications smoother and more secure. One example is Single Sign-On (SSO): the user authenticates once with a central identity provider and is then admitted to every connected application without logging in again; because that single credential then opens everything, it should be protected by multi-factor authentication. At the same time, security policies are enforced automatically: password policies require users to have a password that meets IT requirements, and rotation policies force it to be renewed periodically. (Current guidance such as NIST SP 800-63B recommends against forced periodic rotation unless compromise is suspected, since it tends to produce weaker, predictable passwords.)
The different branches of IAM

IGA: Identity Governance and Administration
IGA is the management and administration of identities and their authorizations (or access rights). The goal is to ensure that IS users have the right authorizations for the right resources at the right time, in accordance with their job, their needs, and company policies.

The big questions IGA faces and how to answer them
IGA enables you to manage the stages of the identity lifecycle, provides visibility into the identities present in the IS, and keeps a record of past events.
IGA also manages authorizations and implements the policies that govern how they are granted and revoked.
IGA provides greater visibility into the IS: information is centralized, processes are automated, and reports and dashboards make it possible to monitor how the IS evolves.
IGA tools are implemented to automate identity and authorization management processes with less risk of human error, greater efficiency, and continuous control.
IGA solutions
The IGA solutions deployed in practice are vendor products.
These are very rich frameworks in which the features the customer wants are implemented through the graphical interface and through scripts or custom code.
There are many IGA solutions available, and vendors offer a range of options: some are less expensive and less customizable but quick to implement, while others are more expensive and offer a wide range of features and settings, including near-unlimited customization through custom components developed and integrated into the framework.
These solutions can be on-premises or available in the cloud, depending on the vendor and the customer's environment.
A customizable user interface lets the different stakeholders (users, managers, administrators, etc.) monitor and manage the state of the IS, within the rights they have been granted in the IGA solution itself.

The main areas of focus of IGA

Identity management
IGA encompasses identity management and identity lifecycle management within the customer's organization. Building a single, centralized identity repository simplifies management and improves anomaly detection.
Events in an employee's life are detected by the solution, typically from an authoritative source such as the HR system: hiring, transfers, leave, departures, etc. Detecting an event triggers the associated process in accordance with IT policies (adding or removing rights, computing derived attributes, sending notifications, etc.).
The primary objective of this axis is to store and maintain the important identity-related information as an identity record (last name, first name, job title, contract start and end dates, manager, etc.). Each attribute is either read from a source or computed, then stored on the identity.
These attributes can also be written to, modified in, or deleted from applications through the solution's provisioning (write) capability. This keeps identity information synchronized between the IGA solution and the IS applications.
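To make the lifecycle mechanism concrete, here is an added example (not the author's code and not any IGA product's). It diffs two constructed snapshots of an HR feed to detect joiner, mover and leaver events, then maps each event to the provisioning actions an assumed policy would trigger. The field names, the birthright table, the action vocabulary and the sample records are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HR extracts (not real data): the previous and current snapshot of an
# authoritative feed, keyed by employee id. "end" is the contract end date, if any.
HR_PREVIOUS = {
    "E100": {"title": "Accountant", "dept": "Finance", "manager": "E001", "end": None},
    "E101": {"title": "Developer", "dept": "IT", "manager": "E002", "end": None},
    "E102": {"title": "Buyer", "dept": "Purchasing", "manager": "E003", "end": "2024-05-31"},
}
HR_CURRENT = {
    "E100": {"title": "Accountant", "dept": "Treasury", "manager": "E004", "end": None},      # transfer
    "E101": {"title": "Developer", "dept": "IT", "manager": "E002", "end": None},              # unchanged
    "E102": {"title": "Buyer", "dept": "Purchasing", "manager": "E003", "end": "2024-05-31"},  # end date reached
    "E103": {"title": "Analyst", "dept": "Finance", "manager": "E001", "end": None},          # new hire
}

# Assumed birthright entitlements ("app:group") per department: granted on arrival,
# swapped on transfer, removed on departure.
BIRTHRIGHT = {
    "Finance": ["erp:finance_user"],
    "Treasury": ["erp:treasury_user", "bank_portal:reader"],
    "IT": ["gitlab:developer"],
    "Purchasing": ["erp:buyer"],
}


@dataclass(frozen=True)
class Event:
    kind: str                 # "joiner", "mover" or "leaver"
    employee_id: str
    old: Optional[dict]       # previous HR record (None for a joiner)
    new: Optional[dict]       # current HR record (None if the person vanished from the feed)


def _ended(rec, on):
    """True if the record carries a contract end date that is reached on date `on`."""
    return bool(rec and rec["end"] and date.fromisoformat(rec["end"]) <= on)


def detect_events(previous, current, prev_date, cur_date):
    """Diff two snapshots taken on prev_date/cur_date (ISO strings); return lifecycle events."""
    p_on, c_on = date.fromisoformat(prev_date), date.fromisoformat(cur_date)
    events = []
    for eid, rec in current.items():
        old = previous.get(eid)
        if old is None:
            events.append(Event("joiner", eid, None, rec))
        elif _ended(rec, c_on) and not _ended(old, p_on):
            events.append(Event("leaver", eid, old, rec))      # end date reached since last run
        elif any(old[k] != rec[k] for k in ("dept", "title", "manager")):
            events.append(Event("mover", eid, old, rec))
    for eid in previous.keys() - current.keys():
        events.append(Event("leaver", eid, previous[eid], None))  # silently dropped from the feed
    return events


def plan_actions(event):
    """Map one event to the ordered provisioning actions of an assumed lifecycle policy."""
    actions = []
    if event.kind == "joiner":
        actions.append(("create_account", "ad"))
        actions += [("grant", e) for e in BIRTHRIGHT.get(event.new["dept"], [])]
        actions.append(("notify", event.new["manager"]))
    elif event.kind == "mover":
        before = set(BIRTHRIGHT.get(event.old["dept"], []))
        after = set(BIRTHRIGHT.get(event.new["dept"], []))
        actions += [("revoke", e) for e in sorted(before - after)]
        actions += [("grant", e) for e in sorted(after - before)]
        # Rights a mover keeps from the previous job are the classic accumulation
        # risk, so the new manager is asked to certify everything that remains.
        actions.append(("certify_remaining_access", event.new["manager"]))
    elif event.kind == "leaver":
        actions += [("disable_account", "ad"), ("revoke_all_entitlements", event.employee_id)]
    return actions


def run(previous, current, prev_date, cur_date):
    """Return {employee_id: (event kind, actions)} for one reconciliation run."""
    return {ev.employee_id: (ev.kind, plan_actions(ev))
            for ev in detect_events(previous, current, prev_date, cur_date)}


if __name__ == "__main__":
    for eid, (kind, actions) in run(HR_PREVIOUS, HR_CURRENT, "2024-05-30", "2024-05-31").items():
        print(eid, kind, actions)
```

Two design points worth noting: a departure is detected both when a known end date is reached and when a person silently disappears from the feed, because real HR extracts do both; and a transfer does not only swap birthright rights but also opens a review of whatever the mover keeps, which is where accumulated access usually hides.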
Authorization management
Authorization management involves reading, analyzing, and writing the application accounts that identities hold in the customer's IS, through a connector between the IGA solution and each application. The connector reads the application's accounts and correlates them with existing identities: each account is attached to the identity it belongs to, and an account that matches no identity (an orphan account, often left behind by a departure or created outside the process) is flagged for investigation. The objects read from the application (accounts, groups, rights, etc.) are stored in the IGA solution and make up the application catalog.
Connectors read from and write to applications. The IGA solution can push updates by writing directly to the application. Writing is either automatic, through processes triggered by events, or manual: the people concerned are notified by email of the tasks to perform so that the application is brought up to date, and the solution keeps the action open until a subsequent read of the application confirms it was carried out.
IGA also governs the authorizations granted within the company, and compliance policies are defined for that purpose.
Defining roles, that is, bundles of entitlements assigned to identities on the basis of shared characteristics such as job title or department, simplifies both the assignment of access rights and their later review.
Mechanisms such as SoD (Segregation of Duties) automatically check the consistency of current authorizations and flag anomalies. SoD is expressed as combinations of access rights that must never be held together (for example, being able to create a supplier and to approve payments to that supplier). The solution detects prohibited combinations and, depending on what has been decided, either flags them or corrects them.
These policies drive the automatic granting and revocation of authorizations, and raise alerts in the event of non-compliance.
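The correlation and SoD steps above, as an added example (not the author's code and not any vendor's connector). It correlates constructed application accounts with identities using per-application matching rules, reports orphan accounts (singling out the privileged ones), and evaluates an SoD rule set over the entitlements each identity effectively holds. Attribute names, the correlation rules, the SoD rules and the sample data are assumptions for the illustration.

```python
from collections import defaultdict

# Constructed identity repository (not real data): the attributes correlation can match on.
IDENTITIES = {
    "E100": {"email": "ana.silva@example.com", "login": "asilva"},
    "E101": {"email": "ben.rao@example.com", "login": "brao"},
    "E102": {"email": "chloe.dubois@example.com", "login": "cdubois"},
}

# Constructed application catalog, as a connector would read it: per application, each
# account with its native identifier, attributes and group memberships.
APPLICATIONS = {
    "erp": [
        {"id": "asilva", "mail": "ana.silva@example.com", "groups": ["ap_create_vendor", "ap_pay_invoice"]},
        {"id": "brao", "mail": "ben.rao@example.com", "groups": ["report_reader"]},
        {"id": "svc_batch", "mail": None, "groups": ["ap_pay_invoice"]},   # service account, no owner
    ],
    "ad": [
        {"id": "CDUBOIS", "mail": "Chloe.Dubois@example.com", "groups": ["Domain Users", "Purchasing-Approvers"]},
        {"id": "asilva", "mail": "ana.silva@example.com", "groups": ["Domain Users"]},
        {"id": "jdoe_old", "mail": "john.doe@example.com", "groups": ["Domain Admins"]},  # left the company
    ],
}

# Assumed correlation rules per application, tried in order:
# (account attribute, identity attribute, compare case-insensitively?)
CORRELATION_RULES = {
    "erp": [("id", "login", False), ("mail", "email", True)],
    "ad": [("mail", "email", True), ("id", "login", True)],
}

# Assumed SoD policy: combinations of entitlements ("app:group") that must never be held together.
SOD_RULES = {
    "create_vendor_and_pay_it": {"erp:ap_create_vendor", "erp:ap_pay_invoice"},
    "buy_and_approve_purchases": {"erp:ap_create_vendor", "ad:Purchasing-Approvers"},
}

# Groups whose orphan accounts deserve immediate attention (assumed list).
PRIVILEGED_GROUPS = {"ad:Domain Admins"}


def _norm(value, fold):
    return value.lower() if fold and isinstance(value, str) else value


def correlate(identities, applications, rules):
    """Attach every application account to an identity.

    Returns (entitlements, orphans): entitlements maps identity id -> set of
    "app:group" it effectively holds; orphans lists (app, account id, groups)
    for accounts no identity claims."""
    entitlements = defaultdict(set)
    orphans = []
    for app, accounts in applications.items():
        # One lookup table per rule, so correlation stays linear in accounts + identities.
        indexes = [(acct_attr, fold, {_norm(idn[id_attr], fold): eid for eid, idn in identities.items()})
                   for acct_attr, id_attr, fold in rules[app]]
        for account in accounts:
            owner = None
            for acct_attr, fold, index in indexes:
                key = _norm(account.get(acct_attr), fold)
                owner = index.get(key) if key is not None else None
                if owner:
                    break
            groups = {f"{app}:{g}" for g in account["groups"]}
            if owner is None:
                orphans.append((app, account["id"], groups))
            else:
                entitlements[owner] |= groups
    return dict(entitlements), orphans


def sod_violations(entitlements, rules):
    """(identity, rule name) for every identity holding a complete prohibited combination."""
    return {(eid, name) for eid, held in entitlements.items()
            for name, combo in rules.items() if combo <= held}


def privileged_orphans(orphans, privileged=PRIVILEGED_GROUPS):
    """Orphan accounts that hold a privileged group: review these first."""
    return [(app, acct) for app, acct, groups in orphans if groups & privileged]


if __name__ == "__main__":
    ents, orphans = correlate(IDENTITIES, APPLICATIONS, CORRELATION_RULES)
    print("orphans:", [(a, i) for a, i, _ in orphans])
    print("privileged orphans:", privileged_orphans(orphans))
    print("SoD violations:", sod_violations(ents, SOD_RULES))
```

Note that the SoD check runs over entitlements aggregated across applications, not per application: the two halves of a toxic combination often live in different systems. The two orphans also call for different handling: the service account needs an owner assigned, the ex-employee's admin account needs disabling, so an orphan is a finding to triage rather than something to delete blindly.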
Analytics
The analytics component addresses several requirements:

IGA analysis requirements
Data analysis features take the form of reports and searches, among others. Reports and dashboards are used, for example, to track actions or count objects. They can be long and comprehensive, meant for studying figures, or short and concise, meant for traceability and information.
Searches are configured by the customer directly in the graphical interface and give a quick overview of the identities, accesses, and authorizations held in the solution.
A key focus of IGA is control of the effective authorization model, that is, who actually holds what. Certification campaigns let reviewers (typically managers or application owners) confirm or revoke the access rights held by identities. Campaigns can be configured in great detail, so that they closely match the customer's needs.
When a discrepancy between the intended model and what the solution actually holds is confirmed, accounts, identities, and authorizations can be reconciled manually; the solution is then extended with rules that account for the special cases observed, so that the same discrepancy is handled automatically next time.
These tools, combined with the centralization of identities in a single repository, provide a comprehensive and up-to-date view of the company's identity and access data.
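The certification and reconciliation mechanism, as an added example (not the author's code and not any vendor's campaign engine). From a constructed role model and the entitlements read back from applications, it builds a manager-based certification campaign that separates rights explained by a role from unexplained exceptions, reports provisioning drift (role-granted rights the applications do not show), and turns reviewers' decisions into revocations while keeping undecided items open. The role model, the data and the decision vocabulary are assumptions.

```python
# Constructed identity repository (not real data): manager and assigned roles.
IDENTITIES = {
    "E100": {"manager": "E001", "roles": ["finance_clerk"]},
    "E101": {"manager": "E002", "roles": ["developer"]},
    "E102": {"manager": "E001", "roles": ["buyer"]},
}

# Assumed role model: each role grants a fixed set of entitlements ("app:group").
ROLES = {
    "finance_clerk": {"erp:ap_pay_invoice", "ad:Domain Users"},
    "developer": {"gitlab:developer", "ad:Domain Users"},
    "buyer": {"erp:ap_create_vendor", "ad:Domain Users"},
}

# Effective entitlements as read back from the applications (constructed).
ACTUAL = {
    "E100": {"erp:ap_pay_invoice", "ad:Domain Users", "erp:ap_create_vendor"},  # one right outside any role
    "E101": {"gitlab:developer"},                                              # missing a role-granted right
    "E102": {"erp:ap_create_vendor", "ad:Domain Users"},
}


def expected_for(identity, roles=ROLES):
    """Entitlements the role model says this identity should hold."""
    return set().union(*(roles[r] for r in identity["roles"]))


def build_campaign(identities, actual):
    """Group every effectively held entitlement under its reviewer (the manager).

    Each item is tagged 'role' if a role explains it or 'exception' if it was
    granted outside the model; exceptions are where reviewers should look hardest."""
    campaign = {}
    for eid, idn in identities.items():
        expected = expected_for(idn)
        for ent in sorted(actual.get(eid, set())):
            campaign.setdefault(idn["manager"], []).append(
                {"identity": eid, "entitlement": ent,
                 "basis": "role" if ent in expected else "exception"})
    return campaign


def drift(identities, actual):
    """Role-granted entitlements the applications do not actually show: drift to re-provision."""
    missing = {eid: sorted(expected_for(idn) - actual.get(eid, set()))
               for eid, idn in identities.items()}
    return {eid: ents for eid, ents in missing.items() if ents}


def apply_decisions(campaign, decisions):
    """decisions: {(identity, entitlement): "approve" | "revoke"}.

    Returns (revocations to provision, items still undecided). An item without a
    decision is never treated as approved: the campaign stays open until it is."""
    revokes, pending = [], []
    for reviewer, items in campaign.items():
        for item in items:
            key = (item["identity"], item["entitlement"])
            decision = decisions.get(key)
            if decision == "revoke":
                revokes.append(key)
            elif decision is None:
                pending.append((reviewer,) + key)
    return revokes, pending


if __name__ == "__main__":
    campaign = build_campaign(IDENTITIES, ACTUAL)
    for reviewer, items in campaign.items():
        print(reviewer, [(i["identity"], i["entitlement"], i["basis"]) for i in items])
    print("drift:", drift(IDENTITIES, ACTUAL))
```

The exception tag is the practical payoff: a reviewer faced with dozens of role-explained rights will rubber-stamp them, so the campaign should make the handful of rights outside the model stand out. Silence is deliberately not consent; a missing decision is reported as pending rather than counted as an approval.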
IGA careers
An IGA project may involve creating a solution, but also upgrading, maintaining, or developing an existing solution that is already integrated.
IGA projects are fairly long: integrating an IGA solution into an IT system can take anywhere from a few months to over a year. The IT system must be fully understood, the solution customized to the company's needs and policies, and the application portfolio connected to the new solution. Everything depends on the target company: medium or high security requirements, number of users and applications, how much IGA groundwork has already been done, etc.
IGA is a vast and complex field: the diversity of clients, IS, and available features makes each project different from the last and enriching.
Functional thinking
IGA professions have a functional aspect: discussing with the client, advising, understanding the technical requirements they express, and transferring skills once the solution has been implemented so that it can be used in the best possible conditions. Correcting internal organizational shortcomings, adding best practices, and functional reflection are necessary for the integration of a secure IGA solution.
On the other hand, these professions have a technical aspect: the development, implementation, and integration of a solution that meets the established specifications.
The technical aspect is inherent to cybersecurity professions. While all areas of cybersecurity require functional consideration, IGA stands out due to the complexity and diversity of the features and aspects that must be taken into account before even beginning integration or development.
Change management
IGA requires finding a compromise between the customer's needs and the features available in the chosen solution. One aspect of this compromise lies in change management at the customer's end, i.e., asking the customer to modify their organization and practices for the benefit of the proposed IGA solution. Defining the necessary change, defending it, and implementing it is one of the challenges of IGA (and IAM more broadly).
Integrating an IGA solution into an IT system that has never had one can lead to a few challenges: some customers have never considered certain features or need to completely overhaul their operations to comply with best practices.
Adapting interfaces to what is already being done in the IS and creating processes similar to existing ones is one way to simplify change management for the customer.
The culture of the client company is a determining factor in implementing change in an information system. Some companies operate through obligation: new rules and processes are developed, explained, and defended to the teams, who then have no choice but to comply.
Some companies operate on a proposal basis: the IGA solution is integrated into part of the application pool, with the old processes continuing to exist. The solution is explained and promoted within the company, and then the teams decide whether or not to connect their applications to the solution and use the new processes. This approach is based on the idea that if the solution really does save time and improve security and efficiency, the teams will adopt it of their own accord. There is a whole spectrum of corporate cultures between these two examples.
Vendor training courses
IGA solutions are all different, even if their functional scope is similar. Starting a new project therefore requires training on the vendor's solution being used.
Vendors offer training courses to help users get to grips with their solutions and quickly build skills. Some also offer certifications at several levels. This saves significant time when starting a project and is an asset when applying for other IGA projects. For beginners, it gives an in-depth understanding of the challenges of IGA and of the solution's features. For experts, it reveals ways to customize the solution and combine its features.
The largest vendors also have active communities and forums that enable continuous knowledge sharing. These are a gold mine for testing functional hypotheses, overcoming technical obstacles, and saving development time.
Marianne Faure
Cybersecurity Consultant