Tea Towels & Towels: The Differences Between Identity Governance and Access Management


When people talk about identity and access management, they often cover only part of the story. They focus on the A of IAM (Identity and Access Management), i.e. access management, the process that lets users get into tools, systems and applications, and they stop at the door, leaving the window open.

Without the I in IAM, the governance of identities, every access becomes a potential vulnerability. You have ticked a box saying that this user is authorized to come through your front door, but you have given them no rules to respect during their visit: nothing tells them that they must pay for any damage they cause, or that the lights go out at 11 p.m. Without identity governance in place you cannot answer the question "should they have access?"; you only know that they can, and that is all.

Identity governance is clearly an integral part of the IAM process as a whole, but those who believe they have an "identity solution" often only handle the access management part without addressing the whole problem.

Bound together like two fingers of the same hand

Technology has become so ubiquitous in the corporate world that we all now accept the need to control who has access to our systems. Adopting identity governance can help your organization comply with regulations, reduce costs, improve the user experience and make your employees more efficient. And none of this matters if your users' access is not secured, with access rights aligned with your company's security policy.

But what do we mean when we use the words "identity" and "access"? The two are closely linked, but rest on very different processes.

In the digital world, identity refers to the unique data and attributes that distinguish one user from another. These attributes can include job function, role in the organization, position in the hierarchy, and even parameters such as seniority and location, depending on the rules set for configuring identities. This digital identity is established when you are registered in a system: your attributes are collected and stored in the system's directory or database.

Access decisions, on the other hand, answer direct yes/no questions: can this identity get into this place? When we present a username or email address together with a password, those credentials are checked against what the system has stored for that identity, and the answer comes back as "yes", this identity is allowed in, or "no", it is not.

Without matching identities to access rights, the organization can end up saying "yes" to everyone for everything. The result is users whose access rights go far beyond what they need for their daily work, in other words over-provisioned rights, and if one of those accounts is compromised the attacker inherits every one of those rights and the window is wide open onto all your systems.

Set the parameters for identity access and authorization

Governance is no longer a nice-to-have, and having an access management policy on its own is no longer sufficient. Think of it like this: a security badge lets you into a building, but it does not say which floor you should go to or which doors you may knock on, nor does it verify that the badge is really yours. When your authorization process stops at the yes/no question, you not only let anyone into your building, you give them access to every office and conference room, and to the server room as well.

Many companies think they "manage identities" when all they actually do is grant access. Worse, some of them know they must do more by developing identity governance processes, but never get around to it for lack of time. Yet many intrusions start from a single compromised user account: an identity whose access was authorized without a second thought and which ended up causing a disaster.

So we need a process that establishes the user's identity in order to decide whether they should have access or not. Today that identity is usually proven with a username and a password, but we can add biometrics such as facial recognition and fingerprint readers, and security tokens, to make credentials much harder for anyone else to copy or replay.

Identity management can however be more complex to implement in larger companies; there it can proceed by assigning identities to groups such as a department or a site, then defining roles for those groups to determine which access each of them should be granted.

Once the user's identity is authenticated, access control takes over. Authentication only establishes who the user is; the authorization step then evaluates that identity's attributes and entitlements against policy and makes the yes/no decision.

Establishing this process should involve every internal stakeholder with an interest in protecting corporate data and privacy, which means breaking down the barriers between IT security, technical support, the teams responsible for compliance and audit, and everyone else who has a say in access rights. A process can then be put in place that covers everything that happens when an employee joins the organization, changes job or site, or leaves the company.

How automation bridges the gap between identity governance and access management

Identity and access management establishes one digital identity per individual, which can then be maintained, modified and controlled throughout the user's life cycle. But this can be an extremely laborious and resource-intensive process if done manually.

Suppose it is the IT team's job to authenticate and establish identities for every new hire, to keep controlling access and making the necessary adjustments as those users move through the organization, and then to close accounts when they leave the company. The technical support person will also have to handle other requests, such as resetting forgotten passwords or solving more complex access problems, on top of their other tasks within the IT department. They will not have time to pay much attention to identities, and are probably not the best person to decide whether Marc should have access to approve expense reports: they will simply establish the identity and give him whatever access rights seem appropriate.

By bringing all the stakeholders together to set policies and processes in advance, you can make IT's life a little easier. Automation can answer the yes/no access question from the rules and policies defined at the central access point, reducing the IT team's workload and leaving it free to concentrate on identity governance, including the decisions that authorize access to specific applications or sensitive data.
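The following Python sketch is an added example, not code from the article or from any product it describes. It ties together the pieces discussed above: identities carry attributes, policy maps those attributes to roles and roles to entitlements (the group and role assignment described earlier), access management answers "can this identity do X?" from what is actually provisioned, governance answers "should it?" from policy, and a reconciliation step handles joiners, movers and leavers. Every department, job, role and entitlement name is constructed sample data, as is the user "Marc" from the expense-report scenario.

```python
"""Added example: a minimal identity-governance model in plain Python.

Constructed sample data throughout: departments, jobs, roles and
entitlement names are hypothetical and exist only for this illustration.
"""
from dataclasses import dataclass, field

# Policy, part 1: which entitlements each role grants.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"expense:view", "expense:submit"},
    "finance-manager": {"expense:view", "expense:submit", "expense:approve"},
    "it-helpdesk": {"directory:read", "password:reset"},
}

# Policy, part 2: which roles an identity's attributes (department, job) map to.
ATTRIBUTE_ROLES = {
    ("finance", "analyst"): {"finance-analyst"},
    ("finance", "manager"): {"finance-manager"},
    ("it", "helpdesk"): {"it-helpdesk"},
}


@dataclass
class Identity:
    """Attributes collected at registration, plus what is actually provisioned."""
    user: str
    department: str
    job: str
    status: str = "active"                     # "active" or "left"
    granted: set = field(default_factory=set)  # entitlements live in the systems


def entitled_by_policy(identity):
    """Governance view: what this identity SHOULD hold, derived from policy."""
    if identity.status != "active":
        return set()
    roles = ATTRIBUTE_ROLES.get((identity.department, identity.job), set())
    ents = set()
    for role in roles:
        ents |= ROLE_ENTITLEMENTS[role]
    return ents


def can_access(identity, entitlement):
    """Access-management question: CAN the identity do this? (what is provisioned)"""
    return entitlement in identity.granted


def should_access(identity, entitlement):
    """Governance question: SHOULD the identity be able to do this? (what policy says)"""
    return entitlement in entitled_by_policy(identity)


def review(identity):
    """Access review: where provisioned rights and policy diverge."""
    should = entitled_by_policy(identity)
    return {"excess": identity.granted - should, "missing": should - identity.granted}


def reconcile(identity):
    """Joiner/mover/leaver provisioning: make granted rights match policy.
    Returns (revoked, added) so the change can be logged and audited."""
    should = entitled_by_policy(identity)
    revoked = identity.granted - should
    added = should - identity.granted
    identity.granted = set(should)
    return revoked, added


def lifecycle_demo():
    """Walk one identity through joiner -> drift -> mover -> leaver."""
    out = {}
    marc = Identity("marc", "finance", "analyst")
    _, out["joiner_added"] = reconcile(marc)  # analyst rights provisioned on joining

    # Drift: helpdesk hands out the approval right on request, outside policy.
    marc.granted.add("expense:approve")
    out["can_approve"] = can_access(marc, "expense:approve")        # access management says yes
    out["should_approve"] = should_access(marc, "expense:approve")  # governance says no
    out["review"] = review(marc)                                    # flags the excess right

    # Mover: promotion to manager makes the approval right legitimate.
    marc.job = "manager"
    reconcile(marc)
    out["should_approve_after_move"] = should_access(marc, "expense:approve")

    # Leaver: status change strips everything on the next reconciliation.
    marc.status = "left"
    out["leaver_revoked"], _ = reconcile(marc)
    out["final_granted"] = set(marc.granted)
    return out


if __name__ == "__main__":
    for key, value in lifecycle_demo().items():
        print(f"{key}: {value}")
```

The point of keeping `can_access` and `should_access` separate is that an access check alone will happily say "yes" to the drifted approval right; only `review` (the periodic access review) or `reconcile` (run on every joiner, mover and leaver event) closes the gap, and the `(revoked, added)` tuple is what you would write to the audit log.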

Not only that, but automating identity governance and access management can raise the security of applications and organizational processes. Users often do not have the best security habits, reusing the same password across several systems for example, so identity governance helps your IT team track, monitor and control the accounts that have access to sensitive information, while protecting that data with authentication that goes beyond the username and password pair.

Identity governance and access management are both critical to letting a user reach information securely, but it is the identity governance part that lets you keep control of your systems and give your users the right access at the right time.

Source: www.globalsecuritymag.fr
