I had the privilege of doing a well-received podcast with rThreat, with Daniela Applegate as host, titled "Strengthening Your IAM Program with IGA."
I gladly accepted the invite to talk on a subject which I am passionate about at YouAttest. IGA, Identity Governance and Administration, is often seen as an afterthought to the functionality of an IAM (Identity and Access Management) deployment. I will highlight some of the key points of the podcast.
First of all, what is IGA?
IGA is the process of governance around the functionality of IAM. That is, with IAM we store the users, create the groups, provide the access, and integrate authentication and SSO into the workflow.
Governance covers why these actions were implemented and who implemented them. And governance is what the compliance measures are looking for – documentation on the who/why/when of identity access control.
Why is IGA often forgotten?
The reason is that, as trained engineers, our brains and thus our attention tend toward IAM – the functionality of applying an identity to a process. But governance is key – to both security and compliance – to quantify and thus document who provided these accesses and why the authorization and privileges were allowed.
For engineers, process is often an afterthought – as functionality reigns supreme.
But this doesn’t cut it for compliance – process is paramount. And thus IGA becomes the afterthought when the audit team comes and nags the IAM folks.
What are the Pitfalls of IGA? Why is Strengthening Your IAM Program with IGA Important?
By implementing IGA after the IAM is completed, we can almost guarantee that the IGA implementation will be clunky. This may or may not be the fault of the IGA tool or process chosen – but it is certainly the fault of the process for deciding what the IGA solution will be.
The following aspects of IGA must be considered when IGA is chosen:
- Identity access request/approval?
- Business and System Managers
- Attestation of key privilege group
- Not just periodic – but at time of change
- Attestation of key security changes
- Periodic Access Reviews
- Delegated to manager
- Business and System Reviewers
- Ability for reviewer to:
  - Approve, Revoke or Delegate
  - Make notes
How Can IGA Improve Enterprise Security?
Repeatable processes improve security: processes that can be itemized, inspected and audited. This is the hallmark of a good IGA program – full transparency – for the external auditors, for fellow team members and for the admins themselves.
A well-governed program also means a well-managed program. Processes are in place, which means the admins are not wasting their time going back to obtain change events, logs and screenshots for their auditors. The time that legitimate security personnel spend on gathering these records goes into the hundreds of hours a year. And the compliance work needs to be done – else the product or service may not be marketable. But the hours a security engineer spends on gathering records for an audit are hours NOT spent researching an incident alert, installing a patch or remedying a vulnerability.
What is the Common Gap in Most IGA Programs?
The biggest mistake of most IGA programs is not to have one, let alone to be strengthening your IAM program with IGA. The next is not to have thought about how the IGA program can be integrated into the IAM program, and thus marry functionality and process – and execute both at the same time.
In this manner, the functionality is executed and security is ensured by the compliance process being part and parcel of every identity and access modification.
What Advantages does YouAttest bring to the IGA Space?
YouAttest integrates directly into your IAM product to enable a seamless IAM/IGA integration. It can become the access approval, alerting and review system for your identities, thus making IGA a part of every IAM action – improving security and saving hundreds of hours for your security personnel.
YouAttest is an automated identity audit tool for Okta, AD and other resources. Cloud-based and simple to use, YouAttest provides a quantified platform for your identity audits. Schedule an appointment with a YouAttest identity audit professional. We hope this article helped you understand IGA. If you feel we missed anything in the article “Strengthening Your IAM Program with IGA”, please write back to us so we can update it accordingly.