
Blog - IGA VS AM VS PAM.


Detailed Comparison: Identity Governance vs. Access Management vs. Privileged Account Management

Definition

IGA: Identity Governance and Administration (IGA) refers to a comprehensive set of policies, processes, and technologies aimed at managing the lifecycle of identities within an organization. It ensures that the right individuals have the appropriate access to resources based on their roles and responsibilities, while also maintaining compliance with legal and regulatory requirements. IGA is often intertwined with compliance auditing and role-based access control (RBAC).

AM: Access Management (AM) involves the implementation of processes and technologies designed to control who can access what resources, when, and how. AM focuses on ensuring the right individuals can securely access resources and services. It includes managing user authentication, authorization, and access enforcement via tools like Single Sign-On (SSO) and Multi-Factor Authentication (MFA).

PAM: Privileged Account Management (PAM) is a subset of identity management that specifically focuses on securing and controlling privileged accounts, which are accounts with higher levels of access (such as system administrators or root users). PAM tools monitor, manage, and restrict access to these critical accounts, ensuring that only authorized users can perform sensitive operations while mitigating the risks of insider threats or cyberattacks.

Primary Goal

IGA: The primary goal of IGA is to ensure identity-related processes are both efficient and secure by enforcing the right access policies throughout the identity lifecycle. This includes onboarding, role-based access assignment, and ensuring compliance across user access permissions.

AM: AM's primary goal is to provide secure and seamless access to resources by verifying and authenticating users based on their credentials. It aims to prevent unauthorized access through strong authentication mechanisms and access policies.

PAM: PAM's main goal is to protect and audit the use of privileged accounts. By controlling these high-level accounts, PAM ensures that sensitive systems are not compromised and that any use of these accounts is tracked, monitored, and secured to prevent abuse.

Key Components

IGA:
  • Identity Lifecycle Management: Automating the processes of user provisioning and de-provisioning, ensuring that when someone leaves or changes roles, their access is immediately adjusted.
  • Role-Based Access Control (RBAC): Defining roles within the organization and assigning permissions based on job functions and responsibilities.
  • Compliance and Auditing: Tracking access and user activity to ensure compliance with regulations such as GDPR, HIPAA, and SOX.
  • Self-Service and Access Requests: Allowing users to request access and manage their own profiles within predefined policies.

AM:
  • Authentication: Verifying user identities through passwords, biometrics, or Multi-Factor Authentication (MFA).
  • Authorization: Determining if a user has the necessary permissions to access specific resources, often using tools like Access Control Lists (ACLs).
  • Session Management: Controlling and monitoring user sessions, enforcing session timeouts, and logging all activity for auditing purposes.
  • Federation and SSO: Enabling users to authenticate once and gain access to multiple systems without repeated logins.

PAM:
  • Privileged Account Vaulting: Storing privileged account credentials securely to prevent unauthorized access.
  • Access Controls: Enforcing the principle of least privilege to ensure privileged accounts only have the minimum required access.
  • Session Recording: Monitoring and recording privileged account sessions to detect abnormal activities or potential misuse.
  • Audit Trails: Generating detailed logs of all privileged access to systems, applications, and data for compliance and forensic investigations.

Use Cases

IGA:
  • Automating the process of onboarding new employees and granting them the appropriate access to systems.
  • Ensuring that access is compliant with regulatory frameworks like SOX, HIPAA, or PCI-DSS.
  • Controlling user permissions and roles across an organization to avoid the risk of over-provisioning and ensure least-privilege access.
  • Auditing and reviewing user access rights regularly to ensure compliance and proper governance.

AM:
  • Granting employees and partners access to applications based on their roles (e.g., HR staff access to payroll systems).
  • Implementing SSO to streamline user access to multiple cloud services and internal applications.
  • Enforcing strong authentication methods (like MFA) for accessing sensitive or critical systems.
  • Enabling user identity federation across different systems and services to simplify access management.

PAM:
  • Securing system administrator access to critical infrastructure such as servers, databases, and network devices.
  • Preventing unauthorized access to sensitive data and critical systems by controlling elevated user privileges.
  • Monitoring activities of privileged users to detect misuse or breaches, such as using privileged accounts for non-business purposes.
  • Automating the process of rotating privileged account passwords to ensure they are never exposed for longer than necessary.

Security Risks Addressed

IGA:
  • Mitigates the risk of inappropriate access by ensuring that only authorized individuals can access sensitive data and applications.
  • Prevents user identity theft or impersonation by providing strong authentication controls.
  • Reduces the complexity of managing large-scale access across complex environments, complexity that would otherwise increase the risk of human error or mismanagement.

AM:
  • Prevents unauthorized access to sensitive resources by ensuring that only verified individuals can access critical systems.
  • Minimizes the risk of account compromise via MFA and SSO technologies.
  • Protects user credentials through strong password policies and centralized authentication systems.

PAM:
  • Prevents the misuse of privileged accounts by ensuring that only authorized individuals can access and perform sensitive operations.
  • Protects against insider threats by monitoring and auditing activities of privileged users in real time.
  • Reduces the potential for a security breach from a compromised privileged account.

Example Tools

IGA:
  • SailPoint
  • Okta Identity Governance
  • Microsoft Identity Manager
  • IBM Security Identity Governance and Intelligence

AM:
  • Okta
  • OneLogin
  • Ping Identity
  • Auth0

PAM:
  • CyberArk
  • BeyondTrust
  • Thycotic
  • Varonis
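To make the IGA column concrete, here is an added illustration (not code from any of the tools above) of the joiner/mover/leaver lifecycle driven by RBAC, plus the periodic access review that flags over-provisioned entitlements no current role justifies. The role names, entitlements and users are constructed sample data.

```python
"""Joiner/mover/leaver handling with RBAC and a periodic access review.

Added illustration for the IGA column; not code from any product.
Role names, entitlements and users are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed role model: each role justifies exactly this set of entitlements.
ROLES = {
    "hr_staff": {"payroll:read", "hris:read"},
    "hr_manager": {"payroll:read", "payroll:approve", "hris:read", "hris:write"},
    "engineer": {"git:read", "git:write", "ci:run"},
}


@dataclass
class Identity:
    user: str
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)
    active: bool = True


def joiner(user: str, role: str) -> Identity:
    """Onboarding: provision only the entitlements the assigned role justifies."""
    return Identity(user, {role}, set(ROLES[role]))


def mover(ident: Identity, new_role: str) -> set:
    """Role change: replace the old role's access with the new role's set.
    Returns the entitlements that were revoked, so the audit log can record them."""
    before = set(ident.entitlements)
    ident.roles = {new_role}
    ident.entitlements = set(ROLES[new_role])
    return before - ident.entitlements


def leaver(ident: Identity) -> None:
    """Offboarding: disable the identity and strip every entitlement immediately."""
    ident.active = False
    ident.roles.clear()
    ident.entitlements.clear()


def access_review(ident: Identity) -> set:
    """Certification check: entitlements held that no current role justifies
    (over-provisioning, e.g. an ad hoc grant that was never cleaned up)."""
    justified = set().union(*(ROLES[r] for r in ident.roles)) if ident.roles else set()
    return ident.entitlements - justified
```

A real IGA deployment reads the role model and entitlements from connected systems; the review logic is the same set difference.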

Written by Ajay Gaur