The Three Branches of Identity Governance


In addition to COVID, 2020 has also happened to be an election year. With US elections mostly completed and the US government in transition – whatever the outcome – consideration of government and governance is certainly top of mind for everyone at this time.

Looked at from a certain angle, best of breed Identity Governance & Administration (IGA) works very much like modern forms of government. There is the governance model itself, which functions like a legislature. There are in-time business decisions and interpretations of the governance model, which provide a judicial-like function. And then there is the execution of both the governance model and those in-time business decisions, which keeps the business running efficiently within the bounds of the other two functions while also addressing risk and compliance.

Building an IGA program that properly addresses all three functions keeps businesses in check with respect to risk and compliance while providing efficiency, agility and velocity to the business. Implementing IGA without access to all three functions often leads to inefficiencies and can greatly elevate the risk profile of the business.

The Legislative: The Governance Model

Most legislatures of the world create, modify, repeal and ratify laws which govern their constituents. Most legislatures do so through some form of constituent representation. Laws form a model from which justice, safety and well-being can be judged, arbitrated and enforced.

IGA works on exactly the same principles. Without a codified governance model, nothing exists upon which judgements can be made or rules can be enforced. Codifying how the business should run, in terms of the permissions, policies, roles and entitlements that are allowed or necessary, who may access which applications, and which identities and which access are valid and certified, forms the foundation upon which the business expects not only to run but to stay safe and healthy in terms of risk and compliance (the latter of which is really just another form of risk to the business).

Additionally, and ideally, the governance model should be built with good business representation, including business executives and leadership, application owners, technical subject matter experts (SMEs), and even customer input and representation. This means IGA can’t be technology-centric. Best of breed IGA must be business-centric and business-focused in its functions, user interface (UI) and user experience (UX).

The Judicial: Access Requests, Roles, Certifications & Workflows

Judiciaries in the real world often exist to provide flexibility, interpretation and arbitration in light of a body of codified laws. Exceptions exist. Questions about laws arise. Infractions invoke judgements and require remediations.

Central to IGA is the governance model. It provides a basis for judgement. Yet businesses are dynamic. They bend and flex and live and breathe based on changes within the business climate. Individuals who have responsibilities go on vacation or take parental or academic leave. Individuals are promoted or move about in organizations. Identities and access not only undergo broad lifecycle changes such as joining, moving within or leaving the organization, but experience nuance as well, such as subtle changes in roles or permissions.

IGA therefore must provide room for the business to judge, interpret and arbitrate in real time. IGA must allow individuals to request, have approved and receive access to applications or to necessary roles and permissions. The business should periodically review and certify access, with the process informed by gathered intelligence and expressed in business terms and a common language. Approvals, notifications, exemptions and exceptions, along with the captured and recorded reasons and rationale for these business decisions, are all part of interpreting and arbitrating identity governance in the context of a running business, in a way that provides efficiency, agility and velocity to the business.

The Executive: Enforcing the Governance Model & Executing the Business Decisions

Finally, in the real world, once laws are created and ratified and judgements are made in real time in light of those laws, those laws and judgements need to be enforced. No one wants to live in a “paper tiger” society where justice and safety exist “on paper” but can’t be enforced or ensured.

Unfortunately, many IGA systems are “paper tigers.” They can codify a governance model and perhaps even provide some flexibility with regard to paper trail and manual workflows. But in reality, they are incapable of actually enforcing the governance model and the decisions of the business down to and through the actual technology systems and applications upon which the business depends in real time.

A best of breed IGA system provides executive function through broad integration with the technology platforms within the business and through authoritative automation. These are necessary to ensure that identities, access, roles, permissions and entitlements stay in line with both the governance model and any in-time judgements the business has made, giving those systems a real-time, risk-managed posture.
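The three functions described in the sections above can be sketched as policy-as-code. The following is an added example written for this page; it is not SailPoint's code and not from the original post. The role-to-entitlement model, the separation-of-duties rules, the users and the single recorded exception are all constructed for illustration. The "legislative" part is the codified model, the "judicial" part is the exception record with an approver and a rationale, and the "executive" part is the reconciliation that computes revocations and pushes them into a simulated connected system rather than only producing a report.

```python
"""Policy-as-code sketch of the three IGA functions described in the post.

Added example; not SailPoint's code and not from the original article. All
users, roles, entitlements, rules and the exception record are constructed.
"""
from dataclasses import dataclass, field

# --- Legislative: the codified governance model (constructed data) ---------
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "ap_clerk":    {"erp:create_vendor", "erp:enter_invoice"},
    "ap_approver": {"erp:approve_payment"},
    "dba":         {"db:prod_admin"},
    "analyst":     {"bi:read_reports"},
}
# Separation-of-duties rules as (request side, approval side). One identity
# may not hold both sides unless the business has recorded an exception.
SOD_RULES: list[tuple[str, str]] = [
    ("erp:create_vendor", "erp:approve_payment"),
    ("erp:enter_invoice", "erp:approve_payment"),
]


@dataclass
class Identity:
    user: str
    roles: set[str]
    direct: set[str] = field(default_factory=set)  # granted outside any role
    active: bool = True


# --- Judicial: a recorded business decision with approver and rationale ----
@dataclass(frozen=True)
class AccessException:
    user: str
    entitlement: str
    approver: str
    rationale: str


def effective_entitlements(idn: Identity) -> set[str]:
    """Role-derived plus directly assigned entitlements."""
    ents = set(idn.direct)
    for role in idn.roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def compute_actions(identities, exceptions) -> dict[tuple[str, str], str]:
    """Reconcile identities against the model; return (user, entitlement) -> reason to revoke."""
    approved = {(e.user, e.entitlement) for e in exceptions}
    revoke: dict[tuple[str, str], str] = {}
    for idn in identities:
        ents = effective_entitlements(idn)
        if not idn.active:                      # leaver: everything goes
            for ent in ents:
                revoke[(idn.user, ent)] = "identity inactive (leaver)"
            continue
        modeled = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in idn.roles))
        for ent in idn.direct - modeled:        # access the model never granted
            if (idn.user, ent) not in approved:
                revoke[(idn.user, ent)] = "outside governance model, no approved exception"
        for req_side, appr_side in SOD_RULES:   # toxic combinations
            if req_side in ents and appr_side in ents:
                if (idn.user, appr_side) in approved or (idn.user, req_side) in approved:
                    continue                    # the business arbitrated this one
                # Convention here: strip the approval side; keep the first reason recorded.
                revoke.setdefault((idn.user, appr_side), f"SoD: holds {req_side} and {appr_side}")
    return revoke


# --- Executive: push the decisions into the target system ------------------
def apply_actions(target: dict[str, set[str]], actions) -> int:
    """Remove revoked entitlements from a (simulated) connected system; return count removed."""
    removed = 0
    for user, ent in actions:
        if ent in target.get(user, set()):
            target[user].discard(ent)
            removed += 1
    return removed


def run_example():
    identities = [
        Identity("alice", {"ap_clerk"}, direct={"erp:approve_payment"}),
        Identity("bob", {"ap_clerk", "ap_approver"}),
        Identity("carol", {"analyst"}, direct={"db:prod_admin"}, active=False),
        Identity("dave", {"dba"}),
    ]
    exceptions = [AccessException("bob", "erp:approve_payment", "cfo",
                                  "two-person AP team; compensating monthly payment audit")]
    # Simulated state of the connected system before enforcement.
    target = {i.user: effective_entitlements(i) for i in identities}
    actions = compute_actions(identities, exceptions)
    removed = apply_actions(target, actions)
    return actions, target, removed


if __name__ == "__main__":
    acts, state, n = run_example()
    for (user, ent), reason in sorted(acts.items()):
        print(f"revoke {ent} from {user}: {reason}")
    print(f"{n} entitlements removed; resulting state: {state}")
```

Two design points worth noting. The exception record carries who approved it and why, so a certification campaign can later re-examine the decision instead of rediscovering the violation; and the reconciliation returns actions that are then applied to the target, which is the difference between a system that reports violations and one that enforces the model.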

Summary

At one time, the technology landscape resembled the wild, wild west, where individuals and business units did whatever seemed best at the time in order to function within the technology platform landscape. These freewheeling, gunslinging approaches resulted in over-provisioned access and permissions, unnecessary privileged and elevated access, and accumulation of access that opened businesses up to immense risk and eventually an avalanche of breaches.

Best of breed, leading edge IGA provides all three aspects of good government to businesses in the form of a comprehensive, up to date, and representative governance model; the ability to judge, interpret and arbitrate the needs of the business by the business in real time; and the ability to actually execute and enforce both the governance model and business decisions in real time to both ensure the safety (through mitigated risk) as well as increase the operational efficiencies, agility, and velocity of the business.


About Author

Chris Olive is an IT Security Evangelist at SailPoint.
