Identity Governance and Administration (IGA) has become a critical component of modern cybersecurity and organisational management strategies. In an era where digital identities proliferate and data breaches pose significant threats, experts suggest that IGA provides a comprehensive framework for managing user access rights, ensuring compliance with regulatory requirements, and mitigating security risks.
As businesses continue to navigate complex digital landscapes and face increasing scrutiny over data protection, will implementing IGA become essential for safeguarding sensitive information, maintaining regulatory compliance, and fostering a culture of accountability and transparency within organisations?
Chern-Yue Boey, senior vice president for Asia-Pacific at SailPoint, says Identity Governance and Administration (IGA) began with compliance reporting and provisioning employee accounts. Initially a back-office function, it has evolved into a core aspect of identity security.
A study by the Identity Defined Security Alliance (IDSA) revealed that 90% of breaches are identity-related. “There is then a need to ensure that from a cybersecurity perspective, the principle of least privilege access is used as a basis to deploy zero trust security architecture,” posits Boey.
“IGA is central because it intersects with all aspects of identity security, including access management, privileged access management, and identity risks. It unifies these components, making it critical to the security stack.”
Chern-Yue Boey
What IGA brings to the security table
Boey insists IGA is critical to enterprise security, providing insight into who has access to what. IGA ensures each identity, human or non-human, has only the necessary access to applications and privileges required to perform their tasks, maintaining the principle of least privilege. He goes on to comment that over-privileged identities risk abuse, so they must have just enough access to perform tasks securely.
By centralising and automating the processes of user provisioning, access certification, and policy enforcement, IGA enables organisations to maintain a clear overview of who has access to what resources, why they have that access, and whether it remains appropriate over time.
This not only enhances security by reducing the risk of unauthorized access and insider threats but also improves operational efficiency and supports auditing and reporting needs.
“Modern solutions like SailPoint offer insights into identity data and manage relationships between identities and resources,” says Boey. “This involves handling a vast range of application accesses and requests, both structured and unstructured, while comprehending the scope of data access, both present and future.”
As businesses continue to navigate complex digital landscapes and face increasing scrutiny over data protection, experts claim that implementing robust IGA solutions has become essential for safeguarding sensitive information, maintaining regulatory compliance, and fostering a culture of accountability and transparency within organisations.
The evolution of IGA
IGA, originally aimed at efficiency through governance reporting and account administration, is now central to identity security, especially as digital transformation has accelerated and security measures lag.
"This shift is crucial, as 80% of breaches originate from the inside out. The scope of identities has shifted to now include non-human entities like service accounts and bots, as well as outsourced employees. Significant breaches, like Singapore’s Ministry of Education incident, highlight the need to manage third-party entities."
Chern-Yue Boey
AI-driven automation is essential for handling IGA’s complexity. Trends driving this include dynamic access control, where access rights change based on context and adaptive identity, shifting from static role-based to dynamic, policy-based access.
Considerations for integrating IGA into existing security practices
What should CIOs/CISOs bear in mind when integrating identity security into existing systems and processes? What about aligning identity management with the organisation’s broader security goals?
Boey offers the following points to consider:
- Programme approach: We should treat identity security as an ongoing programme, not a one-time project, requiring coordination among multiple stakeholders.
- Phased integration: Organisations should implement a prioritised phased approach, focusing on critical applications such as HR systems first.
- Automated discovery: Use AI-driven platforms for automatic discovery, reducing manual effort.
- Speed of integration: Choose technologies with out-of-the-box connectors and AI-assisted onboarding to reduce time and costs, potentially saving millions.
- Streamlined processes: Avoid replicating old processes; instead, optimise workflows to leverage new capabilities effectively.
Given the evolving nature of cybersecurity and regulation, what models/frameworks can organisations adopt for future identity security requirements?
Boey suggests:
- Unified platform: Implement a single platform with a consistent data model and source of truth to integrate all identity data and processes.
- AI-powered solutions: Organisations can use AI for managing and monitoring identities, identifying outliers, triggering workflows, and continuous monitoring.
- Adaptive identity management: Allows dynamic, event-driven adjustments to user privileges, replacing periodic reviews with continuous assessments.
- Identity risk scoring: Evaluating risks associated with each identity, prioritising security efforts based on risk scores.
- Data privacy compliance: Ensures compliance with regulations like GDPR, focusing on system and data access control.
Checking if IGA is right for my business
Any recommendations on how best to assess the value of identity security to the organisation’s cybersecurity program?
Boey suggests that to assess the value of identity security in a cybersecurity program, there are a few key metrics that we can base it on. He starts with access removal time. “This measures the speed of revoking access when employees change roles or leave the organisation,” he elaborates.
“The second is privileged governance. Ensuring proper management and updating of privileged access, including Privileged Access Management (PAM),” he adds.
“The third is Multi-Factor Authentication coverage – evaluating how comprehensively MFA is implemented across applications. Effective identity security reduces breach impact and costs, ensuring a unified, secure, and efficient cybersecurity infrastructure,” he continues.