Identity Governance Guide

Remember that intern that had access to your database last summer? Are you confident that their username and password were deactivated now that they have a full-time job at your rival’s business? What about that audit request that came through last week—will you be able to pull the information you need to stay in compliance and avoid penalties?

These very real worries aren’t the fault of you or your IT team. Everyone is doing the best they can with the tools they have. The real issue lies in how difficult it is to stay on top of permissioning, especially when companies are growing, with roles quickly changing.

Here at Lumos, we’ve seen it time and time again—IT teams are buried under repetitive tasks and can’t take the time to set and enforce best practices for security and compliance.

Don’t worry, we’re here to help. With our identity governance tools, your IT team can dot all the i’s and cross all the t’s to make sure your systems are as secure and compliant as possible. We’ve put together this comprehensive guide to identity governance to help you understand this complex topic. We’ll take a look at some identity governance examples, as well as answer questions like “what is an IGA framework?” Let’s get started!

What Is Identity Governance?

Identity governance, also known as identity governance and administration (IGA), is a broad term that covers all of the strategies to manage individual user access within an organization. Imagine you’re a superhero and you’ve got an awesome secret underground hideout for all your training montages and urgent phone calls from the mayor. You need a way to make sure your butler can get in while your bumbling friend (after all, she doesn’t know you’re a superhero) or the evil villain can’t. Identity governance is key here—you could employ a technology strategy like installing a retina scanner outside the door or create a policy with your friend that she is only allowed in certain rooms of your house.
‍

This is, of course, a lighthearted analogy to help illustrate the identity governance definition—there are many types of technology, policies, and processes you can employ to secure your company’s sensitive information.

‍
Although often shortened to just “identity governance,” the full term of identity governance and administration does include an important distinction.
Identity governance relates to activities like:

• Visibility into the current state of user access across your tech stack.
• Role management, allowing you to assign custom access levels to specific users or groups of users.
• Segregation of duties where several people are required to complete a task in order to prevent errors or fraud.
• Analytics and reporting in order to make decisions based on real-time data.

In addition to all of these, identity administration encompasses duties like:

• Account and credentials administration where you’re managing the creation, maintenance, and deletion of user accounts and log in information.
• User and device provisioning to ensure that critical user data like a job title or department is tied to the correct access level.
• Entitlement management processes to make sure only authorized users can access sensitive information.

These activities are all closely related, but essentially, think of identity governance more as “policies” and the administration part as “tasks needed to implement those policies.” In other words, IGA as a whole addresses the core IT functions of authentication, authorization, privacy, data protection, and regulatory compliance.

What Is the Difference Between IGA and IAM?

The main difference between IGA and IAM (identity and access management) is the scope: IGA encompasses a broad range of policies and processes while IAM is more narrowly focused on granting access rights. When comparing identity governance vs identity management, it’s important to note that these concepts are closely related and often the definitions overlap.

What Is Enhanced Identity Governance?

While IGA has many benefits, the next level of identity governance involves security models known as “least privilege” and “zero trust.” These overarching philosophies help cybersecurity professionals get in the right mindset to prevent bad actors from wreaking havoc.

• Least privilege is a concept where you only provide the minimum access that a user needs to do their job. For example, instead of providing a data entry role with the ability to run custom accounting reports, access bank account information, and view every user’s activity, you would restrict that role’s access to only the data entry portions of your accounting platform.
  To put it another way, remember your super sweet superhero headquarters? Well, you would probably set the retina scan to allow your trusty butler, Arthur, to come in (to tidy up, bring you snacks, and give you that sage advice), but might not give him the passwords to your computer just in case he gets captured by your arch nemesis.

• Zero trust enforces a “never trust, always verify” approach to access. Essentially, you should always assume that the person attempting to use your system could be a malicious actor. For example, rather than allowing a user to “log in for 30 days” on your system, you could verify the user’s identity every time they use the system and, ideally, verify periodically while they’re using it.
  Think of it like this: imagine you’re using your supercomputer to crack the identity of the latest villain, The Copycat, attacking your fair city. Engrossed in your work, you’re barely paying attention as Arthur bustles around, cleaning and organizing your weapons. “Oh darn,” Arthur mumbles to himself, “I forgot to grab a cloth for polishing!” He leaves the room, leaving the door slightly cracked. Five minutes later, someone who seems to be Arthur comes back in.

But remember - the door wasn’t shut all the way! The new person in the room didn’t actually use the retina scan to enter, nor did they speak upon re-entering the room. The nefarious Copycat is notorious for shapeshifting! It would be so easy to ignore this, as you’re working away. He was only gone for five minutes! Plus, it may seem silly to have Arthur back out of the room and use the retina scan to enter and provide his spoken secret word that only he and you know. However, it’s the only way you’ll have peace of mind.

As you can tell from the above example, even two different verification methods isn’t enough. After all, The Copycat might be able to copy even the eye structure and pass a retina scan or weasel the password out of Arthur after tying him up in a closet. To fit with zero trust security principals, you’ll need to continuously monitor him to see if he has any suspicious behavior and if he can continue to pass identity checks. He has to constantly earn your trust, and you have to be continually calculating whether he is who he says he is.

To learn more about least privilege and zero trust, you can download our free resource today!

What Are the Identity Governance and Administration Standards?

Unfortunately, there isn’t one single IGA standard that can be applied to all situations; there are, however, many different standards that may need to be folded into your identity governance framework. These largely depend on your industry and individual priorities—like SOX, HIPAA, or NIST SP 800-207. Creating your own framework involves setting specific goals for security and compliance, and selecting the right IGA tools to support your objectives.

Let’s take a look at these three US standards—SOX, HIPAA, and NIST SP 800-207—to understand their purpose.

• Sarbanes-Oxley Act (SOX) was implemented in 2002 by Congress as a response to the Enron scandal. Essentially, this act “requires corporate executives to certify the accuracy of their company’s financial statements; maintain and assess internal controls to prevent wrong, misleading, or fraudulent financial data; and imposes criminal penalties for misleading shareholders and altering documents to impede an investigation.”
  ‍
  SOX compliance affects both the financial side of your business and your IT processes. This act regulates which documents you must store, how you access them, and how long you must keep them. When developing your IGA framework, it’s important to remember SOX and put policies in place to follow this regulation. Even if you’re not required to by law (for example, if you’re not a publicly traded company), it is still considered best practice to follow these guidelines.  
  ‍
  
• SOC 2 is a voluntary set of standards that demonstrates your dedication to a higher level of security. This framework is built on the five “Trust Services Criteria,” developed by the American Institute of Certified Public Accountants. These five criteria are security, availability, processing integrity, confidentiality, and privacy.
  ‍
  
• ISO 27001 is another voluntary standard created by the International Organization for Standardization. This framework was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

• Health Insurance Portability and Accountability Act (HIPAA) “establishes national standards to protect individuals’ medical records and other individually identifiable health information.” In essence, any healthcare provider must safeguard protected health information and only allow access by authorized individuals. IGA processes like entitlement management or role-based management can help healthcare providers comply with HIPAA regulations.
  ‍
  
• NIST SP 800-207 is not a regulation, but it is a set of standards that can help you develop your own zero trust framework. The three core principles of zero trust, based on this standard are:

1. Continuous verification where authentication and authorization are checked on an ongoing basis.
2. Limiting the “blast radius” and setting automated detections to drop access levels based on risky behavior by users.
3. Automated context collection and response to ensure quick action and leveraging of real-time data.

These are just a few examples of the standards and regulations that you may want or need to consider when developing your IGA framework.

What Is an Identity Governance Solution?

Identity governance solutions, like that offered by Lumos, provide the tools and technologies to manage user identities and their access rights within an organization. With the right solution, you can ensure that only authorized individuals can access specific systems, applications, and data—all according to their roles and responsibilities.

With an end-to-end IGA solution like Lumos, you can breeze through access requests and user access reviews. You’ll be able to control and manage access to SaaS, cloud, and internal tools. In fact, you can:

• Set up one-click onboarding and offboarding automations to manage app access and permissions
• Enable employee self-service access requests so that your teams can see and request access to the apps they use in their daily workflows.
• Create automated access reviews, making SOX, SOC 2, HIPAA, and ISO 27001 audit prep quick and simple with audit-friendly reporting.

What Does an Identity Governance Dashboard Look Like?

With Lumos, your IGA dashboards are user-friendly and optimized to fit your workflow! Let’s take a look at a few examples:

• Access Reviews

As you can see from this dashboard, Lumos makes access reviewing a snap. You’ll be able to see what permissions are given to each employee, their last activity, and what department they fall under. Plus, you’ll have a simple interface to approve or deny the access.

• Self-Service Access Requests

Employees can use Lumos to ask for access to any app they might need. Your IT team will receive this simple notification, allowing efficient approval or denial of requests.

‍

• Automated onboarding and offboarding

You can implement Joiner-Mover-Leaver workflows and provision access through direct integrations, your SSO Provider, iPaaS platforms or APIs with the help of this streamlined dashboard.

What Are the Use Cases for Identity Governance and Administration?

‍IGA use cases can be found in almost any industry: from SaaS to finance, healthcare, education, government…the list is endless. In today’s digital landscape, companies across the spectrum need to secure their systems in order to prevent bad actors from wreaking havoc. IGA solutions like Lumos help businesses protect themselves and their customers—as well as save time and money by eliminating repetitive tasks for IT teams.
‍

‍
What Is an Example of Identity Governance?

‍For a practical example of how identity governance can make a big difference, let’s take a look at how Chegg partnered with Lumos. This student-first connected learning platform had a big problem: their support staff was bogged down with repetitive accessing tasks. Additionally, they needed a way to ensure that their access reviews were SOX-compliant.

With Lumos, they found an IGA solution that saved them both time and money. Brian McGuiness, VP of IT Operations at Chegg, noted the quick results: “our support staff now focuses on more complex issues. In our experience, the return on investment was almost immediate.”

‍
These results weren’t just based on a gut feeling—the quantifiable impact from using Lumos was:

• 25% of IT tickets automated
• 99.6% reduction in ticket time-to-resolution
• 30 days to value.
  ‍
  “We were promised a consumer-level tool and Lumos lives up to that,” Patrick Achuff, the Staff IT Systems Administrator noted. “It’s intuitive and easy to use.” With the ability to automate access reviews for SOX-compliance, implementation of self-service access requests, policy-based approval workflows, and automated onboarding and offboarding, Chegg won’t get distracted from their real mission: helping students achieve their best, in school and beyond.

‍How Do I Find the Best Identity Governance Tools?

‍Choosing the best solution for your organization should involve considering factors like comprehensive coverage, scalability, advanced reporting, and more. After all, there are many identity governance and administration vendors and solutions out there promising the world. We’ve put together this short checklist to help you evaluate IGA tools, so you can select the right solution for your business’s unique needs and objectives:

• Will you have comprehensive coverage? ‍

It’s important to look for a solution that covers all aspects of identity governance—including provisioning, deprovisioning, access requests, and more.

• What compliance support does this vendor offer? ‍

You’ll want a tool that helps you comply with the regulations and standards of your industry.

• Can this solution grow with your company?

The only thing you can count on is change—so cover your bases with a solution like Lumos that can accommodate more users and increasingly complex scenarios over time.

• What is the user experience like? ‍

At the end of the day, people want tools that are intuitive and straightforward, so be sure to consider the user interface and experience for both administrators and end-users.

• Are there deep integration capabilities?

It’s vital that the solution integrates seamlessly with your entire tech stack, instead of disrupting your existing workflows.

• Does this solution leverage automation effectively?

Look for a solution that relieves the burden on your IT team, reducing manual tasks and freeing them to focus on more strategic assignments.

• Are analytics and reporting built into the platform?

In order to make data-based decisions, you need easy-to-access information. Be sure that the reporting capabilities are detailed and audit-friendly.

• What level of support does the vendor offer?

You’ll want a true partner like Lumos to help you navigate IGA effectively.

• Is this solution cost-effective? ‍

Be sure to evaluate the tool’s cost compared to the value it brings to your organization.

‍Lumos: Where Compliance Meets Convenience

‍Are you ready to transform how your organization manages user access? With Lumos, you’ll have unparalleled visibility and control over your identity governance. And did we mention that you’ll have the workflow automation power of an IGA tool combined with the visibility and cost management controls of a SaaS management solution? Lumos is truly an end-to-end solution to help your IT team achieve compliance, drive productivity, and manage costs.

‍Simple next steps you can take:

• Explore the nuances of compliance and how IGA can help your team shine by downloading our free IGA guide.
  
• Use our ROI calculator to learn how much time you’ll save by implementing IGA policies.
  
• Book a demo today to see Lumos in action.