Zero Trust is a key paradigm for cybersecurity today, used well beyond security circles. The goal is to build cybersecurity that "never (blindly) trusts" but "always verifies." This traditionally meant verifying Who has access to What resource. In the past, the Who typically meant a human with a digital identity being given access to some application within an organization. Once the individual was given access to that application, they would be verified by an IAM tool's authentication capability and then authorized based on policy and permissions, with the transaction logged in preparation for an audit. This has been standard practice for many years for handling employees, customers, and partners.
A glimpse into the new world
But what happens when a digital identity represents more than a human individual and extends to machines such as IoT-like devices, workloads, robots (bots) / RPA (Robotic Process Automation), or other types of identity in the future? What happens when the What resource is no longer on-premises but could also reside in the cloud, in a multi-cloud setup, or in a Docker container running in Kubernetes somewhere? How do you keep up with the growing list of compliance laws and regulations such as FERPA, GDPR, HIPAA, CCPA, SOX, and many others? At this point, you quickly realize that you are not in Kansas anymore (a Wizard of Oz reference).
IGA sits in the middle of identities and resources
Fortunately, most modern Identity Governance and Administration (IGA) solutions take care of the ever-growing list of different types of Who, regardless of where the What resides. With identities on one side and resources on the other, IGA sits in the middle, handling Identity Lifecycle Management and Access Governance for those resources. Identity Lifecycle Management addresses the joiner/leaver/mover processes and the ability to provision identities, access entitlements, and other identity-related information into the target systems. Access Governance supports auditing and ensures compliance through the review and disposition of user access requests, certification campaigns, and access remediation when violations are found. Access Governance also handles Segregation of Duty (SoD) controls as well as role and policy management.
The principle of least privilege
One of the tenets of Zero Trust that fits nicely with IGA is the principle of least privilege: never grant more access than is necessary to get a job or workload done, which has the added benefit of limiting lateral movement across the network. However, this is not easy to achieve with a more traditional model, in which managers are expected to know all of the different applications and services, roles, compliance considerations, and so on whenever an access request is submitted for their approval or that access comes up for recertification.
AI and Machine Learning capabilities are a key differentiator between IGA vendors today
This again is where a more modern IGA solution can help, through identity and access intelligence that uses analytics and AI/ML capabilities to support risk-based, just-in-time provisioning (and de-provisioning) of access. This is also one of the key differentiators between IGA vendors in the market today. Identity and access intelligence can evaluate Who has access to What and the compliance policies under consideration; assess least privilege and score identity risk; and perform access modeling, anomaly detection, and the detection of identity, role, and entitlement outliers, for example. These modern IGA solutions can also recommend whether to approve or reject access requests and, in low-risk cases, grant and revoke access automatically.
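As an added illustration (not code from this article or from any IGA product), the following minimal peer-group analysis shows the kind of risk-based disposition described above: an access request is denied on an SoD conflict, auto-approved when the requested entitlement is common among the requester's role peers, and otherwise routed to the manager, while a second function flags entitlement outliers for certification review. All identities, entitlements, the SoD rule, and the thresholds are constructed sample values.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample identity data (not from the page): each user's role and held entitlements.
IDENTITIES: Dict[str, dict] = {
    "alice": {"role": "ap-clerk", "entitlements": {"erp.invoice.create", "erp.invoice.view"}},
    "bob":   {"role": "ap-clerk", "entitlements": {"erp.invoice.create", "erp.invoice.view"}},
    "carol": {"role": "ap-clerk", "entitlements": {"erp.invoice.create", "erp.invoice.view",
                                                   "erp.payment.approve"}},
    "dave":  {"role": "ap-clerk", "entitlements": {"erp.invoice.view"}},
    "erin":  {"role": "treasury", "entitlements": {"erp.payment.approve", "erp.bank.view"}},
}
# Constructed SoD control: creating invoices and approving payments must not be combined.
SOD_PAIRS: List[Tuple[str, str]] = [("erp.invoice.create", "erp.payment.approve")]

def peer_prevalence(role: str, entitlement: str, identities: Dict[str, dict],
                    exclude: str = None) -> float:
    """Share of identities in `role` (optionally excluding one user) that hold `entitlement`."""
    peers = [i for n, i in identities.items() if i["role"] == role and n != exclude]
    if not peers:
        return 0.0
    return sum(entitlement in p["entitlements"] for p in peers) / len(peers)

def sod_conflicts(entitlements: Set[str], sod_pairs=SOD_PAIRS) -> List[Tuple[str, str]]:
    """Every SoD pair fully contained in the entitlement set."""
    return [pair for pair in sod_pairs if set(pair) <= entitlements]

def evaluate_request(user: str, entitlement: str, identities=IDENTITIES,
                     auto_threshold: float = 0.8) -> dict:
    """Risk-based disposition of an access request: deny on SoD conflict, auto-approve
    when the entitlement is common among role peers (low risk), else route to the manager."""
    ident = identities[user]
    proposed = set(ident["entitlements"]) | {entitlement}
    conflicts = sod_conflicts(proposed)
    prevalence = peer_prevalence(ident["role"], entitlement, identities, exclude=user)
    if conflicts:
        return {"decision": "deny", "prevalence": prevalence, "sod": conflicts}
    if prevalence >= auto_threshold:
        return {"decision": "auto-approve", "prevalence": prevalence, "sod": []}
    return {"decision": "manager-review", "prevalence": prevalence, "sod": []}

def entitlement_outliers(identities=IDENTITIES, rare_below: float = 0.5) -> Dict[str, Set[str]]:
    """Certification helper: entitlements held by fewer than `rare_below` of the holder's
    role peers, i.e. candidates for least-privilege remediation."""
    found = {}
    for name, ident in identities.items():
        rare = {e for e in ident["entitlements"]
                if peer_prevalence(ident["role"], e, identities) < rare_below}
        if rare:
            found[name] = rare
    return found
```

With the sample data, dave's request for `erp.invoice.create` is auto-approved (all his peers hold it), alice's request for `erp.payment.approve` is denied as an SoD conflict, and carol's existing `erp.payment.approve` shows up as an outlier that a certification campaign should revisit.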
To better understand the challenges of legacy IGA and how IGA continues to evolve along with changes in the business environment, KuppingerCole invites you to join its KCLive Event, Modern IGA Capabilities for Identity-Centric Security, to hear from the experts and inform yourself on how to make the best decision possible for your organization.