Digital identity is a cornerstone for enabling business. But digital identity has become a contentious technological space, from which cyber criminals, hacktivists, and nation-state actors launch attacks. Specifically, the use of compromised identity credentials remains a primary attack vector in nearly every recent data breach. The breaches at Yahoo, TalkTalk, Target, Sony, the Prykarpattyaoblenergo Ukraine power station, and others involved leaked and compromised usernames and passwords. Beyond compromised credentials, user accounts often have more access than is required to do their work. This can lead to further compromise, loss of intellectual property due to industrial espionage, loss of individuals’ private data, financial fraud, loss of revenue, leaks to the press, reputation damage, sabotage, etc.
Identity Governance and Administration (IGA) is a category within Identity and Access Management (IAM) that deals with the creation, maintenance, and deletion of user accounts and attributes, as well as the assignment of entitlements. These provisioning capabilities must not only cover on-premises systems, but must also extend to the cloud.
IGA also includes Access Governance capabilities, in particular the policies that apply to user accounts and the associated permissions. Important examples of such policies include procedures for periodically re-authorizing the existing accounts, managerial attestations of the business need for continuing to allow access to electronic resources, and rules about granting administrative privileges to users who require them to execute their job functions. Managing and enforcing SoD (Segregation of Duties) controls is another main capability of such tools. Lastly, identity governance solutions must also include executive dashboards, reporting, and auditing.
Further areas include managing entitlement models, in particular roles, and the lifecycle of such entitlements. Comprehensive capabilities in this area are another essential element of complete IGA solutions.
What we see less often, but consider an important extension, is Data Access Governance (DAG), i.e. the ability to analyze and manage entitlements in unstructured data repositories such as Microsoft SharePoint or file servers. Large portions of sensitive data are held in such repositories. They need adequate protection as well, starting with managing the access to that information.
The IGA market is mature and growing, with a number of major IAM stack vendors including these functions in their suites. Also, there are specialty access governance products that were expressly built for this purpose.
RSA Security is a global cybersecurity company headquartered in Bedford, Massachusetts, USA. RSA was acquired by EMC Corporation in 2006 and has since operated as a division within EMC. Currently, the company offers a wide range of technology and business solutions in such areas as GRC (governance, risk and compliance), fraud detection and information protection, IAM (identity and access management), as well as security analytics and operations. After the acquisition of EMC by Dell was finalized in September 2016, it was announced that RSA had become a Dell subsidiary and would maintain its product lines.