An IGA Framework for 2024

Mathew Pregasen
February 6, 2024

Among the many acronyms in security, one that is growing in prominence is IGA: identity governance and administration. Often (incorrectly) conflated with IAM (identity access management), IGA is a framework for how companies should administrate identities and their provisioned access. While IGA is often stereotyped as a “big-company” problem, it’s more a way of thinking about access, and principles strewn in IGA solutions are pertinent to smaller companies.

IGA literature can be frustrating due to its “fluffiness”. It’s really easy to get caught up in the buzzword soup of “visibility”, “governance”, “certification”, or “credential administration”. These aren’t bad marketing terms—after all, they do sell. But sometimes, all this vision talk dilutes the actual picture of what IGA looks like in practice. Today, our goal of exploring the IGA landscape is guided by clarity; we want to establish an IGA framework for 2024 in simple, straightforward terms. We’ll discuss the factors that prompted the emergence of IGA, how to digest IGA solutions, and finally, the core functionalities of a modern IGA framework.  

How exactly did IGA emerge?

Similarly to IAM solutions, IGA solutions tackle how identities are created, managed, and deleted. However, IGA and IAM are not perfect **synonyms. IGA goes beyond identity management; some of its additional responsibilities include policy enforcement and compliance management. Those may be marketing terms, but they translate to tracking how employees use their access.

Taking a step backward, IGA’s predecessor, IAM, was originally necessary because (a) phish-able humans can’t be trusted with broad access and (b) identities are constantly in flux as organization charts change. This gave rise to many centralized identity providers, such as Okta and One Identity. However, modern identities are just the tip of the iceberg. Companies use hundreds of SaaS applications, and some applications are used sparingly (or, worse, not at all). Additionally, some applications have “authenticate once, use forever” bearer-token authorization flows. Together, these factors create a myriad of security weak spots. Accordingly, with visibility into how access is utilized, security teams can identify suspicious changes in behavior, potentially preventing unauthorized access.

With phishing at an all-time high and attacks becoming more sophisticated, IGA is a natural evolution for how security teams can flag and eliminate threats.

How should IGA solutions be framed?

IGA solutions are marketed as two things: automation solutions and compliance solutions.

Automation is the more apt description. From a birds-eye view, IGA solutions aren’t doing anything novel, just assigning access and monitoring access. For decades, that’s work that was already done by CISOs and security teams. The difference is that IGA automates those security practices, a necessary feature as access grows more complicated.

The impact of this is easier compliance. IGA solutions make abiding by (and auditing) government compliance and third-party compliance easier by enforcing internal policies. IGA solutions don’t alter what’s considered within the compliance regime—they simply automate tedious processes, enabling those same folks to focus on more finish-line compliance tasks.

2024’s core constraints

Today’s workforce problems aren’t terribly different from those of half a decade ago, but there are some notable changes that impact the focus of IGA frameworks. Here’s a short list of those core considerations:

  1. Employee turnover. Long gone are the days of decades-long employees. Nowadays, employees shift from company to company. Plus, companies grow. Shrink. Restructure. In short, employee rosters are constantly changing and doing so at a rapid rate. New employees need to safely gain access to work applications and resources in order to work. And, likewise, departing employees need to lose access—otherwise, they’re a walking security risk. (For those who love formal terminology, this subprocess is called identity lifecycle management).
  2. Employees move around. Changing permissions isn’t only an onboarding and turnover problem. Employees often internally transfer to different departments (or just get promoted). These changes in titles also translate to changes in responsibility (and, by extension, access). Otherwise, you’ll end up with entitlement creep where an employee unsafely racks up permissions by moving around an organization.
  3. Access has grown complex. Long gone are the days of simple usernames and passwords. Today, organizations need to enforce alternative authentication techniques such as IGA-governed authentication, pass-through authentication, or SSO. Or, they need to enforce that employees maintain MFA techniques such as authenticator applications or hardware keys. They also need to ensure that underlying passwords are complex and not susceptible to easy attacks. Additionally, tool sprawl has grown—organizations are using more and more products, making access trickier.
  4. Not all SaaS applications are alike. Not only are there more tools in a modern company’s tool chest, but each tool has the same level of integrate-ability or risk. This means a one-size-fits-all policy for accessing all external SaaS apps is not ideal.
  5. IT administrators have busy lives. If you’re an IT administrator, there’s a good chance your calendar looks like a MoMA exhibit. Administrators are busy, so administrative duties in an IGA solution need to be short and simple.
  6. HR solutions exist. Every modern company has an HR solution. After all, employees are only employees because they get paid for their work. The tricky thing is that many HR solutions are attempting to replace identity providers (e.g., Rippling) via optional add-on features. In fact, some companies have an HRIS, an IGA solution, and an IAM product—all with overlapping features. This means that any IGA solution needs to play nice (read: integrates) with other directory-spanning products.
  7. Some regulations are standardized. Some regulatory standards—like GDPR, CCPA, or PCI DSS—are standardized and cannot be altered by organizations. However, they also do not strictly define corporate policies—policies often address the goals of regulations alongside other internal security goals.

Generally speaking, these rules translate to features that are touted by major IGA players. However, instead of comparing specific IGA solutions with one another, let’s focus on what an ideal IGA solution should be able to do.

The core tenets of a strong IGA framework

Tenet 1: Effective management of employee changes

IGA solutions need to support a core set of features regarding the needs of an organization’s employee directory:

  1. An IGA solution needs to be able to automatically provision access to SaaS applications and infrastructure resources whenever employees are added to an HR solution and/or Identity Provider. This may require an administrator view where certain roles could be added to an employee’s profile alongside an employee’s view where the access grants are communicated.
  2. The IGA solutions need to be able to shut off access to an employee should they leave an organization voluntarily or involuntarily. This access might be immediate or after a short delay to provide time to transfer data to other team members. Without deactivating exited employees, organizations are left with orphaned accounts—massive security risks given they aren’t actively monitored by nature.
  3. An IGA solution needs to be able to change access to an employee should the employee be promoted, demoted, or internally transferred within the organization. Otherwise, organizations suffer a problem known as entitlement creep—where a single employee, potentially even a junior employee, gets very permissive access having just transferred around an organization. The IGA solution should be able to communicate these changes to the employee.

Fundamentally, this boils down to an IGA solution that can dynamically manage employee access based on their employment status. It’s also important that administrators can get a birds-eye view of all the access grants being afforded to employees.

Tenet 2: Company policy ingestion and enforcement

Organizations have employee handbooks to ensure that data usage is safe and security practices are being followed. However, organizations cannot blindly trust that employees follow rules, since humans often take shortcuts or are slow to adopt tedious practices. (Additionally, threat vectors can be, on rare occasions, internal.)

These company policies are sometimes solely driven by in-house leadership but are otherwise influenced by compliance standards such as GDPR, CCPA, and SOC II. Granted, it’s not that IGA solutions ingest a text-block of policies and use some AI magic to govern applications; policy enforcement boils down to ensuring that employee access is in accordance with set policies.

Tenet 3: Simplification of identity management for administrators via integrations and alerts

The point of an IGA solution is to simplify identity management and governance. If an IGA solution creates more busy work for administrators than saves time, then it is effectively circumventing its primary value prop.

To address this, IGA solutions need to seamlessly integrate with existing IT infrastructure and applications. Common integrations are with cloud providers like AWS, HR solutions like Workday, engineering management solutions like Atlassian, drive solutions such as Box, and workspace solutions like Google Workspace.

IGA solutions also need to configure alerts for any breaches to policies so that administrators don’t need to constantly login and monitor—these are sometimes marketed as systems health notifications.

Tenet 4: IGA needs to deploy and enforce advanced authentication techniques

Today’s companies use a variety of authentication techniques.

The first technique is to lean on the IGA provider for authentication, such as SailPoint’s IdentityIQ authentication solution. Another example would be Okta, which is slowly ramping up into a fully-fledged IGA solution.

The next technique is to support pass-through authentication such as Microsoft’s Active Directory or LDAP (lightweight directory access protocol) where the IGA solution is still used as the interface for authentication even though it’s just querying an underlying employee directory.

Another common model is Single-Sign-On providers such as Google, where a service provider such as email is also used as authentication on other applications. These are typically governed by SAML, an XML-extension language that defines what properties are shared with the SSO provider.

Of course, it’s important that the most stringent of these is applied to accessing administrative accounts on an IGA solution; otherwise hackers could just exploit a company’s security by hacking their IGA solution access directly.

Tenet 5: IGA needs to be an umbrella application

An IGA solution needs to work with other directory-spanning software such as HR solutions, identity providers, and other point solutions. IGA solutions are designed to be umbrella providers and therefore need to proactively act as a source of truth to unify these moving parts. Practically, this translates to strong integrations where an IGA solutions can trigger write actions in other directory-spanning software.

Tenet 6: IGA needs to monitor application usage

One of the growing acronyms within the IGA space is BDG—behavior-driven governance. Essentially, that’s monitoring how employees use applications and dispatching alerts if that usage contradicts expectations. It’s a model particularly championed by One Identity, an IGA/security solution.

There are a few features that make a BDG-type IGA solution compelling (I might’ve vomited a little after writing such an acronym-heavy phrase, e.g., an AHP):

  • Automatically de-provisioning access to applications if employees don’t use them, where access can be granted again on request. This is a more predictive version of least privilege.
  • Throwing up alerts if an employee suddenly starts using an application or a set of applications in an uncommon way
  • Providing administrators with average access frequency of applications across their entire employee base

Overall, BDG are nice-to-have features of an IGA solution. However, in 2024, they are particularly nice when companies are over-purchasing SaaS applications, especially when many SaaS applications have sensitive data.

Closing thoughts

In 2024, as more organizations adopt feature-heavy IGA solutions, they should care about some core features being present. They could be split into two groups: (i) features that improve security by providing a path to least privilege and (ii) features that streamline management by automatically doing tedious tasks.

The core mantra of IGA solutions is making sure that only the right people can do sensitive actions while keeping the process automated and efficient.

Recommended Posts