IGA and PAM: How Identity Governance Administration Connects with Privileged Access Management
Misappropriation of user identity is one of the root causes of many serious cybersecurity incidents. The threat can take the form of a malicious actor impersonating an authorized system user, an attacker creating a fictitious user account, or a legitimate user taking improper actions. In each case, security managers may have trouble detecting the actions of an ill-intentioned user, or they discover the problem only after the fact.
Identity Governance and Administration (IGA) offers a way to mitigate such identity-based risks. Privileged Access Management (PAM), which manages administrative users, aligns with IGA, reinforcing its effectiveness. Understanding how they work together can help security managers strengthen security based on robust identity management.
PAM reinforces IGA, significantly improving security organization-wide.
What is IGA?
IGA is part of the broader, always-evolving field of Identity and Access Management (IAM). It grew out of what was originally known as User Administration and Provisioning (UAP). Where UAP focused on provisioning system access from static user directories, IGA takes the process further and makes it more dynamic and granular. Given the complexity of today’s organizations and the systems they rely on, granting access from fixed sets of privileges is no longer enough. IGA manages digital identities and their access rights across multiple systems and applications.
An IGA solution aggregates and correlates identity and permissions data, which is usually scattered across an organization’s systems and data resources. It governs permissions: granting them, revoking them, and periodically certifying that existing access is still appropriate. Because it handles access requests, IGA also enables auditing, reporting, and analytics on identities and their access. These capabilities support compliance with Sarbanes-Oxley (SOX) and other regulations, such as GDPR and 23 NYCRR 500, that mandate controls over, and auditability of, system access.
IGA manages access entitlements across the identity lifecycle.
What is PAM?
PAM comprises the processes and tooling that manage access to the administrative back ends of critical systems. Privileged users can log into the controls of those systems to modify settings, create or delete user access, and more. Some form of PAM, whether manual or automated, is required for any serious InfoSec program: accidental or deliberate abuse of privileged accounts can cause serious business impacts, including data loss, systemic disruption, and breaches of privacy. PAM is the countermeasure.
A PAM solution streamlines the management of access privileges. It can grant and revoke privileged users’ rights to specific systems. The WALLIX PAM solution, for example, centralizes PAM functions, giving administrators a single point of control over all privileged users. With WALLIX, the privileged user never learns the root password of the system he or she is administering. This greatly reduces the risk of password sharing, and of former employees retaining privileged access after termination. WALLIX also records privileged account sessions, which is useful for audit and incident response.
A privileged user need not be an employee, or even a person. A PAM solution governs privileged access by employees, contractors, and staff of third-party vendors alike, and the privileged “user” may equally be an automated system operating inside or outside the enterprise.
PAM consists of a collection of processes and tools that gives security teams complete visibility and control over who has access to an organization’s most critical systems.
IGA and PAM Together: Mutual Reinforcement
Unifying IGA and PAM provides a central locus of policy definition and enforcement for all forms of identity management. With an integrated approach, a request for privileged access is evaluated within the parameters of the organization’s IGA policies, so every access request and grant, basic or privileged, belongs to a single access control chain and is correspondingly easier to audit.
There are several ways to achieve this mutually reinforcing relationship between IGA and PAM. The goal should be a single authoritative identity store. Through their APIs, the two solutions can drive automated workflows that process every access request, including requests for privileged access.
Benefits of Unifying IGA and PAM
- A single point of control for provisioning all identity access in the organization.
- Confidence that privileged access sessions will be performed within identity governance policy.
- Easier audit discovery of inconsistencies in access authorizations, including segregation-of-duties violations and other breaches of the role-based restrictions that compliance regimes commonly require.
- Streamlined process of onboarding and off-boarding all users, both internal and external.
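The following added example (not WALLIX code, and not taken from any product) sketches the integrated request path described above and the segregation-of-duties check listed among the benefits. The identity store, entitlement names, SoD rules and the session TTL are all constructed for illustration; the point is that one policy decision gates both standard and privileged access, every decision lands in the same audit chain, and a privileged grant yields a time-bound, recorded session ticket rather than a shared root password.

```python
"""
Toy IGA + PAM integration. All identities, entitlements and rules below are
constructed sample data, not real-world policy.
"""
from dataclasses import dataclass, field

@dataclass
class Identity:
    user_id: str
    active: bool
    entitlements: set = field(default_factory=set)

# Authoritative identity store (constructed). "carol" has been off-boarded
# but still holds a privileged entitlement; certification should flag her.
IDENTITIES = {
    "alice": Identity("alice", True, {"ap_invoice_entry"}),
    "bob":   Identity("bob", True, {"db_prod_admin", "audit_log_admin"}),
    "carol": Identity("carol", False, {"db_prod_admin"}),
}

# Segregation-of-duties rules (constructed): no one identity may hold both.
SOD_RULES = [
    frozenset({"ap_invoice_entry", "ap_payment_approve"}),
    frozenset({"db_prod_admin", "audit_log_admin"}),
]

# Entitlements the PAM side brokers as recorded privileged sessions (constructed).
PRIVILEGED = {"db_prod_admin", "audit_log_admin", "ap_payment_approve"}

AUDIT_CHAIN = []            # one chain for standard and privileged decisions alike
SESSION_TTL_SECONDS = 3600  # assumed ticket lifetime

def sod_violations(entitlements):
    """Return every SoD rule fully covered by the given entitlement set."""
    return [sorted(rule) for rule in SOD_RULES if rule <= set(entitlements)]

def evaluate_request(user_id, entitlement, identities=IDENTITIES):
    """IGA policy decision for an access request. Returns (granted, reason)."""
    ident = identities.get(user_id)
    if ident is None:
        return False, "unknown identity"
    if not ident.active:
        return False, "identity disabled"
    # Check the requested right against what the identity already holds.
    conflicts = sod_violations(ident.entitlements | {entitlement})
    if conflicts:
        return False, f"segregation-of-duties conflict: {conflicts}"
    return True, "policy satisfied"

def process_request(user_id, entitlement, now, identities=IDENTITIES, audit=AUDIT_CHAIN):
    """Run the IGA decision, record it, and on a privileged grant return a PAM
    session ticket. The ticket carries no target credential: the user is given
    a brokered, recorded session, never the root password itself."""
    granted, reason = evaluate_request(user_id, entitlement, identities)
    audit.append({"user": user_id, "entitlement": entitlement, "granted": granted,
                  "reason": reason, "at": now,
                  "privileged": entitlement in PRIVILEGED})
    if granted:
        identities[user_id].entitlements.add(entitlement)
        if entitlement in PRIVILEGED:
            return {"user": user_id, "target": entitlement, "issued": now,
                    "expires": now + SESSION_TTL_SECONDS, "recorded": True}
    return None

def certify_access(identities=IDENTITIES):
    """Access-certification pass: report identities whose current entitlements
    already violate an SoD rule, and disabled identities that still hold
    privileged rights (a former employee retaining access)."""
    findings = []
    for ident in identities.values():
        for conflict in sod_violations(ident.entitlements):
            findings.append((ident.user_id, "sod_violation", conflict))
        stale = sorted(ident.entitlements & PRIVILEGED)
        if not ident.active and stale:
            findings.append((ident.user_id, "disabled_with_privilege", stale))
    return findings

if __name__ == "__main__":
    print(process_request("alice", "ap_payment_approve", now=1000))  # denied by SoD
    print(process_request("alice", "audit_log_admin", now=1000))     # privileged ticket
    for finding in certify_access():
        print(finding)
```

Because `process_request` is the only path that changes the identity store, the certification pass and the audit chain see exactly the same entitlements that the PAM side acts on, which is the single access control chain the integration is meant to deliver.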
Improve Security Using IGA and PAM
The challenge of staying on top of user identity will only grow as the workforce spreads across physical locations and insists on using multiple types of devices. In parallel, data assets continue to shift into new hosting modes such as cloud and hybrid architectures. The very idea of a “user” is evolving, with automated, AI-driven systems now performing a range of tasks. In this environment, tighter control over user identity is essential. IGA and PAM working together provide a solution, giving administrators an agile, efficient way to govern user identity and access rights.