IGA and PAM: How Identity Governance Administration Connects with PAM

Misappropriation of user identity is one of the root causes of many serious cybersecurity incidents. The threat can appear as a malicious actor impersonating an authorized system user, a hacker creating a fictitious user account, or a legitimate user taking improper actions. In each case, security managers may have trouble detecting the actions of an ill-intentioned user or they discover the problem after the fact.

Identity Governance and Administration (IGA) offers a way to mitigate such identity-based risks. Privileged Access Management (PAM), which manages administrative users, aligns with IGA, reinforcing its effectiveness. Understanding how they work together can help security managers strengthen security based on robust identity management.

PAM reinforces IGA, significantly improving security organization-wide.

What is IGA?

IGA is part of the broader, always-evolving field of Identity and Access Management (IAM). Originally, it was known as User Administration and Provisioning (UAP). While UAP was focused on provisioning system access based on static user directories, IGA takes the process further and makes it more dynamic and granular. Given the complexity of today’s organizations and the systems, they rely on; it was no longer enough to grant access based on fixed sets of privileges. IGA undertakes the management of digital identity and access rights across multiple systems and applications.

An IGA solution aggregates and correlates identity and permissions data, which is usually distributed liberally across an organization’s collection of systems and data resources. IGA is involved in governing permissions, granting them, and taking them away while certifying access. As it handles access requests, IGA enables access and identity auditing, reporting, and analytics. IGA manages access entitlements across the identity lifecycle. With these attributes, it’s helpful for compliance with Sarbanes Oxley (SOX) and other regulations like GDPR, 23 NYCRR 500, etc. that mandate controls and auditability of system access.

IGA manages access entitlements across the identity lifecycle.

What is PAM?

PAM comprises a collection of processes and tooling that manage access to the administrative back ends of critical systems. Privileged users are able to log into the controls of systems and modify settings, set up or delete user access, and more. Some form PAM, ranging from manual to automated, is absolutely required for any serious InfoSec program. After all, accidental or deliberate abuse of privileged accounts can result in serious business impacts like data loss, systemic disruption, and breaches of privacy. PAM offers a countermeasure.

A PAM solution offers streamlined management of access privileges. It can grant and revoke privileged users’ rights to specific systems. The WALLIX PAM solution, for example, centralizes PAM functions, giving administrators a single point of control over all privileged users. With WALLIX, the privileged user does not know the root password to the system he or she is administering. This greatly reduces the risk of password sharing or of former employees retaining privileged access after termination. WALLIX also records privileged account sessions, which is useful for audit and incident response.

A privileged user does not have to be an employee or even a person. A privileged user can be almost anyone or anything. A PAM solution governs all privileged access by employees, contractors, and employees of third-party vendors. It could even be an automated system, operating either inside or outside the enterprise.

PAM consists of a collection of processes and tools that gives security teams complete visibility and control over who has access to an organization’s most critical systems.

IGA and PAM Together: Mutual Reinforcement

Unifying IGA and PAM enables a central locus of policy definition and enforcement for all forms of identity management. With an integrated IGA and PAM approach, a request for privileged access can be managed within the parameters of the organization’s IGA policies. All access requests and grants are part of a single access control chain. Both basic user and privileged user access become more easily auditable.

There are a variety of approaches to achieving the mutually-reinforcing relationship between IGA and PAM. The goal should be to build one authoritative identity store. With APIs, the two solutions can facilitate automated workflows to process all access requests, including requests for privileged access.

Benefits of Unifying IGA and PAM

A single point of control for provisioning all identity access in the organization.
Confidence that privileged access sessions will be performed within identity governance policy.
Easier audit discovery of inconsistencies in access authorizations, including segregation of duties violations and other role-based access restrictions common in compliance.
Streamlined process of onboarding and off-boarding all users, both internal and external.

Improve Security Using IGA and PAM

Challenges to staying on top of user identity will only continue to grow as the workforce spreads across physical space and insists on using types of multiple devices. In parallel, data assets continue to shift into new hosting modes like cloud and hybrid architectures. The very idea of a “user” itself is evolving, with automated, AI-driven systems now performing a range of tasks. In this environment, the need for tighter controls over user identity is essential. IGA and PAM working together provide a solution. They give administrators an agile, efficient way to govern user identity and access rights.

Interested in learning more about the WALLIX Bastion PAM solution and how it can connect with your existing IGA processes? Get in touch.

How to Apply the Principle of Least Privilege (POLP) in the Identity Lifecycle Governance (ILG) with Identity & Access Governance (IAG)

March 19, 2024

Related resources

February 8, 2024

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
trackalyzer	1 year	This cookie is used by Leadlander. The cookie is used to analyse the website visitors and monitor traffic patterns.

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
messagesUtk	1 year 24 days	This cookie is set by hubspot. This cookie is used to recognize the user who have chatted using the messages tool. This cookies is stored if the user leaves before they are added as a contact. If the returning user visits again with this cookie on the browser, the chat history with the user will be loaded.

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_gat_UA-12183334-1	1 minute	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 9 months 23 days 12 hours 13 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
wp-wpml_current_language	1 day	No description