What is Access Governance?

The terms Access Governance, Identity Governance and Identity Management are often used interchangeably. Read on to learn about the differences between these concepts.


Access Governance, also known as Identity Governance or Identity Governance and Administration (IGA), refers to policies, tools and services used to combat unnecessary permissions and enforce appropriate access to sensitive information and digital assets. Ensuring that users only have access rights that are absolutely necessary for their position within an organization (a concept also known as the principle of least privilege or POLP) reduces the risk of cyberattacks that exploit excess privileges and helps organizations meet increasingly strict compliance standards for privacy and data protection, such as PCI DSS, ISO 27001 or the NIST Cybersecurity Framework.

The term Access Governance or Management is often used interchangeably with Identity Governance or Management. While there is significant overlap between the two concepts, we believe there are several key differences that set access management apart from identity management.


Different Access Governance solutions follow slightly different approaches and offer various extra features. However, these are the key components that define Access Governance:

  • Role-based access control: Modeling access rights based on business roles is a vital part of successfully implementing the principle of least privilege. Under this framework, the access rights needed by employees are bundled into roles, for instance roles for different departments, branches or positions. Instead of assigning permissions directly to user accounts, users are then assigned to these roles, which gives them access to everything they need. This prevents unnecessary permissions from being copied over through the reliance on reference users and ensures that permissions are revoked when a user is moved to another role or leaves the organization (also known as the user lifecycle).

  • Approval workflows: The purpose of an approval workflow is to allow department heads to grant access to data and resources they manage without the need to involve IT staff. Access Governance systems that support self-service requests and approval workflows need to be aware of who the relevant decision maker (also known as the data owner) for any given resource is. Assigning data owners and custom workflows allows a business to streamline its approval process and free up time for its IT staff.

  • User access reviews: Periodic user access reviews prevent unnecessary permissions from accumulating over time. While employees are quick to point out permissions they are missing, unused and outdated permissions tend to go unnoticed. The resulting privilege creep poses a significant security risk. Access Governance solutions help prevent this build-up by sending automatic reminders to data owners, who must confirm that permissions they have assigned are still in use. Privileges that are no longer required are removed during this process.
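
The sketch below ties the three components together. It is an added example, not code from tenfold or any Access Governance product: it derives each user's permissions from role membership, flags direct grants that fall outside those roles as well as permissions that have gone unused, and groups the findings by data owner for sign-off. The role names, permission strings, usage dates and the 90-day threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data for illustration (not from any real system).
ROLES = {
    "sales": {"crm:read", "crm:write", "share:sales"},
    "finance": {"erp:read", "erp:write", "share:finance"},
}
DATA_OWNERS = {"crm": "head_of_sales", "erp": "head_of_finance", "share": "it_manager"}
USERS = {
    # alice moved from finance to sales; erp:write was granted directly and never revoked
    "alice": {"roles": {"sales"}, "direct": {"erp:write"}},
    "bob": {"roles": {"finance"}, "direct": set()},
}
# Last recorded use of each (user, permission); a missing entry means never used.
LAST_USED = {
    ("alice", "crm:read"): date(2024, 5, 28),
    ("alice", "crm:write"): date(2024, 5, 30),
    ("alice", "erp:write"): date(2023, 11, 2),
    ("bob", "erp:read"): date(2024, 5, 29),
    ("bob", "erp:write"): date(2024, 1, 10),
    ("bob", "share:finance"): date(2024, 5, 20),
}


def permission_sources(user):
    """Return (permissions granted via roles, direct grants not covered by any role)."""
    entry = USERS[user]
    from_roles = set().union(*(ROLES[r] for r in entry["roles"]))
    return from_roles, entry["direct"] - from_roles


def build_review(today, stale_after_days=90):
    """Return {data_owner: [(user, permission, reason), ...]} for owner sign-off."""
    review = {}
    for user in sorted(USERS):
        from_roles, direct_only = permission_sources(user)
        for perm in sorted(from_roles | direct_only):
            reasons = []
            if perm in direct_only:
                reasons.append("direct assignment outside role")
            last = LAST_USED.get((user, perm))
            if last is None or (today - last).days > stale_after_days:
                reasons.append("unused")  # never used, or idle beyond the threshold
            if reasons:
                owner = DATA_OWNERS[perm.split(":")[0]]
                review.setdefault(owner, []).append((user, perm, ", ".join(reasons)))
    return review
```

Calling `build_review(date(2024, 6, 1))` on this data routes alice's leftover `erp:write` grant to the finance data owner, which is the privilege creep a periodic review is meant to catch.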

About the Author: Helmut Semmelmayer

Helmut Semmelmayer currently heads channel sales at the software company tenfold software. He looks back on 10 years of involvement in the identity and access management market. Having worked on countless customer projects, he has extensive knowledge of the challenges that organizations face when it comes to protecting data from unauthorized access. His goal is to educate businesses and build awareness for current and future access-based attack patterns.