Access Governance, also known as Identity Governance or Identity Governance and Administration (IGA), refers to policies, tools and services used to combat unnecessary permissions and enforce appropriate access to digital resources and sensitive information. Ensuring that users only have access rights that are absolutely necessary for their role (a concept also known as the principle of least privilege or POLP) reduces the risk of cyberattacks that exploit excess privileges and helps organizations meet increasingly strict compliance standards for privacy and data protection.
The term Access Governance or Management is often used interchangeably with Identity Governance or Management. While there is significant overlap between the two concepts, we believe there are several key differences that set access management apart from identity management.
Different Access Governance solutions follow slightly different approaches and offer various extra features. However, these are the key components that define Access Governance:
- Role-based access control: Modeling access rights based on business roles is a vital part of successfully implementing the principle of least privilege. Under this framework, the access rights needed by employees are bundled into roles, for instance roles for different departments, branches or positions. Instead of assigning permissions directly to user accounts, users are then assigned to these roles, which gives them access to everything they need. This prevents unnecessary permissions from being copied over from reference users and ensures that permissions are revoked when a user is moved to another role or leaves the organization.
- Approval workflows: The purpose of an approval workflow is to allow department heads to grant access to data and resources they manage without the need to involve IT staff. Access Governance systems that support approval workflows need to know who the relevant decision maker (also known as the data owner) is for any given resource. Assigning data owners and custom workflows allows a business to streamline its approval process.
- User access reviews: Periodic user access reviews prevent unnecessary permissions from accumulating over time. While employees are quick to point out permissions they are missing, unused and outdated permissions tend to go unnoticed. The resulting privilege creep poses a significant security risk. Access Governance solutions help prevent this build-up by sending automatic reminders to data owners, who must confirm that permissions they have assigned are still in use. Privileges that are no longer required are removed during this process.
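
The following Python sketch is an added example, not code from the original page or from any Access Governance product. It models the role-based access control and user access review components described above: permissions derive from roles, a role change revokes what only the old role granted, and a review queue is built per data owner. Role names, resources, data owners and the 90-day idle threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data: roles, resources and owners are illustrative only.
ROLES = {
    "sales": {"crm:read", "crm:write", "share:sales"},
    "finance": {"erp:read", "erp:post", "share:finance"},
}
DATA_OWNERS = {"crm": "head_of_sales", "erp": "cfo", "share": "it_ops"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    direct: set = field(default_factory=set)       # permissions granted outside any role
    last_used: dict = field(default_factory=dict)  # permission -> date of last use

    def effective(self):
        """Permissions derived from roles, plus any direct grants."""
        granted = set(self.direct)
        for role in self.roles:
            granted |= ROLES[role]
        return granted


def change_role(user, old, new):
    """Move a user between roles and return the permissions this revoked."""
    before = user.effective()
    user.roles.discard(old)
    user.roles.add(new)
    return before - user.effective()


def access_review(users, today, max_idle_days=90):
    """Build a per-data-owner review queue of direct grants and unused permissions.

    The idle threshold is an assumption; the page does not specify one.
    """
    queue = {}
    for user in users:
        for perm in sorted(user.effective()):
            used = user.last_used.get(perm)
            idle = used is None or today - used > timedelta(days=max_idle_days)
            reason = "direct grant" if perm in user.direct else "unused" if idle else None
            if reason:
                owner = DATA_OWNERS[perm.split(":")[0]]
                queue.setdefault(owner, []).append((user.name, perm, reason))
    return queue
```

Note that a direct grant survives a role change, which is why the review flags it for the data owner to confirm separately.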