What Is Identity Governance & Administration (IGA)?

The terms identity governance and access governance are often used synonymously with identity and access management. Learn what separates these concepts, what they have in common and how to govern identities effectively.

What Is Identity Governance & Administration?

When it comes to managing IT users and privileges, there are many closely related terms to keep track of: identity management, access management, identity & access governance, identity governance & administration. It doesn’t help either that many solution providers put their own unique spin on these concepts. So let’s start off with a few basic definitions:

  • Identity management deals with digital identities (i.e. user accounts) and covers tasks such as creating new accounts, secure authentication and managing user lifecycles.

  • Access management concerns itself with IT privileges and deals with such topics as the automated provisioning and central reporting of access rights.

  • Identity governance & administration describes processes and policies that ensure that each user receives only intended and appropriate permissions. It includes tools such as role-based access control and recurring access audits.

The difference between identity & access management (IAM) and identity governance & administration (IGA) can be summarized like this: IAM allows organizations to assign permissions automatically, but IGA ensures that users receive only permissions they actually need. If permission management were a car, IAM would be the engine that moves it forward, while IGA would provide the steering and safety features that get you to your destination safely.

This comparison also shows that IAM and IGA are not contrary concepts, but two parts of the same overarching goal. In fact, IAM solutions generally include essential governance features such as permission roles, segregation of duties and access reviews.

Despite its two component parts, identity and access management (IAM) is generally treated as one unified field.

What Makes Identity Governance & Administration Important?

In an increasingly digital world, businesses store and process vast amounts of sensitive data, ranging from customer data and payment processing information to the personal data of their employees. To satisfy regulatory requirements and prevent leaks, breaches or data theft, organizations need to manage access to sensitive data effectively.

For example, the EU’s GDPR mandates that personal data can only be processed for specific purposes and that it can only be accessed by users with a legitimate interest. This concept of minimizing access to sensitive data to only what is strictly necessary is also known as the principle of least privilege. It is an integral part of many IT security standards and privacy regulations, including ISO 27001, NIS2, NIST CSF and HIPAA.

Identity governance & administration allows organizations to meet these compliance requirements. Without a dedicated IGA platform, organizations face an incredible amount of effort in managing thousands of users and permissions by hand. More than that, achieving compliance is simply impossible without the right tools, including comprehensive reporting and a centralized platform for access audits.

What Are the Components of Identity Governance & Administration?

To ensure that each user only receives the intended permissions for their role in the organization, IGA solutions include tools for automated provisioning and permission audits. These include:

  • Role-based access control: RBAC is an access control model that automatically supplies each user with the exact privileges intended for their position and responsibilities. First, the organization defines the default permissions for users in different business roles, which map to the organizational structure and factors such as department or location. These permissions are then automatically assigned when a new user is added to a role and automatically revoked when their role changes later on.

  • User access reviews: Even if default privileges are assigned automatically, regular audits are essential to maintaining compliance. These audits, also known as access reviews, not only prevent mistakes but also help you keep track of additional permissions that users might receive on top of their baseline access. After all, it is not uncommon for users to request and receive permissions to deal with short-term projects, emergency substitutions or collaborations with other departments. Access reviews ensure that any extra permissions are removed once they are no longer needed.

  • Segregation of duties: Segregation of duties or SOD is a compliance safeguard designed to prevent a single user from holding too much power or a combination of privileges that would enable abuse. For example, if a person is able to both submit equipment orders and confirm that shipments have been received, they could use these privileges to create and approve phony shipments. IGA helps organizations avoid conflicts of interest by modelling appropriate role-based access and conducting regular audits, but can also include explicit SOD functions such as marking permissions as incompatible to prevent users from holding both at the same time.
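
The three components above can be sketched as one small model: role baselines, the provisioning delta on a role change, and an access review that reports extra grants and segregation-of-duties conflicts. This is an added example, not code from tenfold or any IGA product; all role, permission and user names are constructed, and the incompatible pair is the order/receipt case described above.

```python
# Added illustration: every role, permission and user name is constructed.

# RBAC: default permissions per business role.
ROLE_PERMISSIONS = {
    "purchasing": {"orders.submit", "catalog.read"},
    "warehouse": {"shipments.confirm_receipt", "inventory.read"},
    "finance": {"invoices.approve", "catalog.read"},
}

# SoD: permission pairs that no single user may hold at the same time.
INCOMPATIBLE = {frozenset({"orders.submit", "shipments.confirm_receipt"})}

def baseline(roles):
    """Permissions a user receives purely from role membership."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms

def effective(roles, direct_grants):
    """Role baseline plus individually granted extras."""
    return baseline(roles) | set(direct_grants)

def change_roles(old_roles, new_roles):
    """Provisioning delta on a role change: (to_grant, to_revoke)."""
    old, new = baseline(old_roles), baseline(new_roles)
    return new - old, old - new

def sod_conflicts(perms):
    """Incompatible pairs fully contained in a permission set."""
    return sorted(tuple(sorted(p)) for p in INCOMPATIBLE if p <= perms)

def access_review(users):
    """Per user: grants beyond the role baseline and any SoD conflicts."""
    findings = {}
    for name, (roles, direct) in users.items():
        extras = set(direct) - baseline(roles)
        conflicts = sod_conflicts(effective(roles, direct))
        if extras or conflicts:
            findings[name] = {"extras": sorted(extras), "sod": conflicts}
    return findings

# Constructed sample: bob kept a temporary grant from covering a warehouse shift.
USERS = {
    "alice": (["purchasing"], []),
    "bob": (["purchasing"], ["shipments.confirm_receipt"]),
    "carol": (["warehouse", "finance"], []),
}

if __name__ == "__main__":
    print(access_review(USERS))
    print(change_roles(["purchasing"], ["finance"]))
```

Only bob appears in the review output, because his leftover grant both exceeds his baseline and completes the incompatible pair. A user assigned to both the purchasing and warehouse roles would trigger the same conflict through roles alone.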

Mid-Market IGA: Mature, Efficient & Feature-Rich

With regulatory requirements and the threat of cyberattacks on the rise, more and more organizations are in urgent need of identity & access governance. Mid-market organizations in particular are the target of a growing number of regulations such as the EU’s NIS2 directive.

But there’s a problem with this growing need for identity governance: Traditional IGA solutions were not built to be used in medium-sized businesses. The enormous complexity of these enterprise-focused products makes them impossible to use effectively with smaller IT teams and limited resources. Instead, mid-sized companies need efficient IGA solutions that offer security and compliance with minimal effort.

Easy to use, efficient and feature-rich: Those are the exact advantages that helped tenfold win over the independent IGA analysts at KuppingerCole. Download the full report below for a detailed breakdown of the strengths and weaknesses of our unique, no-code solution.

Analyst Report

KuppingerCole Executive View: The Expert Opinion on tenfold

An independent report by the analyst firm KuppingerCole confirms that tenfold lives up to its goals: Principal Analyst Martin Kuppinger and his team describe tenfold as a well thought-out IAM solution tailored to the needs of mid-market organizations.

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.