Approximately one third of all identities with permissions to access network applications and data are inactive, orphaned or "ghost" accounts. These accounts may be dormant or no longer needed, but because they still exist they are a security risk. Often they belong to users who have moved to a different part of the organization or have left the company altogether; sometimes they belong to an identity whose function has ended but whose account was never closed. Threat actors prize orphaned accounts because the credentials are still valid while the chance of being caught is low: no one is paying attention to those accounts. Ghost accounts are low-hanging fruit for cybercriminals, and for both negligent and malicious insiders.
Identities, both active and inactive, need to be monitored to prevent risk, and this is best done through identity governance.
What is Identity Governance?
Identity governance is the policy-based orchestration between identity management and access control. Identity governance acts as a security function, ensuring that identities are properly and securely connected to applications, networks, data and other IT resources when needed.
Identity governance focuses on issues like managing identity roles, determining the segregation of duties of the identities, logging, and reporting. The end goal is to be able to better understand and then streamline the lifecycle management of identities, determine and then scale identity processes, and optimize overall security and compliance to reduce risk. It protects your data through access discovery, identity access, and compliance reports.
The difference between Identity Governance and Identity and Access Management (IAM)
Gartner defines IAM as “the discipline that enables the right individuals to access the right resources at the right times for the right reasons,” addressing mission-critical operations so that identities have access to the right resources.
Identity governance, according to Gartner, manages identities and access rights data. Identity governance differs from IAM by “enabling organizations to define, enforce, review and audit IAM policy, but also map IAM functions to compliance requirements and in turn audit user access to support compliance reporting,” TechTarget reported.
Identity Governance and Compliance
Modern identity governance emerged to meet regulatory compliance. Although identity governance is not required for organizations to comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the Sarbanes-Oxley Act (SOX), it can certainly help demonstrate compliance efforts during audits or if an incident does occur. An identity governance solution monitors identity access across the system to ensure sensitive data is protected from unauthorized and uncredentialed logins.
Better Data Protection through Modern Identity Governance
In any bank, there is a vault that stores money and valuable personal items of its customers. Those customers have access to their belongings within the vault, but only through a number of steps and with the aid of a trusted bank employee. The bank has a record of every person who is allowed access to the vault and tightly controls not only admittance but also exits – no one should be lingering inside without detection. The bank takes steps to make sure that only those with the proper credentials have access to those valuable assets and any unknown visitors or former employees are denied entry.
Your data should be similarly locked away, highly protected, with access given only when job functions require it. Identity governance is the key to protecting data in the following ways:
- Access discovery: Identity governance begins with a deep dive into authenticated identities throughout the company, both human and non-human, to determine whether each identity is active or inactive and which access permissions are attached to it. At the end of this step, every identity and its authentication for access should be accounted for.
- Determining the level of user access: Once it is determined what identities should be granted access, there should be rules that determine access level. Access controls can be based on a user’s role within an assigned group (IT with admin responsibilities, for example), per project requirements, discretionary permissions, or even physical access.
- Audits and reporting: Compliance reports offer a record of identities and access history, and can be referenced for any questionable activities or anomalies in network behavior.
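The three steps above (discover identities, derive their effective access, report on it) can be scripted against an identity export. The following is an added example, not code from the original article or from any identity governance product; the inventory, HR roster, role-to-permission map and 90-day dormancy threshold are constructed sample data. It flags accounts that are dormant, orphaned (no HR record for the owner) or whose owner has left, and emits a simple audit report per account.

```python
"""Access discovery over a constructed identity inventory (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold, not from the article
AS_OF = date(2024, 6, 1)             # constructed review date

# Assumed role-to-permission map (sample values)
ROLE_PERMISSIONS = {
    "it-admin": {"server:admin", "directory:write"},
    "finance": {"ledger:read", "payments:create"},
    "svc-backup": {"storage:read"},
}

# Constructed HR roster: person id -> employment status
HR_ROSTER = {"p100": "active", "p101": "active", "p102": "terminated"}


@dataclass(frozen=True)
class Identity:
    account: str
    owner: str | None            # HR person id; None for non-human identities
    roles: tuple[str, ...]
    last_login: date | None      # None means the account has never signed in
    human: bool = True


# Constructed identity export; "dave" has no HR record and has never logged in
INVENTORY = [
    Identity("alice", "p100", ("it-admin",), date(2024, 5, 30)),
    Identity("bob", "p101", ("finance",), date(2024, 1, 2)),
    Identity("carol", "p102", ("finance", "it-admin"), date(2024, 5, 1)),
    Identity("svc-backup", None, ("svc-backup",), date(2024, 5, 31), human=False),
    Identity("dave", "p999", ("it-admin",), None),
]


def permissions_for(identity: Identity) -> set[str]:
    """Effective permissions are the union of the permissions of each assigned role."""
    perms: set[str] = set()
    for role in identity.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def classify(identity: Identity, today: date) -> set[str]:
    """Return the set of findings for one identity."""
    findings: set[str] = set()
    if identity.last_login is None or today - identity.last_login > DORMANT_AFTER:
        findings.add("dormant")
    if identity.human:
        status = HR_ROSTER.get(identity.owner)
        if status is None:
            findings.add("orphaned")      # nobody in HR owns this account
        elif status != "active":
            findings.add("owner-left")    # owner off-boarded but account still exists
    return findings


def access_discovery(inventory, today: date) -> dict:
    """Build the audit report: account -> {permissions, findings}."""
    return {
        i.account: {
            "permissions": sorted(permissions_for(i)),
            "findings": sorted(classify(i, today)),
        }
        for i in inventory
    }


def report_lines(report: dict) -> list[str]:
    """Render the report as fixed-width text lines for a reviewer."""
    lines = []
    for account, entry in sorted(report.items()):
        flags = ",".join(entry["findings"]) or "ok"
        lines.append(f"{account:<12} {flags:<18} {' '.join(entry['permissions'])}")
    return lines


if __name__ == "__main__":
    for line in report_lines(access_discovery(INVENTORY, AS_OF)):
        print(line)
```

Non-human identities are skipped for the HR check because they have no person to be orphaned from; in practice each one should instead carry a named owner or team, and the report should flag service accounts that lack one.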
4 Considerations for Modern Identity Governance
Modern identity governance systems should offer the tools needed to allow companies to reduce risk and improve cybersecurity through:
- Streamlined identity lifecycle management: Human identities need to be managed from the moment the onboarding process begins until they are completely off-boarded from the organization. Non-human identities need to be accounted for as well. Modern identity governance solutions should make it easier to manage the identity lifecycle.
- Visibility: You can’t protect what you can’t see or monitor. Modern identity governance solutions should grant visibility into all identities and access, and the ability to monitor any anomalous changes.
- Separation of duties: No single person or entity should have complete control over access permissions. This could lead to potential fraud and raise questions in compliance audits. Solutions should make it easy to implement access review policies and additional checks and balances for sensitive access.
- Simplifying least privilege implementation: Modern identity governance solutions should make it simple to grant only the permissions required for a given job, to deprovision access automatically as soon as the job function ends, and to monitor for and terminate ghost accounts as quickly as possible. These measures go a long way toward reducing the risk of credential theft and account takeover.
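The separation-of-duties and least-privilege points above can be expressed as checks over the same kind of identity export. The following is an added example, not code from the article or from any product; the toxic-combination policy, role baseline, accounts and HR statuses are constructed sample data. It reports accounts holding a conflicting pair of permissions, permissions that no assigned role justifies, and it revokes and disables the accounts of owners who are no longer active, writing each revocation to an audit trail.

```python
"""Separation-of-duties, excess-permission and deprovisioning checks (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed SoD policy: pairs of permissions one identity must never hold together
TOXIC_PAIRS = [
    ("payments:create", "payments:approve"),
    ("directory:write", "audit-log:delete"),
]

# Assumed least-privilege baseline: the permissions each role is entitled to
ROLE_BASELINE = {
    "clerk": {"ledger:read", "payments:create"},
    "controller": {"ledger:read", "payments:approve"},
    "it-admin": {"directory:write"},
}

# Constructed HR statuses: owner id -> status
HR_STATUS = {"p101": "active", "p102": "terminated", "p103": "active"}


@dataclass
class Account:
    name: str
    owner: str
    roles: tuple[str, ...]
    permissions: set[str] = field(default_factory=set)
    enabled: bool = True


def sample_accounts() -> list[Account]:
    """Constructed export: carol combines two finance roles, erin holds an unjustified grant."""
    return [
        Account("bob", "p101", ("clerk",), {"ledger:read", "payments:create"}),
        Account("carol", "p102", ("clerk", "controller"),
                {"ledger:read", "payments:create", "payments:approve"}),
        Account("erin", "p103", ("it-admin",), {"directory:write", "audit-log:delete"}),
    ]


def sod_violations(accounts) -> list[tuple[str, tuple[str, str]]]:
    """Return (account, toxic pair) for every pair an enabled account holds in full."""
    hits = []
    for acct in accounts:
        if not acct.enabled:
            continue
        for a, b in TOXIC_PAIRS:
            if a in acct.permissions and b in acct.permissions:
                hits.append((acct.name, (a, b)))
    return hits


def excess_permissions(acct: Account) -> list[str]:
    """Permissions the account holds that none of its assigned roles entitles it to."""
    allowed = set().union(*(ROLE_BASELINE.get(r, set()) for r in acct.roles))
    return sorted(acct.permissions - allowed)


def deprovision(accounts, hr_status, audit_trail: list[str]) -> dict[str, list[str]]:
    """Strip and disable every enabled account whose owner is not active; log each action."""
    revoked = {}
    for acct in accounts:
        if acct.enabled and hr_status.get(acct.owner) != "active":
            revoked[acct.name] = sorted(acct.permissions)
            audit_trail.append(
                f"revoke account={acct.name} owner={acct.owner} "
                f"permissions={','.join(revoked[acct.name])}"
            )
            acct.permissions.clear()
            acct.enabled = False
    return revoked


def run_review(accounts, hr_status) -> dict:
    """Full pass: report findings, then deprovision and re-check what remains."""
    before = sod_violations(accounts)
    excess = {a.name: excess_permissions(a) for a in accounts if excess_permissions(a)}
    audit: list[str] = []
    revoked = deprovision(accounts, hr_status, audit)
    return {
        "sod_before": before,
        "excess": excess,
        "revoked": revoked,
        "sod_after": sod_violations(accounts),
        "audit": audit,
    }


if __name__ == "__main__":
    for key, value in run_review(sample_accounts(), HR_STATUS).items():
        print(f"{key}: {value}")
```

Running the review twice is safe: once an account is disabled its permissions are already empty, so it is skipped by both the SoD check and the deprovisioning loop, and no duplicate audit entries are produced.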