About the Author: ProofID




Categories: SailPoint, Blog, IGA

Whether you’re new to Identity and Access Management or need a refresh on Identity Governance and Administration, this article compares the two and also explains why they are both critical to Information Technology. Already familiar with IAM or IGA and want to know if and where you’re overspending on your IAM projects right now? Read our latest article to find out: How to know if you’re overspending on IAM solutions.


Identity and Access Management, also known as IAM, is defined by Gartner as “the discipline that enables the right individuals to access the right resources at the right times for the right reasons.” At its simplest, IAM is the management of access to systems, and in its early days it was best represented by Microsoft’s Active Directory (AD) service. AD was one of the earliest tools to keep track of access to PCs and applications, eventually expanding to cover access to mail systems and other types of IT resources.

“IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements. IAM is a crucial undertaking for any enterprise. It is increasingly business-aligned, and it requires business skills, not just technical expertise” (Gartner).

More recently, IAM has been transformed into a cloud service. The limitation of AD was that it was only available within local or protected networks. This changed as IT resources moved out of office domains into the mainstream and internet and cloud services became more prevalent. To take advantage of this shift, a new type of cloud-based IAM service appeared and immediately became popular, offered by several new cloud-based providers like Ping and Okta.

Ping and Okta are cloud IAM providers that provide this level of access control to applications and assets both on-premises in office environments and over the internet. Their service is simple to use and set up, and is delivered as a Software as a Service (SaaS) application, with the advantage that the customer does not have to install or operate it. Cloud providers have gained traction in the market by providing the same access controls as Active Directory (AD) in an easier-to-consume form that is available anywhere there is internet access. To meet the challenge, Microsoft offers its own cloud-based version of Active Directory within Azure. Amazon Web Services (AWS) also offers its own access controls, adding to the mix of choices as well as the complexity.

For highly regulated industries such as healthcare and financial services, it becomes even more important to track what users have been given access to within applications that might hold personally identifiable information (PII). Government agencies require firms to protect this information and to keep records of granting access to PII and, more importantly, of removing that access when users leave. To manage and report on this access, firms need to employ Identity Governance and Administration capabilities.


So, what is Identity Governance and Administration, or IGA? IGA is defined by Gartner as an “activity within the identity and access management function that concerns the governance and administration of a unique digital representation of a user, including all associated attributes and entitlements.” To recap, IAM grants users access to applications, and IGA tracks what users are allowed to do once they gain access to an application.

IGA is more formally defined as a superset of Identity and Access Management. Gartner further defines IGA as the “tools designed to manage digital identity and entitlements (access rights) across multiple systems and applications.”

IGA is a higher level of IAM because it provides much more granular access to applications. Once a user is in an application, IGA controls what they can execute within it. If the application is a house, IGA decides which rooms you can enter. As an example, a simple user role can only access basic functions, but an administrator role can manage the application itself. What users can do based on their role is referred to as their “entitlements.”

Once IGA is implemented, an organization can use one IGA application to control entitlements to ALL applications. Historically this was done manually; granting entitlements to applications through IGA is called “provisioning”. Similarly, the IGA product can control employee moves and removals, a capability used by compliance professionals, who are mandated by law to track which employees are allowed into which systems and to make sure permissions are removed when those employees leave.

ProofID provides a variety of identity solutions and services to meet an organization’s needs. To begin the process of setting up IAM or IGA for your IT department, or to get your stalled IAM or IGA projects up and running again, contact us.