swipe to navigate

Is access governance really distinct from identity management?

Identity management is focused on automating the lifecycle of identities and credentials as people join an organization, move through it and leave.

In most organizations, identities are created, managed and deactivated with the express purpose of playing a part in access management decisions. i.e., users are granted identities in the corporate directory, systems and applications precisely so that they can sign in, interact with applications and access data. Identities alone have limited utility -- for example in a corporate phone book.

Access management means expanding the above processes to also grant and revoke specific security entitlements. The objective is to ensure that user identities have access to exactly those processes and data which are business appropriate, that users are reliably authenticated prior to being granted access and that change history and access usage are logged, to create accountability for actions.

Access governance is the subset of access management processes which relates to ensuring compliance with security policies. i.e., are access rights appropriate, audited, transparent and consistent with business rules?

In other words, access governance can be thought of as a functional subset of access management, which is closely (perhaps inseparably) linked to identity management. That said, industry terminology is always evolving and rarely unambiguous. The common term which refers to the union of all of the above is now "Identity Governance and Administration."


Comment via LinkedIn