Identity governance and administration (IGA) is the policy-based implementation of user identity and access to ensure security and compliance across the IT environment. In IGA, the first step is to remain aware of risks and then follow the best possible practices to mitigate them by improving visibility and accountability.
But that is not enough – you need to avoid making these mistakes as well!
- Assuming that identity is just for human resources
In identity governance and administration, it is not just your employees and customers whose identities need to be considered. You need to assign a corporate identity to goods, assets, devices, software – everything you use as part of your business. It is important to define each of their identities and determine what levels of access needs to be assigned to each of them.
- Disregarding the maturity of your IGA
Before you set up a new IGA policy, you have to know where your organization currently stands. It might turn out that you are already practising different aspects of IGA, albeit indirectly. Factor in your key risk indicators (KRIs) and what you are already doing to address inconsistencies, availability, redundancies, and compliance. Use these as your foundation and build up your IGA from there.
- Being unaware of IGA solutions
Identity governance products facilitate organizations to define, enforce, review, and audit policies as well as map IAM functions to compliance requirements. A good identity governance solution comes with features like user administration, privileged identity management, role-based identity administration, entitlement management, centralized access request management, access certification, and more.
- Ignoring your IGA post setup
This goes without saying, but a number of organizations are guilty of ignoring their IGA once the initial setup is complete. You must regularly monitor, review, and refine your approach as an ongoing process. Your organization changes, grows, and evolves and so must your IGA to manage the changing key performance indicators (KPIs) and key risk indicators (KRIs.) For maximum security, expect changes and execute them periodically. Stay agile!
- Not securing unstructured data
While managing access to applications is important, it is equally important to consider the information contained in each of them. In other words, there is a lot of data within your applications – in the form of emails, presentations, audio/video recordings, photos – that is neither encrypted nor tracked. Any of this data may be sensitive – use an IGA solution to analyze this unstructured data and alert you if there is something you must remove!