RiskTech Forum

Consider Solutions: Identity and Access Governance Evolves – Best Practices for Management Consideration

Posted: 1 September 2016  |  Source: Consider Solutions


The discipline of what we today call Identity Access Governance (IAG), comprising the management of identities, the control of access to these identities and to assets, and the governance thereof, has been on the CIO agenda for 15 years.

In an industry that is renowned for acronyms, these concepts have achieved outstanding success in garnering more of them than we have seen for any other domain: IDM, IDG, IAM, IMG and IAG to name a few. This paper will concentrate on the term IAG as defined above but will also touch on Identity Management (IDM) and Identity Access Management (IAM) to add context.

During this time the number of corporate systems has exploded from on-premise to cloud, methods of access have changed to include mobile computing and bring your own device (BYOD), and remote working has become the norm. User populations are now diverse, opening up systems to subcontractors, suppliers, joint ventures and customers, as the identity scope now needs to cater not just for humans but also for things and apps. Given recent public incidents related to data loss, data loss prevention is becoming more and more associated with IDM and brings with it regulatory requirements around personally identifiable information (PII).

But IAG does not have an untarnished history. There are many examples of large-scale projects and expensive software acquisitions that have foundered and even been cancelled after many years, once it became apparent that business value had not been delivered.

With the emergence of technologies such as directory services, early IDM projects focussed on authentication, provisioning and maintenance of identities – typically user accounts of employees.

The advent of Sarbanes-Oxley and regulatory control brought an awareness that managing identity itself (‘who are you and are you who you say you are?’) was not enough. There was an obvious need to know that users were accessing only what they needed to perform their function, that this access met good compliance standards, and that it took account of the nature of the business and the concept of ‘joiners, movers and leavers’ and all that it entails for the business. This gave rise to initiatives now being termed IAM.

The new breed of corporate governance and the issue of governance of the whole process have become an essential discussion, bringing with them the need to review and recertify identities and access and resulting in the latest buzzword - IAG.

This white paper seeks to share some of the experience we have had over the past 15 years, some of the thornier challenges, insights and best practices to give you a chance of building a business case that flies and a program that delivers the expected value without too much pain!
