The New Power Couple—Identity Governance and Authorization Controls

Posted by David Lee

Identity Governance and Administration (IGA) is a powerful tool in the hands of an organization. It helps govern access, provides separation of duties for critical tasks, and even handles privileged access to ensure that only those entitled can do certain things. But there’s one big problem that identity governance doesn’t address: authorization controls. Authorization controls enable organizations to enforce policies on how entitlements are assigned across their enterprise, ensuring that only those with appropriate privileges get them.

A simple way to think about governance and authorization—having an identification badge may allow an employee to enter their work location (identity governance), but it may restrict them from entering the company’s data center (authorization control). Identity governance needs authorization controls to be complete. Without controls, governance can’t be enforced. In this example, if your badge doesn’t restrict access to the data center, there’s nothing preventing your entry. Governance ensures that you have what you’re supposed to have, and authorization controls ensure that you’re doing what you’re supposed to be doing.

Authorization controls provide a logical enforcement point for entitlement assignments specified in identity governance policies. This can be done by implementing authorization rules to determine what types of users access data and what functionality they need across the enterprise. While similar to the rules you implement in identity governance systems, the rules in governance systems are trapped in the identity governance systems and aren’t accessible at enforcement. Does this mean your identity governance system is broken? The answer is no. It does, however, suggest that you may be exposed to increased risk because entitlements can’t be enforced.

For example, if you wanted to enforce that no one but executives has access to financial data, or any information about finances, then you would implement an entitlement policy in the IGA system that ensures that only executives can be assigned the entitlements that grant access to financial data. Let’s say that those entitlements are groups within Active Directory. The first group is called Finance-All, and the second group is called C-Suite-All. The policy created in the IGA system would ensure that only executive users could be assigned the Finance-All and C-Suite-All groups, but that’s where it stops. The IGA system would not be able to enforce that rule whenever the application is accessed. Authorization controls are needed to mitigate that risk.

Without them, you still have an issue that leaves a gap in your protection.

There is a potential for the governance system and the authorization policies to be out of sync because governance systems poll the back-end applications for data and don’t control admin access to the application. In our example above, an administrator or any other application can still access the Active Directory system and make changes to the system itself. The governance system would not see these changes until its next polling event. If a change were to happen to the Active Directory account of a user in between the polling times of the governance system, then the user could be assigned improper access.

This issue can be solved by making a deeper connection between your authorization policies and your governance system. Update the authorization policy to check the user’s group memberships and to respect the identity view as reflected by the governance system. If the governance system doesn’t reflect a group membership, the governance system’s view is treated as the authoritative view for the user. Now you have complete enforcement of your policy that a user cannot access financial data unless they are an executive in the company. The governance system ensures users aren’t assigned improper access, and the updated authorization policies ensure that if a user does get assigned improper access, policy is still enforced using the attributes available from the governance system.
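The check described above can be sketched as a small policy decision function. This is an added example, not code from the article or from any IGA product: the user names, the in-memory data, the `authorize` function and the assumption that financial data requires both Finance-All and C-Suite-All are hypothetical.

```python
from dataclasses import dataclass

# Assumption: access to financial data requires both groups named in the article.
REQUIRED_GROUPS = {"financial-data": {"Finance-All", "C-Suite-All"}}

# Constructed sample: live directory view at request time (hypothetical users).
DIRECTORY_GROUPS = {
    "alice": {"Finance-All", "C-Suite-All"},
    "bob": {"Finance-All", "C-Suite-All"},  # added out of band between IGA polls
    "carol": {"Engineering-All"},
}
# Constructed sample: entitlements the governance system has approved and recorded.
IGA_ENTITLEMENTS = {
    "alice": {"Finance-All", "C-Suite-All"},
    "bob": set(),
    "carol": {"Engineering-All"},
}


@dataclass(frozen=True)
class Decision:
    permit: bool
    drift: frozenset  # groups held in the directory that governance never approved
    reason: str


def authorize(user, resource, directory=DIRECTORY_GROUPS, iga=IGA_ENTITLEMENTS):
    """Permit only when the directory and the governance view agree."""
    required = REQUIRED_GROUPS.get(resource)
    if required is None:
        return Decision(False, frozenset(), "no policy for resource")  # default deny
    live = directory.get(user, set())
    approved = iga.get(user, set())
    drift = frozenset(live - approved)
    # Governance view is authoritative: unapproved memberships do not count.
    effective = live & approved
    if required <= effective:
        return Decision(True, drift, "permit")
    if required <= live:
        return Decision(False, drift, "directory membership not reflected in governance")
    return Decision(False, drift, "missing required group")


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, authorize(name, "financial-data"))
```

A non-empty `drift` set on a denied request is also a useful signal to log, since it marks a directory change the governance system has not yet seen or never approved.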

This is just one example of the use cases that can be solved by connecting IGA systems to authorization policies. In a mature IGA deployment, typically, hundreds of hours have been spent implementing separation of duty policies, role compensation policies, and entitlement policies that govern how users can be assigned access within an environment. The return on investment from those efforts is limited if those policies can’t be enforced where they matter the most.

A best practice before deploying an authorization solution or building your own is to talk to your identity team and understand the work that’s gone into the IGA system, understand the policies, and provide complete protection for your applications and your data. IGA and authorization are a match made in heaven and ripe for integration.

David Lee

Identity Jedi, Consultant

