Identity GRC is the convergence of identity management, governance, risk, and compliance
By Frank Vukovits
09/17/2024
4min read
In most enterprises, Governance, Risk, and Compliance (GRC) programs sit in a separate part of the organization from identity management. These teams have different areas of focus, goals, and expertise. Yet, they both impact processes related to identity and access control. These functions critically depend on each other and must use information generated by the other to meet their objectives.
As identity-related risk increases, GRC and identity management teams must start to converge. Integrating processes and solutions can make these teams more efficient, improve oversight, and close gaps. In this blog, you’ll see how the emergence of a new type of solution—Identity GRC—makes this possible.
How siloed technologies cloud their similarities
To serve GRC and identity management functions, companies often deploy and manage complementary technologies.
- GRC teams typically use GRC solutions that set policies and assess risk for all scenarios – financial, legal, and security. They navigate the complex web of regulatory requirements to help companies avoid severe financial penalties and reputational damage. Despite modernization efforts, many companies are still relying on complex, monolithic GRC solutions. Access control mechanisms for compliance-driven processes such as access reviews are often not user friendly or automated functions.
- Meanwhile, identity teams have dozens of tools to manage and secure the growing number of human and machine identities operating in their environment. They attempt to gain oversight and control through Identity Governance and Administration (IGA) solutions that speed up and simplify the onboarding process for legitimate identities to primary systems.
The marketplace has become clouded with crossover functionality and terminology. (Think “permissions,” vs. “entitlements” vs. “access,” vs. “privileges.”) Often, it can be difficult to see how functionality in one system aligns with—or duplicates—functionality in another.
There is a clear business case for solution consolidation.
CISOs and CIOs are increasingly pushing for fewer security solutions to license, integrate, and maintain. Budgets are tight and organizations can’t afford to have multiple tools that do the same thing.
Users require easier tools to support the process of requesting and provisioning access to applications and devices. Today, people are spending precious time and resources duplicating efforts. Plus, when each function reports results to executives, the board, or auditors, they may present disconnected or even conflicting results, which makes it impossible for an organization to truly understand their risk exposure or prioritize actions to reduce it.
At the end of the day, CISOs, CIOs, and CFOs have a shared goal to ensure identities have access to the right resources, at the right time, to perform their job function or tasks. Simply put, all these stakeholders expect least privilege access. These executives also want tools that automate the provisioning process and supporting controls to make sure risks are mitigated or removed, before access to resources is granted.
Furthermore, they would like this functionality to exist in one place, on one platform, with risk analytics and robust dashboard reporting, all delivered through a single pane of glass.
So, which solution should dominate? GRC or IGA?
Well, both types of traditional solutions have their drawbacks.
Challenges with traditional IGA
Traditionally, identity management has focused on automating the process of provisioning identities and managing their movement – the Join, Move, Leave (JML) process. In an IGA system, identities are provisioned at the entitlement level, with little regard to the fine-grained access the provision request provides.
Also, cross-application access and risks aren’t considered as part of the provisioning process. For example, a user could be provisioned into the accounting/ERP system, and separately provisioned with access to a CRM, where cross-application access risks may reside.
While business software like ERM and CRM systems provide out-of-the-box roles to make provisioning easier for IT departments, these roles often are littered with Segregation of Duties (SoD) conflicts, which require additional analysis and consideration before provisioning. Unfortunately, companies mistakenly trust business application vendors to have SoD conflict-free roles, and they don’t do the necessary analysis themselves.
Challenges with GRC access control solutions
Access control solutions within GRC systems are designed to understand the roles, policies, and risks related to provisioning access to business applications down to the lowest securable object.
This deep security domain knowledge of business applications is critical to ensuring the right access is provisioned, at the right time, to the right data and functions, for application users. Security models, roles, SoD rulesets, and access policies are constantly changing with these applications, and keeping up with this information can prove challenging for access control management vendors. Maintenance of this functionality is challenging as well.
Introducing Identity GRC
In Identity GRC, IGA functionality is blended with GRC access control functionality, providing an end-to-end solution for provisioning identities with fine-grained access. You can set permissions to the lowest level of securable object—well past traditional entitlements—in one platform, for greater efficiency and oversight.
Combining functionality of complementary solutions into one makes sense not only from a financial perspective, but also to collapse the silos that have existed for way too long.
Combining IGA solutions with access control functionality commonly found in GRC solutions provides a structured framework that automates user access management, ensuring that permissions are aligned with job roles and responsibilities. Identity IGA ensures ALL identities have compliant access to the right resources, at the right time, to perform their intended job function or task.
With robust identity governance, you can implement policies that prevent toxic combinations of entitlements and adhere to the Principle of Least Privilege so users have only the access rights they require to do their jobs. By establishing clear access controls and maintaining an auditable trail of user activities, you can confidently demonstrate your commitment to compliance requirements such as Sarbanes-Oxley (SOX), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and many others.
As your business grows and your identity attack surface expands, Identity GRC will help you manage identity and access risks in a more preventative and automated way.
To learn more about implementing Identity GRC in your organization, download the eBook Converging Identity Security and GRC in the Modern Enterprise.