The Critical Role of Identity Governance in Achieving Zero Trust Security

Why does light IGA help enhance Zero-Trust security?

‍

Light Identity Governance and Administration (light IGA) is a streamlined approach to managing user identities and access rights within an organization. 

It focuses on automating and simplifying the processes involved in ensuring that the right individuals have the appropriate access to relevant (and authorized) resources.

By definition, light IGA embodies the principles of Zero Trust by operating under the assumption that identities may be compromised at any time.

‍

What is the difference between IGA and light IGA?

‍

Light IGA has emerged as a sub-category designed to meet the growing demand for quicker implementation and to fight the escalating issue of access sprawl. 

Additionally, it addresses the needs of SMBs with limited budgets that are eager to reduce their attack surface, as cyber risks pose a significant threat to them as well.

Traditional “full featured” IGA also helps organizations achieve zero trust. This post focuses on the light IGA feature scope as our experience at Zygon covers it.

‍

How does light IGA enhance zero trust?

‍

We came up with a list of 5 aspects of the Identity Lifecycle where IGA helps organizations enhance Zero Trust:
‍

1. Identity discovery and role management
2. User activity tracking and monitoring
3. Auditable and Approvable Access Request
4. Just-In-Time access
5. Automatic deprovisioning

‍

1/ Identity discovery and role management

‍

Continuous identity discovery limits the risk of shadow IT and fuels security teams with the data they need to oversee and secure app accesses.

Light IGA platforms can aggregate and unify this data from various sources including:

• Native integrations with Identity Providers
• Command Lined Interface (CLI) for hybrid hosting environments
• HRIS integrations
• Browser extensions

Once accessible from a single pane of glass, actions can be taken to start applying least privilege principles.

‍

For example, permissions can be assigned based on specific job functions, ensuring that users have access only to the resources necessary to perform their duties. This principle of least privilege is a cornerstone of Zero-Trust security, as it minimizes the risk of unauthorized access and potential security breaches. 

Common use case: a dynamic filter can reveal discrepancies in real time, such as identifying offboarded employees in the HR system while they still retain active licenses for certain applications.

‍

This example illustrates a basic (yet critical) view. More advanced filters can identify user roles and privileges that fail to comply with security guidelines for the Segregation of Duties (SOD).

With up-to-date data in a light IGA platform, organizations can systematically enforce these access controls, ensuring that each users’ access rights are aligned with their current role and responsibilities.

This not only enhances security by reducing the attack surface but also improves operational efficiency by streamlining access management processes such as access requests, user access reviews, provisioning and deprovisioning.

‍

By the way, the promise of automatic processes to manage joiner-mover-leaver scenarios often falls short. It typically requires SCIM-compatible applications, integration capabilities for each technology stack, and additional budget...

In this matter, we have developed an open source project called “The Auto-Provisioning Atlas”, which aims to serve as a comprehensive database of authentication and provisioning methods for cloud applications.

‍

Feel free to explore it to check if your applications support SCIM, SSO, Just-In-Time (JIT) provisioning, and deprovisioning!

‍

2/ User activity tracking and monitoring

‍

App usage tracking often has a negative reputation, as it can give the impression that a company is spying on its employees. While this concern is valid, it overlooks the true purpose and specifics of what is actually being monitored.

Security teams can restrict access to only the login information provided by their Single Sign-On (SSO) solution, a feature commonly offered by most Identity Providers (IdPs). This info can be complemented by a browser extension that has limited access to session attributes, such as session length and actions performed, which may not typically be logged.

By continuously overseeing this level of user actions and their access patterns, light IGA solutions provide organizations with the visibility needed to detect anomalies and potential security threats promptly. 

‍

This ongoing monitoring is crucial in a Zero-Trust framework, where verification is continuous and trust is never assumed. 

Here are a few examples of filters that can reveal misuse:

• Employees who haven't logged into an app for over a month
• Paid applications with very limited usage
• Access to corporate social media profiles by offboarded employees or interns
• Identities linked to prohibited tools such as file-sharing platforms, AI applications, or dating apps

‍

In case you're wondering, these examples are all based on real-life experiences. 😀

Furthermore, as users transition between roles or responsibilities within an organization, light IGA systems play a critical role in informing administrators about necessary adjustments to permissions.

This ensures that access rights are always aligned with current job functions, minimizing the risk of excessive or unnecessary access.

‍

3/ Auditable and Approvable Access Request

‍

Typically, users are reluctant to adopt a system of access request control and approval. 

Most companies have already adopted a versatile ticketing system to manage various internal processes. 

However, there are two primary challenges associated with access requests:

1. Ensuring the ticketing system is continuously updated with accurate, real-time data.
2. Maintaining comprehensive logs of information from the ticketing system to ensure auditability.

‍

Most light IGA vendors recognize this challenge and provide native bidirectional integration with many ticketing systems. 

It ensures that every task and action recorded in the ticketing system is also centralized within the IGA platform. This centralization enhances compliance and simplifies the audit process.

‍

Again, this ongoing monitoring is crucial in a Zero-Trust framework, where verification is continuous and trust is never assumed. 

Unlike legacy IGA, which embeds access request feature, light IGA integration with existing ticketing system eliminates the need for additional tools and processes for end-users.

‍

Let’s delve deeper into the identity lifecycle with two other common identity-related tasks for the IT team. 

‍

4/ Just-In-Time (JIT) Access

JIT access addresses scenarios where users need temporary elevated permissions to perform specific tasks. Instead of permanently assigning high-level access rights, which can pose significant security risks, administrators can leverage IGA solutions to implement controlled privilege elevation mechanisms.

This approach ensures that elevated permissions are granted only when necessary and for a limited duration, significantly reducing the potential attack surface and minimizing the risk of unauthorized access.

By dynamically managing access rights in this manner, light IGA not only enhances security but also aligns with the Zero-Trust principle of providing the least privilege necessary for users to accomplish their tasks.

5/ Automatic deprovisioning

‍

This automation is a cornerstone of robust identity lifecycle management, ensuring that access rights are dynamically adjusted in response to changes in user roles or employment status.

By automating these processes, light IGA significantly reduces the risk of human error, which can often lead to security vulnerabilities such as orphaned accounts or inappropriate access levels.

‍

Our experience with customers indicates that approximately 30 to 50 applications containing critical data are well-managed. They are typically secured behind a Single Sign-On (SSO) tool with “real” automated offboarding processes. 

We’d rather point out the additional 50 to 70 applications that, while known to the organization, are not subject to regular access reviews or data control measures.

‍

And beyond these, there are several hundred applications that fall into the category of shadow IT, about which very limited information is available.

Consistent and timely revocation of access rights is crucial in maintaining a secure environment, as it ensures that former employees or users with changed roles no longer retain unnecessary access to sensitive resources, thus applying zero trust principles.

‍

Conclusion

As mentioned in the introduction, light IGA embodies the principles of Zero Trust by assuming that identities may be compromised at any time.

The examples provided illustrate real-life use cases for IT and security teams in SMBs. These teams understand Zero Trust principles but struggle with implementation in the context of identity sprawl.

While traditional IGA remains a robust approach to mitigating security risks related to identity lifecycle management, it is often complex and time-consuming to implement.

Light IGA offers a complementary approach, enabling faster deployment, reduced security risks, and the implementation of Zero Trust principles in just a few days.