This content is part of the Essential Guide: Develop an IAM strategy for the mobile enterprise

How do identity governance and access management systems differ?

Identity governance and access management systems overlap naturally, but they are still distinct. Expert Matthew Pascucci explains the difference between these two aspects of IAM.

What's the difference between access management and identity governance?

Giving proper rights to data is imperative when it comes to securing sensitive information and performing access management.

Access management is the process by which a company identifies, tracks and controls which users have access to a particular system or application. Access management systems are more concerned with the assimilation of users, creating profiles and the process of controlling and streamlining the manual effort of granting users the proper access and roles. Having a process and the due diligence in place to create the roles, groups and permissions first is necessary with access management. Access management systems rely on the framework of which users have which rights and how that's accomplished.

This is somewhat different from Identity governance, in which administrators are more concerned about giving users new access to roles and alerting the security team to attempts by unauthorized users to access resources.

Identity governance relies on policies to determine if updated access is too risky for a particular user based on his previous access and behavior. These governance policies can be put into an automated workflow when a change is deemed a risk, and allows the owners of the application or the data to sign off on the update. This fixes the issue of having to recertify users annually, and takes more of an incremental approach to auditing access.

If someone accesses a system they don't have permissions for, the identity governance system can flag the access as suspicious. They can even be notified if a user is attempting to access a resource they don't have access to, or that no one in their role is attempting to access.

For instance, if a user on the engineering team is attempting to access the accounting share, this type of abnormal access should be noted and the security team alerted. This is heavily based on user behavior after roles are created and a firm understanding of what the norm is for a user or group.

These identity governance systems are also used to help automate the cleaning of user rights in systems by running analysis to determine if other users were granted similar access that was considered risky in the past. The discovery feature of these products allows administrators to get a hold of account permissions from after the system was put in place, and helps bring all the accounts into a similar governance policy.

Both access management systems and identity governance are used to protect sensitive data from being accessed without proper privileges. These two areas are tightly intertwined, and one doesn't really hit its full potential without the other.

Access management systems need to be in place first, before identity governance can be of use and, often, this is where organizations start.

With both of these processes in place, a company's data is on its way to being better protected from unauthorized use.

Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Check out more about the importance of privileged access management

Find out how organizations can benefit from identity and access management as a service

Keycloak tutorial: How to secure different application types

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing