Cyber Defense Advisors

It’s time for identity governance to go mainstream

By Microsoft Security

Identity governance is not a new concept. Traditionally tied to heavily regulated industries or high-value assets, it gives IT teams a way to understand how identities access sensitive data, applications, services, and more. However, the landscape is changing.

In recent years, governance products have evolved from on-premises software to a cloud-delivered model. Cloud delivery makes it easier for the product stack to provide capabilities such as insight into who has access to which resources and the running of access review campaigns. It also lowers the cost of implementation, which in turn lets companies extend identity governance to every area of the organization.

As with any established technology whose scope has expanded, adoption is still on the early part of the curve. Many companies are beginning to realize the benefits of widespread governance, but not everyone has taken the steps to adopt it. Read on to learn more about the new wave of identity governance and how you can implement it in your own environment.

What are the main changes we’re seeing in identity governance?

In the past, governance was viewed as the last step in a company's identity and access management journey. Because the process was time- and resource-intensive, organizations typically reserved governance for the business areas where it was deemed truly necessary. For many companies, this meant heavily regulated functions or business processes that needed to comply with industry standards or SOX (Sarbanes-Oxley Act) reporting.

However, times have changed. Identities are no longer limited to a single person performing a specific function on an easily monitored on-premises server or application. Instead, in addition to internal employees, IT and security teams need to monitor the identities of external vendors, partners, privileged users with access to sensitive applications and security software, and even non-human workload identities.

So, what does this mean for the ways organizations approach governance?

Make self-service governance your end goal

When talking about the next evolution of identity governance, it’s helpful to think about it in terms of self-service. As companies spread identity governance to more areas of the organization, IT and security teams struggle to keep pace with the scale of identity and access controls.

Instead of limiting governance to only the most necessary functions, many organizations have begun adopting a self-service model in which project managers and the people involved in the day-to-day work of a specific task or campaign oversee granting and revoking access. This enables governance to be treated as a community-enabled or delegated function rather than a top-down one.

For example, a third-party contractor may be working on multiple projects or coordinating with multiple teams from the same organization. Once their work on one project is completed, the contractor still needs access to internal systems and controls for their other engagements. This is also true when a project timeline changes, or a scope is expanded.

Rather than having to submit a change order to IT, business users and project managers can control access dynamically on their end. IT still controls who can issue entitlement changes and what criteria need to be met before access is granted, but the day-to-day review of access falls on the people most familiar with the project. This model also makes it easier for companies to align with Zero Trust principles around least-privileged access and explicit verification.
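As an added illustration of the delegated model described above (example code written for this edit, not from the original article or from any Microsoft product), the following Python sketch models IT-defined guardrails (approver roles, required attributes, a maximum grant duration) with project owners granting and revoking access per engagement inside those bounds. The contractor scenario from the text is walked through in `demo()`. All resource names, roles, identities, attributes and dates are hypothetical.

```python
"""Delegated (self-service) entitlement model. Added example; hypothetical names."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                             # employee, contractor, vendor, workload
    attributes: frozenset = frozenset()   # verified facts, e.g. {"nda", "mfa"}


@dataclass(frozen=True)
class Policy:
    """Guardrails set centrally by IT; delegated owners cannot exceed them."""
    resource: str
    approver_roles: frozenset        # roles allowed to grant this resource
    required_attributes: frozenset   # criteria every grantee must satisfy
    max_duration: timedelta          # ceiling on any single grant


@dataclass
class Grant:
    identity: Identity
    resource: str
    project: str          # grants are scoped per engagement, not per person
    granted_by: str
    expires_at: datetime


class EntitlementStore:
    def __init__(self, policies, owner_roles):
        self.policies = {p.resource: p for p in policies}
        self.owner_roles = owner_roles   # owner name -> set of roles, assigned by IT
        self.grants = []

    def grant(self, owner, identity, resource, project, duration, now):
        """Delegated grant: allowed only inside the policy IT defined."""
        policy = self.policies[resource]
        if not self.owner_roles.get(owner, set()) & policy.approver_roles:
            raise PermissionError(f"{owner} may not approve access to {resource}")
        missing = policy.required_attributes - identity.attributes
        if missing:
            raise PermissionError(f"{identity.name} lacks {sorted(missing)}")
        # Clamp, never extend: the owner can shorten a grant but not outlast the ceiling.
        g = Grant(identity, resource, project, owner, now + min(duration, policy.max_duration))
        self.grants.append(g)
        return g

    def revoke_project(self, project):
        """Closing one engagement removes only that engagement's grants."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.project != project]
        return before - len(self.grants)

    def has_access(self, identity, resource, now):
        return any(g.identity == identity and g.resource == resource and g.expires_at > now
                   for g in self.grants)

    def active_grants(self, now):
        """Input for an access review: who holds what, granted by whom, until when."""
        return [(g.identity.name, g.resource, g.project, g.granted_by, g.expires_at.date().isoformat())
                for g in self.grants if g.expires_at > now]


def demo():
    """Walk through the contractor scenario from the text; returns the observed outcomes."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for reproducibility
    store = EntitlementStore(
        policies=[
            Policy("billing-repo", frozenset({"pm-billing"}), frozenset({"nda"}), timedelta(days=30)),
            Policy("crm", frozenset({"pm-crm"}), frozenset({"nda", "mfa"}), timedelta(days=14)),
        ],
        owner_roles={"alice": {"pm-billing"}, "bob": {"pm-crm"}},
    )
    carol = Identity("carol", "contractor", frozenset({"nda", "mfa"}))
    dave = Identity("dave", "contractor", frozenset({"nda"}))   # no MFA enrolled
    out = {}
    # Owner asks for 60 days; IT's 30-day ceiling wins.
    g1 = store.grant("alice", carol, "billing-repo", "proj-billing", timedelta(days=60), now)
    out["billing_days"] = (g1.expires_at - now).days
    store.grant("bob", carol, "crm", "proj-crm", timedelta(days=7), now)
    # Delegation is scoped: alice owns billing, not CRM.
    try:
        store.grant("alice", carol, "crm", "proj-crm", timedelta(days=1), now)
        out["alice_crm"] = "granted"
    except PermissionError:
        out["alice_crm"] = "denied"
    # Criteria set by IT are enforced even when the right owner approves.
    try:
        store.grant("bob", dave, "crm", "proj-crm", timedelta(days=1), now)
        out["dave_crm"] = "granted"
    except PermissionError:
        out["dave_crm"] = "denied"
    # One engagement ends; the other continues untouched.
    out["revoked"] = store.revoke_project("proj-billing")
    out["carol_billing_after"] = store.has_access(carol, "billing-repo", now)
    out["carol_crm_after"] = store.has_access(carol, "crm", now)
    # Time-bound: without renewal the CRM grant lapses on its own.
    out["carol_crm_day8"] = store.has_access(carol, "crm", now + timedelta(days=8))
    out["review"] = store.active_grants(now)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the sketch is where the boundary sits: owners decide day to day, but the approver roles, the required attributes and the duration ceiling are data they cannot edit, and every grant carries an expiry so that access lapses unless someone who knows the project renews it. `active_grants()` is the list a review campaign would present to those owners.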

Ultimately, as identities change, so too do the ways we protect and manage them. By treating identity governance as a self-service capability, businesses can empower project managers and business users to control access as needed. This subsequently reduces the burden on IT and security teams while maintaining protection standards for the organization as a whole.

For more information on the latest trends in cybersecurity, visit Microsoft Security Insider.
