IAM and IGA: These are two sets of identity security capabilities that serve different, but complementary, functions.
- IAM focuses on enabling and managing users’ secure access to digital resources (applications, systems, and data) through authentication, single sign-on (SSO), and other capabilities related to authentication and access.
- IGA goes beyond the fundamentals of granting and managing access to 1) focus on how an organization grants access to digital resources and 2) ensure that the access that is granted is appropriate and compliant—and take action if it is not.
Basically, IAM addresses fundamental questions of who logs in, how they log in, and what they’re entitled to access once they’re logged in, while IGA is concerned with whether the access they have been granted is appropriate to their role and their assigned activities in the first place.
IAM refers to the policies and processes associated with authenticating the identity of a user (human or machine) seeking secure access to a resource or resources in an organization. The purpose of authenticating the user’s identity is 1) to confirm that the user is indeed entitled to the requested access based on their role and responsibilities and 2) to grant the access (or not grant it) accordingly.
Key IAM capabilities
IAM is all about authenticating users and giving them access to resources in a way that prioritizes both organizational security and user productivity. It has evolved over decades to simultaneously address these two areas in increasingly sophisticated ways.
- Authentication: At its most basic, authentication means a user submits a traditional set of credentials—username and password—to prove their identity. As the identity environment and the threat landscape grow in size and complexity, though, the problem of credentials being hard for users to remember and easy for bad actors to steal becomes more urgent.
- Multi-factor authentication (MFA): Adding another factor of identification, such as a biometric, raises the bar for authentication, thus improving security. This is especially useful when the additional factor isn’t burdensome. For example, a facial scan or fingerprint requires little effort on the user’s part, but makes it much harder to steal a credential.
- Single sign-on (SSO): As the number of secure resources users need to access grows, SSO enables them to access multiple applications with strong authentication at one login point, to speed and simplify the process. SSO also minimizes the attack surface by providing fewer opportunities for attackers to exploit login vulnerabilities associated with multiple logins.
- Passwordless: Passwordless authentication replaces traditional credentials with biometrics, passkeys, authenticators, and other ways to prove identity that can’t be easily stolen. They also make legitimate authentication easier by no longer requiring users to remember multiple credentials for access to a growing number of resources.
IAM critical focus: Zero Trust
Zero Trust is a security concept based on the idea of establishing trust before granting access to resources—and never assuming trust. That makes IAM foundational for organizations committed to operating a Zero Trust environment, in which identity must be proven every time someone or something seeks access.
Zero Trust environments are enabled by IAM core capabilities and practices.
- Authentication: Verifying identity with MFA and passwordless authentication
- Access: Adopting context-aware and conditional policies for granting access
- Centralization: Using SSO across applications and access environments
While IAM is mainly concerned with authenticating a user’s identity before the user is granted access, IGA focuses on governing how access is granted and to whom, and making sure it is always appropriate to the user and the situation. The overall purpose of IGA is to ensure that access rights conform to business policies, meet compliance requirements, and are consistent with security best practices.
Key IGA capabilities
While IAM is concerned with who has access to what, IGA is focused on whether that access is granted appropriately, based on factors such as a user’s role within the organization and the organization’s security and compliance policies and practices.
- Access requests and approvals: Workflow-based access provisioning in IGA environments combines automation and human engagement to rapidly and accurately qualify access requests and provision users.
- Access certification: With users’ roles and responsibilities constantly changing, identity governance requires regular access certification to validate the appropriateness of access levels. Manual efforts can’t possibly keep up with the change, making automation key.
- Role management: Creating roles for users is essential to easily ensuring they have the access to the secure resources they need to do their jobs. Strong role management is equally important, to ensure they don’t end up having excess privileges that create security risks.
- Identity lifecycle management: Changes in access are part of moving through the identity lifecycle of joining an organization, experiencing different roles, and ultimately leaving. Identity lifecycle management is essential to keeping access appropriate to the current role.
- Auditing and reporting: Taking stock of who has access to what resources is critical to complying with regulatory requirements and having visibility into access risk. Auditing and reporting are fundamental to achieving both.
IGA critical focus: Zero Trust
Zero trust operates on the assumption that trust can never exist by default, but rather must be established anytime someone or something seeks access. IGA provides the controls and governance an organization needs to continuously assess whether access is appropriate based on the level of trust in the user.
Zero Trust environments are specifically enabled by several IGA core capabilities and practices.
- Workflow-based provisioning: Using automation to ensure proper oversight of access
- Access certification: Continuously validating access and adjusting accordingly
- Role management: Recognizing and avoiding toxic combinations of access
- Identity lifecycle management: Immediately updating access when roles change or end
- Auditing and reporting: Supporting the Zero Trust principle of proving trust decisions
IGA critical focus: regulatory compliance
SOX, HIPAA, GDPR, PCI-DSS, ISO 27001IGA, and other regulations require strict access control, along with the ability to demonstrate that their control over access meets the standards established by the regulations. This kind of accountability and auditability is exactly what IGA provides.
Regulatory compliance is specifically supported by several IGA core capabilities and practices:
- Access certification: Reviewing access and showing validation of access rights
- Auditing and reporting: Meeting specific regulatory requirements for compliance evidence
- Identity lifecycle management: Maintaining correct access alignment with current roles
Both IGA and IAM are concerned with secure access to resources. But while IAM enables users to securely and conveniently access the resources they’re entitled to access, IGA considers whether they should be entitled to that access. In that context, the major differences are:
- Authentication
- Multi-factor authentication (MFA)
- Single Sign-On (SSO)
- Passwordless
- Workflow-based provisioning
- Access certification
- Role management
- Identity lifecycle management
- Auditing and reporting
- Rate of authentication success/failure
- Rate of MFA/passwordless adoption
- Average time to provision accounts
- Average time to resolve authentication issues
- Levels of system availability and uptime
- Average time to approve access requests
- Percentage of completed access reviews
- Segregation of Duties violations detected
- Number of accounts demonstrating least privilege
- Number of audit findings of issues
Goal/purpose
IAM: Enable Access
IGA: Govern Access
Main concern
IAM: Enable Access
IGA: Govern Access
Key capabilities
IAM: Enable Access
- Authentication
- Multi-factor authentication (MFA)
- Single Sign-On (SSO)
- Passwordless
IGA: Govern Access
- Workflow-based provisioning
- Access certification
- Role management
- Identity lifecycle management
- Auditing and reporting
Examples of success metrics
IAM: Enable Access
- Rate of authentication success/failure
- Rate of MFA/passwordless adoption
- Average time to provision accounts
- Average time to resolve authentication issues
- Levels of system availability and uptime
IGA: Govern Access
- Average time to approve access requests
- Percentage of completed access reviews
- Segregation of Duties violations detected
- Number of accounts demonstrating least privilege
- Number of audit findings of issues
To address the full spectrum of identity security, organizations ideally need a combination of IAM (to enable users to securely and conveniently access resources) and IGA (to ensure and demonstrate that user access to resources is appropriate and doesn’t create security risk). However, different organizations will have different requirements and resource levels that will determine how to proceed, as described in the following scenarios.
Scenario: Roll out IAM and IGA together? Yes, whenever possible.
Rolling out IAM and IGA together is almost always ideal, whether an organization is looking at a new deployment of both, or at displacing an existing IAM deployment and adding IGA as well. By deploying IGA and IAM capabilities from the same vendor, at the same time, the organization is assured of complete identity security coverage across two complementary and critical areas, without the risk of unnecessary security gaps, integration issues, or other problems that can come with a staggered deployment.
H3 Scenario: Add IGA to existing IAM deployment? Maybe.
For organizations that already have an IAM deployment that delivers everything needed to grant and manage access, it may be worth keeping that deployment in place to preserve their initial identity investment while also adding IGA. This works well if the IGA solution comes from the same vendor. Otherwise, overall administration of identity security is likely to be much more complex; integration of the two may be challenging; and there may be ongoing troubleshooting issues associated with operating disparate systems.
Scenario: Stay with IAM only? Not recommended.
It’s possible to have IAM without IGA, as some organizations consider doing because of budgetary or operational constraints. But it’s not necessarily advisable. It’s true that with IAM in place to authenticate users, there is less risk that someone who is not entitled to access will somehow get it. But that doesn’t take into account the issue of whether the access users have is the right access. This is why organizations that use IAM alone risk creating security issues from users accumulating excessive access privileges. Organizations without IGA also lack audit trails and other evidence to prove compliance under regulatory scrutiny.
Scenario: Use IGA only? Not really an option.
It doesn’t make sense to have IGA without IAM, since IGA enforcement of security policies relies on the underlying authentication and authorization mechanisms that IAM provides. In other words, without IAM, there’s nothing for IGA to build on. The only choice to be made is between IAM only or IAM and IGA together.
Identity security is the practice of protecting digital identities by verifying identities and applying access controls, with the goal of preventing unauthorized access.
Yes. IAM combines identity management and access management to secure digital identities and protect against unauthorized access to resources in digital environments.
Identity and access management, or IAM, enables the secure storage of sensitive resources and secure access to them using methods like SSO, MFA, and passwordless.
The objective of identity management is to reduce the risk of security breaches by ensuring that the right people—and only the right people—can access secure resources.
Identity management enables secure access to resources, supports regulatory compliance, and optimizes the user experience by making access both convenient and secure.
IAM focuses on who has access, i.e., authenticating users and managing user access to resources, while IGA focuses on whether a user’s access is appropriate to their role and responsibilities.