Identity Driven Governance provides great business and user value.

Challenges and threats

Over the years, many of the security risks have been identified and mitigated, but the largest remaining threat is the individuals accessing and handling your information. Many breaches occur because of flaws in access governance and careless practices. Also, privileged accounts (or administrative or highly empowered accounts) are attractive targets for attackers.

Organizations often struggle to leverage significant value from automated user account provisioning, due to the complexity of the factors influencing security requirements:

  • specific corporate compliance and/or corporate risk appetite;
  • large numbers of systems and repositories;
  • fluctuating numbers of users and accounts;
  • lack of control over accounts with elevated permissions;
  • hybrid environments with on-premises and cloud architectures;
  • (multiple) legacy Role Based Access administration tools;
  • mixed sensitivity levels of information repositories and systems.

Both this complexity and the commonly used technical approach to Identity & Access Management contribute to low confidence in implementations.


Identity Driven Governance provides the mechanisms to execute corporate-wide change, both organizational and technical. Once executed, Identity Driven Governance organizes and controls behavior (human and technical) and protects (business) information. Identity and Access Management* and Privileged Access Management* solutions are applications that verify users' identities and limit access to information and systems according to predefined role access entitlements. The governance around them maintains the required maturity level and creates awareness around information handling. Besides the increased level of information security, other benefits will be seen and felt on both business and user levels:

  • information and system access is set in minutes, not days or weeks; so new joiners will actually be up-and-running on their first day;
  • when an employee changes roles, old access rights will not be lingering around but will be revoked;
  • while administrators continue to perform their jobs, their access is diligently justified, controlled and administered;
  • regular recertification of access and role entitlements will become effective common practice;
  • flagging and reporting of unallowed access will be immediate;
  • performing system audits will become an efficient and effective process.

*Identity and Access Management (IAM) automates, monitors and controls user access to information, systems and infrastructure. Error-prone IT administrator work is eliminated, and interventions take place automatically when a breach is discovered by the system. Users' experience will improve greatly through increased operational efficiency, and audit reports and checks are performed at the press of a button.

*Privileged Access Management (PAM) restricts privileged access to vital systems to authorized users only. That access should be given only at appropriate times, only pursuant to strong authentication, and only with robust audit controls and reporting facilities in place. PAM will make it hard for attackers to expand an established beachhead by obtaining administrator privileges to additional systems. PAM requires administrators' accountability for the routine use of privileged access and, wherever possible, eliminates static, shared, and plaintext passwords, especially when they are used to sign into high-risk accounts. A PAM project will highlight the controls needed to protect these accounts, which should be prioritized via a risk-based approach.