Identity Governance

Identity Governance Goals

Where do we begin with an Identity Governance project? Often the goals have already been established by your key stakeholders before the project starts. It could be a compliance initiative aimed at meeting standards such as PCI DSS, SOX, HIPAA, or GDPR, or it may be time to rein in accumulated access permissions and reach a state of minimal necessary access (least privilege).

The ultimate goal of your Identity Governance program should be demonstrable evidence that your risks are identified and effectively managed. Here are seven comprehensive areas to consider when setting your Identity Governance goals and objectives, each supported by a real-world analogy. All of this should be managed by an Identity Governance Board within your organization.

Before we delve into the core of Identity Governance, two preliminary goals will lay a solid foundation for your success:

  1. IAM Lifecycle

  A robust Identity & Access Management (IAM) lifecycle is instrumental in ensuring day-zero (same-day) start, change, and stop of user account access. This lifecycle can be compared to the operational management of a manufacturing plant.

    • Just as new workers are trained and equipped for their specific tasks, new accounts are on-boarded and provisioned with the permissions appropriate to their job role.
    • When employees change roles, they are retrained and their equipment is modified. Similarly, accounts moving to different job responsibilities have the appropriate access added and unneeded access removed.
    • If an employee leaves, their access to the facility is revoked. Accounts whose owner enters an inactive employee status (termination, leave, retirement, other) are disabled, or their permissions are removed as necessary.

  2. Linked Accounts

  Linking all secondary and non-user accounts to specific owners will mitigate your risk of unaccounted-for access. This is akin to a rental car agency assigning each car to a specific renter for accountability.

    • Administrative accounts are identified to their specific owner, much like a rental car assigned to a customer. These accounts are processed correspondingly for lifecycle events. For instance, they are disabled when the owner's primary user account becomes inactive.
    • Service accounts must be identified and linked to a specific user/owner. When that owner leaves, the account is transferred to a new owner, similar to how a rental car transitions to another renter.
    • Privileged accounts should be individually owned and linked, or governed by a Privileged Access Management (PAM) solution, just as luxury cars require additional identification.
    • Off-premises accounts for Cloud administration follow the same requirements, akin to remote vehicle tracking.

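
The two foundational goals above, the lifecycle (joiner, mover, leaver) and linked accounts, reduce to one reconciliation: compare each account's linked owner against the HR record and emit an action. The following Python is an added illustration, not code from the original article or from any IAM product; the worker records, account names, job roles, permission names and the role-to-permission baseline are all constructed for the example.

```python
"""Constructed example: reconcile HR status against accounts and their linked
owners, producing lifecycle actions (disable, reassign, flag orphan, fix role drift)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Worker:
    worker_id: str
    status: str      # constructed HR statuses: "active", "terminated", "leave", "retired"
    job_role: str


@dataclass
class Account:
    name: str
    kind: str                  # "primary", "admin", "service" or "cloud-admin"
    owner_id: Optional[str]    # None models an account nobody has claimed
    enabled: bool = True
    permissions: frozenset = frozenset()


# Assumed baseline of what each job role should hold (constructed values).
ROLE_PERMISSIONS = {
    "ap-clerk":   frozenset({"erp.invoice.create", "erp.vendor.read"}),
    "ap-manager": frozenset({"erp.invoice.approve", "erp.vendor.read", "erp.report.read"}),
}


def reconcile(workers: List[Worker], accounts: List[Account]) -> List[Tuple[str, str, str]]:
    """Return a sorted list of (account, action, reason) tuples."""
    by_id = {w.worker_id: w for w in workers}
    actions = []
    for acct in accounts:
        owner = by_id.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            # Linked-accounts goal: every secondary account needs an accountable owner.
            actions.append((acct.name, "flag-orphan", "no linked owner"))
            continue
        if owner.status != "active":
            reason = f"owner {owner.worker_id} is {owner.status}"
            if acct.kind == "service":
                # A service account keeps a workload running; it changes hands rather than stopping.
                actions.append((acct.name, "reassign-owner", reason))
            elif acct.enabled:
                # Leaver: primary, admin and cloud-admin accounts follow the owner's status.
                actions.append((acct.name, "disable", reason))
            continue
        if acct.kind == "primary":
            # Mover: compare held permissions with the owner's current role baseline.
            baseline = ROLE_PERMISSIONS.get(owner.job_role, frozenset())
            for perm in sorted(acct.permissions - baseline):
                actions.append((acct.name, "remove-permission", perm))
            for perm in sorted(baseline - acct.permissions):
                actions.append((acct.name, "add-permission", perm))
    return sorted(actions)


# Constructed sample data: w100 has just moved from ap-clerk to ap-manager, w200 has left.
WORKERS = [
    Worker("w100", "active", "ap-manager"),
    Worker("w200", "terminated", "ap-clerk"),
]
ACCOUNTS = [
    Account("w100", "primary", "w100",
            permissions=frozenset({"erp.invoice.create", "erp.vendor.read", "erp.report.read"})),
    Account("adm-w100", "admin", "w100"),
    Account("w200", "primary", "w200",
            permissions=frozenset({"erp.invoice.create", "erp.vendor.read"})),
    Account("adm-w200", "admin", "w200"),
    Account("svc-erp-batch", "service", "w200"),
    Account("svc-backup", "service", None),
]

if __name__ == "__main__":
    for row in reconcile(WORKERS, ACCOUNTS):
        print(*row)
```

Run as a script, it reports the mover's role drift on `w100` (one permission to remove, one to add), disables both of the leaver's accounts, asks for a new owner on the service account the leaver held, and flags the service account that nobody owns. In a real deployment the action list would feed the provisioning connector and the exception queue rather than stdout.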
Once these foundational goals are addressed, you can shift from merely reviewing access to actively governing it:

Identification of Permissions

Much like product labels provide a comprehensive understanding of the product's features, effective descriptions for each permission will allow reviewers to understand what they are evaluating and make informed decisions. These permission descriptions also support role mining efforts, just as product labels help in organizing supermarket shelves.

Compliance-based Reviews - PCI DSS / SOX / HIPAA / GDPR / Other

If you hold sensitive data, akin to the contents of a bank vault, you must identify the data, its permissions, and its risk level. Administrative and privileged access to that data defines the scope of your certification reviews, just as bank vault access requires stringent scrutiny.

Roles

Roles can be likened to departments in a company, where each has distinct responsibilities. These department-like groupings of permissions simplify the review process and increase accuracy. Using roles, permissions granted outside the role are visible for scrutiny during Certification reviews, much like a worker performing duties outside their assigned department.

Risk-based Reviews

Risk-based reviews are similar to security checks at airports where individuals and their belongings are screened based on perceived risk. A risk-based approach requires upfront identification of sensitive data and access and scoring its risk level. Reviews are performed for the accounts exceeding a risk threshold, just as airport security checks are stringent for high-risk passengers.

Policies

An Identity Governance solution should incorporate the use of policies, like a country's legal system. Policies identify risk situations, such as Separation of Duties (SoD) conflicts or excessive access, and generate an Exception Review for each conflict, just as laws identify and penalize illegal activities.
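
The four governing goals above (described permissions, roles, risk-based reviews and SoD policies) can be driven from one pass over an identity's entitlements: anything outside the assigned roles, anything scoring at or above a risk threshold, anything with no description a reviewer could judge, and any SoD rule whose both sides are held becomes a review item. The Python below is an added illustration, not code from the original article or from any governance product; the entitlement catalogue, risk scores, roles, SoD rule and user identities are constructed, and the 1-to-5 risk scale and threshold of 4 are assumptions.

```python
"""Constructed example: generate certification review items from an entitlement
catalogue (with descriptions and risk scores), role definitions and SoD rules."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Entitlement:
    name: str
    description: str   # Identification-of-permissions goal: the label a reviewer sees
    risk: int          # assumed scale 1 (low) to 5 (high)


# Constructed catalogue; descriptions are what make the review decidable.
CATALOGUE: Dict[str, Entitlement] = {e.name: e for e in [
    Entitlement("erp.invoice.create", "Create vendor invoices in the ERP", 2),
    Entitlement("erp.invoice.approve", "Approve vendor invoices for payment", 4),
    Entitlement("erp.vendor.read", "Read vendor master data", 1),
    Entitlement("erp.report.read", "Run financial reports", 1),
    Entitlement("erp.admin", "ERP application administrator", 5),
]}

# Constructed role definitions (the "departments" of the analogy).
ROLES: Dict[str, Set[str]] = {
    "ap-clerk":   {"erp.invoice.create", "erp.vendor.read"},
    "ap-manager": {"erp.invoice.approve", "erp.vendor.read", "erp.report.read"},
}

# SoD rule: holding both sides at once is a conflict that needs an Exception Review.
SOD_RULES: List[Tuple[str, str, str]] = [
    ("create-and-approve-invoices", "erp.invoice.create", "erp.invoice.approve"),
]

RISK_THRESHOLD = 4   # assumed: entitlements scored at or above this are always reviewed


@dataclass
class Identity:
    user_id: str
    roles: Set[str]
    entitlements: Set[str]


def build_review_items(identity: Identity) -> List[Tuple[str, str, str, str]]:
    """Return (user, review_type, subject, detail) tuples for one identity."""
    items = []
    role_ents = set().union(*(ROLES.get(r, set()) for r in identity.roles))
    for ent in sorted(identity.entitlements):
        e = CATALOGUE.get(ent)
        label = e.description if e else "UNDESCRIBED ENTITLEMENT"
        if ent not in role_ents:
            # Roles goal: access granted outside the role is surfaced for scrutiny.
            items.append((identity.user_id, "out-of-role", ent, label))
        if e is None:
            # Identification goal: a reviewer cannot judge what has no description.
            items.append((identity.user_id, "undescribed", ent,
                          "no description in catalogue; reviewer cannot judge it"))
        elif e.risk >= RISK_THRESHOLD:
            # Risk-based goal: high-risk access is reviewed regardless of role fit.
            items.append((identity.user_id, "high-risk", ent, f"{label} (risk {e.risk})"))
    for rule, left, right in SOD_RULES:
        if left in identity.entitlements and right in identity.entitlements:
            # Policies goal: an SoD conflict raises an Exception Review.
            items.append((identity.user_id, "sod-exception", rule, f"holds both {left} and {right}"))
    return items


def run_campaign(identities: List[Identity]) -> List[Tuple[str, str, str, str]]:
    """Flatten review items for every identity in a certification campaign."""
    return [item for ident in identities for item in build_review_items(ident)]


# Constructed identities: alice holds an approval right outside her clerk role,
# bob holds an admin right outside his manager role, carol holds an undescribed one.
IDENTITIES = [
    Identity("u-alice", {"ap-clerk"}, {"erp.invoice.create", "erp.vendor.read", "erp.invoice.approve"}),
    Identity("u-bob", {"ap-manager"}, {"erp.invoice.approve", "erp.vendor.read", "erp.report.read", "erp.admin"}),
    Identity("u-carol", {"ap-clerk"}, {"erp.invoice.create", "erp.vendor.read", "legacy.x"}),
]

if __name__ == "__main__":
    for user, review_type, subject, detail in run_campaign(IDENTITIES):
        print(f"{user:8} {review_type:14} {subject:30} {detail}")
```

Note that `u-alice` produces three items from a single out-of-role entitlement: it is outside her role, it is high-risk, and combined with her clerk right it breaks the SoD rule. A reviewer sees the conflict named by policy rather than having to infer it from raw entitlement names, which is the point of describing permissions before the campaign starts.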

Implementing an Identity Governance project requires well-defined goals and objectives centered on the IAM lifecycle, linked accounts, identification of permissions, compliance-based reviews, roles, risk-based reviews, and policies. These guidelines, coupled with real-world analogies, provide a comprehensive view of the Identity Governance landscape and lay a solid foundation for a successful implementation.