How to build a scalable IGA system?

Building a Scalable Identity Governance and Access Management

An IGA system built from the components below scales across many applications, deploys quickly, and keeps governance in one place. It consists of:

  • Central Configuration Hub: A tenant acts as the central unit, managing identity workflows, policies, and credentials. It standardizes automation, governance, and auditing for all applications, providing a unified view for oversight.

  • Virtual Appliance (VA): A cloud-based VA handles downstream API calls, connecting directly to SaaS apps. It executes account provisioning and de-provisioning via APIs, manual CSV uploads, or database integrations, ensuring flexibility for diverse systems.

  • User Portals: Users, managers, and reviewers drive workflows like birthright access and certifications from the portal, while the VA operationalizes the resulting changes. For non-API systems, data is aggregated manually and change tasks are routed to app owners via integrations like Jira; every task is still tracked centrally in the tenant.

  • Connectors: These bridge the tenant to applications, enabling automation and visibility. Without them, governance becomes manual and error-prone:

    • Direct Connectors: Pre-built API connectors (e.g., for Google Workspace or AWS) aggregate account and entitlement data automatically on a schedule (e.g., every 3 hours).

    • Manual Connectors: For legacy apps, CSV or database uploads feed data to the VA for processing and task routing.

    • Schema Definition: For consistency, define per source the account attributes (username, ID), the entitlements (roles, groups), and the attribute used to correlate each account to an identity (e.g., employee ID or email).

    • Troubleshooting: Monitor VA logs for issues like aggregation failures (e.g., pagination loops) and tweak connector rules.
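To make the connector model concrete, here is an added example (not code from the original page or from any IGA product) of what the VA does during aggregation: it pulls pages from an API connector and rows from a manual CSV connector, normalizes both into one account schema, and guards against the pagination-loop failure the Troubleshooting point and the later "Edge Cases and Trade-Offs" section mention. The Account fields, the cursor-based page protocol, the sample API pages and the CSV text are all constructed assumptions.

```python
import csv
import io
from dataclasses import dataclass


class PaginationLoopError(Exception):
    """Raised when a connector hands back a page cursor it already served."""


@dataclass(frozen=True)
class Account:
    # Common schema every source is normalized into (hypothetical field names).
    source: str
    native_id: str
    username: str          # lower-cased; used to correlate the account to an identity
    entitlements: frozenset


def aggregate_api(source, fetch_page, max_pages=1000):
    """Pull every page from an API connector.

    fetch_page(cursor) returns (records, next_cursor); next_cursor None means done.
    Two failure modes are guarded: a connector that returns a cursor it already
    served (a pagination loop) and one that never terminates (max_pages).
    """
    seen_cursors = set()
    cursor = None
    accounts = []
    for _ in range(max_pages):
        records, next_cursor = fetch_page(cursor)
        accounts.extend(
            Account(source, r["id"], r["userName"].strip().lower(),
                    frozenset(r.get("groups", [])))
            for r in records
        )
        if next_cursor is None:
            return accounts
        if next_cursor in seen_cursors:
            raise PaginationLoopError(f"{source}: cursor {next_cursor!r} returned twice")
        seen_cursors.add(next_cursor)
        cursor = next_cursor
    raise PaginationLoopError(f"{source}: exceeded {max_pages} pages without finishing")


def aggregate_csv(source, text):
    """Manual connector: normalize a CSV export into the same Account schema."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Account(source, row["id"].strip(), row["username"].strip().lower(),
                frozenset(e.strip() for e in row["roles"].split(";") if e.strip()))
        for row in reader
    ]


def run_aggregation(source, fetch_page):
    """What a scheduled aggregation would call: never crash the whole run,
    return a status the VA log monitor can alert on instead."""
    try:
        return aggregate_api(source, fetch_page), "ok"
    except PaginationLoopError as exc:
        return [], f"aggregation_failed: {exc}"


# Constructed sample data standing in for a SaaS API and a legacy CSV export.
API_PAGES = {
    None: ([{"id": "u1", "userName": "Alice@Example.com", "groups": ["admins"]}], "p2"),
    "p2": ([{"id": "u2", "userName": "bob@example.com", "groups": ["staff"]}], None),
}


def good_pager(cursor):
    return API_PAGES[cursor]


def looping_pager(cursor):
    # Simulates a misconfigured connector whose cursor never advances.
    return API_PAGES[None][0], "p2"


LEGACY_CSV = """id,username,roles
9001, Carol ,reader;writer
9002,dave,
"""

if __name__ == "__main__":
    print(run_aggregation("Google Workspace", good_pager))
    print(run_aggregation("Broken Connector", looping_pager)[1])
    print(aggregate_csv("Legacy App", LEGACY_CSV))
```

The status string returned by run_aggregation is the thing to alert on: a scheduled aggregation that silently returns zero accounts is far more dangerous than one that fails loudly, because downstream reviews and terminations would be computed against an empty picture of the source.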

Automating Birthright Access

New hires need real-time, secure access to perform their roles without excess privileges. Birthright provisioning automates this process:

  • Source Integration: Connect your HR system (e.g., Workday or ADP) as the authoritative source via connectors or CSV uploads.

  • Role Mapping: Define birthright roles in the tenant based on HR attributes (e.g., department, job title); a developer might get read-only cloud access and email, while a manager gets broader permissions.

  • Automation: Workflows trigger provisioning upon identity creation, with the VA executing API calls (e.g., enabling SSO) or adding group memberships.

  • Validation: Audit logs confirm that each provisioning task completed; alerting and monitoring (e.g., integrated with SOAR tools) catch the failures.
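The role-mapping and automation steps above, as an added example that is not from the original page: HR attributes are turned into a set of birthright entitlements, the result is diffed against what aggregation shows the person already has, and the diff is routed either to VA API calls or to tickets for sources without an API. The rule set, the "Source:name" entitlement naming, the Identity fields and the list of API-capable sources are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    employee_id: str
    department: str
    job_title: str
    status: str            # "active" or "inactive", as fed from the HR source


# Entitlements are written "Source:name". Names and rules are hypothetical;
# a real tenant stores them as roles or access profiles with membership criteria.
BASE_ENTITLEMENTS = {"SSO:enabled", "Email Platform:mailbox"}
BIRTHRIGHT_RULES = [
    (lambda i: i.department == "Engineering",
     {"AWS:ReadOnlyAccess", "Collaboration Tool:engineering"}),
    (lambda i: i.department == "Engineering" and "manager" in i.job_title.lower(),
     {"AWS:PowerUserAccess", "Collaboration Tool:eng-managers"}),
    (lambda i: i.department == "Finance", {"ERP:ledger-viewer"}),
]
API_SOURCES = {"SSO", "Email Platform", "AWS", "Collaboration Tool"}  # VA can call these


def birthright_entitlements(identity):
    """Everything an identity gets purely from its HR attributes."""
    if identity.status != "active":
        return set()
    wanted = set(BASE_ENTITLEMENTS)
    for predicate, ents in BIRTHRIGHT_RULES:
        if predicate(identity):
            wanted |= ents
    return wanted


def provisioning_plan(identity, current):
    """Diff desired birthright against the aggregated account data.

    Only birthright-managed entitlements are ever revoked here, so access that
    was requested and approved separately survives a department change.
    """
    managed = set(BASE_ENTITLEMENTS).union(*(ents for _, ents in BIRTHRIGHT_RULES))
    wanted = birthright_entitlements(identity)
    grant = wanted - current
    revoke = (current & managed) - wanted
    return grant, revoke


def route_tasks(grant, revoke):
    """Turn the diff into VA API calls, or tickets for sources without an API."""
    tasks = []
    for action, ents in (("grant", grant), ("revoke", revoke)):
        for ent in sorted(ents):
            source, _, name = ent.partition(":")
            channel = "api" if source in API_SOURCES else "ticket"
            tasks.append((channel, action, source, name))
    return tasks


if __name__ == "__main__":
    new_hire = Identity("E100", "Engineering", "Software Engineer", "active")
    grant, revoke = provisioning_plan(new_hire, current=set())
    for task in route_tasks(grant, revoke):
        print(task)
```

The point of the managed-set restriction in provisioning_plan is the mover case: when someone leaves a department, its birthright roles go away, but a project entitlement they requested through an approval workflow is not birthright's to remove.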

Granular Access Control

Over-privilege is a critical security risk. Granular access control aligns with zero trust principles, reducing the attack surface:

  • Entitlement Schema: Define roles and groups per app via connectors (e.g., privileged roles vs. discretionary groups in collaboration tools).

  • RBAC Enforcement: Map entitlements to roles—data analysts might access specific cloud storage but not administrative functions.

  • Zero Trust: Require continuous authentication (e.g., MFA via push notifications) and device compliance (via MDM) before granting access.

  • Dynamic Policies: Use tenant rules to adjust access based on context, like distinguishing contractors from full-time employees.
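The four points above combine into one access decision. Here is an added example, not code from the original page, of a deny-by-default evaluator: an entitlement schema per app marks which entitlements are privileged, roles map to entitlements, and a request is allowed only if the entitlement is in the requester's roles, MFA and device compliance are satisfied, and (one hypothetical dynamic policy) contractors are kept out of privileged entitlements. The app names, role names and the contractor rule are assumptions.

```python
from dataclasses import dataclass

# Entitlement schema per app (hypothetical): entitlement name -> privileged?
ENTITLEMENT_SCHEMA = {
    "Cloud Storage": {"analytics-bucket-read": False, "storage-admin": True},
    "Collaboration Tool": {"general": False, "workspace-admin": True},
}

# RBAC: role -> entitlements written "Source:name" (hypothetical roles).
ROLES = {
    "data-analyst": {"Cloud Storage:analytics-bucket-read", "Collaboration Tool:general"},
    "platform-admin": {"Cloud Storage:storage-admin", "Collaboration Tool:workspace-admin"},
}


@dataclass(frozen=True)
class Context:
    employment_type: str     # "employee" or "contractor", from the HR source
    mfa_verified: bool       # result of the MFA step (e.g., push notification)
    device_compliant: bool   # posture signal from MDM


def is_privileged(entitlement):
    source, _, name = entitlement.partition(":")
    try:
        return ENTITLEMENT_SCHEMA[source][name]
    except KeyError:
        return None          # not in any schema: treat as unknown, never as safe


def entitlements_for(roles):
    ents = set()
    for role in roles:
        ents |= ROLES.get(role, set())
    return ents


def evaluate(roles, entitlement, ctx):
    """Return (allowed, reason). Every check must pass; the first failure wins."""
    privileged = is_privileged(entitlement)
    if privileged is None:
        return False, "unknown entitlement"
    if entitlement not in entitlements_for(roles):
        return False, "not in role"
    if not ctx.mfa_verified:
        return False, "mfa required"
    if not ctx.device_compliant:
        return False, "compliant device required"
    # Dynamic policy (hypothetical): privileged entitlements are for employees only.
    if privileged and ctx.employment_type != "employee":
        return False, "privileged access restricted to employees"
    return True, "ok"


if __name__ == "__main__":
    print(evaluate({"data-analyst"}, "Cloud Storage:analytics-bucket-read",
                   Context("employee", True, True)))
    print(evaluate({"platform-admin"}, "Cloud Storage:storage-admin",
                   Context("contractor", True, True)))
```

Returning the reason alongside the decision is deliberate: the reason string is what ends up in the audit log and in the user-facing denial, and it lets a reviewer see which layer (role, MFA, device, or policy) blocked the request.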

Periodic Access Reviews

Entitlements drift over time—ex-employees or contractors might retain access unnecessarily. Periodic reviews keep you compliant with frameworks such as SOX and SOC 2:

  • Connector Setup: Import account and entitlement data from all sources, auto-correlating accounts to identities.

  • Tagging: Flag sensitive entitlements (e.g., privileged: true, tagged for audits) for focused reviews.

  • Review Process: Automate reviews targeting specific criteria (e.g., source: "Collaboration Tool" AND privileged: true).

Approval Workflows

Balancing automation with human oversight, approvals enforce accountability:

  • Workflow Design: Configure approval steps in the tenant—managers greenlight standard access while security teams review privileged roles.

  • Integration: Sync with tools like Slack or Jira to track status.

  • Escalations: Set timeouts (e.g., 48 hours) to escalate requests that are still pending to admins.

  • Audit Trail: Log all decisions for compliance reporting.
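The workflow described in these four points, as an added example that is not code from the original page: approval steps depend on whether the entitlement is privileged, every decision is appended to an audit trail, a request with no activity for 48 hours is escalated, and self-approval is refused. The approver group names, the escalation target and the request fields are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

ESCALATION_TIMEOUT = timedelta(hours=48)   # the page's example timeout
ESCALATION_TARGET = "iga-admins"           # hypothetical admin group


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    entitlement: str
    privileged: bool
    manager: str
    submitted_at: datetime
    decisions: list = field(default_factory=list)  # audit trail: (actor, decision, at)
    escalated_to: Optional[str] = None


def required_approvers(req):
    """Standard access needs the manager; privileged access also needs security."""
    steps = [req.manager]
    if req.privileged:
        steps.append("security-team")
    return steps


def can_decide(req, approver):
    allowed = set(required_approvers(req))
    if req.escalated_to:
        allowed.add(req.escalated_to)
    # Never let the requester approve their own request, even if they are a manager.
    return approver in allowed and approver != req.requester


def status(req):
    decided = {actor: decision for actor, decision, _ in req.decisions}
    if "reject" in decided.values():
        return "rejected"
    if req.escalated_to and decided.get(req.escalated_to) == "approve":
        return "approved"            # escalation target clears the remaining steps
    if all(decided.get(a) == "approve" for a in required_approvers(req)):
        return "approved"
    return "pending"


def record_decision(req, approver, decision, at):
    if not can_decide(req, approver):
        raise PermissionError(f"{approver} may not decide {req.request_id}")
    if decision not in ("approve", "reject"):
        raise ValueError(decision)
    req.decisions.append((approver, decision, at))
    return status(req)


def last_activity(req):
    return max([req.submitted_at] + [at for _, _, at in req.decisions])


def escalate_stale(requests, now):
    """Escalate requests still pending with no activity for ESCALATION_TIMEOUT.
    The escalation itself is written to the audit trail."""
    escalated = []
    for req in requests:
        if (status(req) == "pending" and req.escalated_to is None
                and now - last_activity(req) > ESCALATION_TIMEOUT):
            req.escalated_to = ESCALATION_TARGET
            req.decisions.append(("system", "escalate", now))
            escalated.append(req.request_id)
    return escalated


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    req = AccessRequest("R2", "carol", "AWS:AdministratorAccess", True, "mgr-dan", t0)
    print(record_decision(req, "mgr-dan", "approve", t0 + timedelta(hours=2)))
    print(escalate_stale([req], t0 + timedelta(hours=51)), req.decisions)
```

Escalation is measured from the last activity rather than from submission, so a privileged request the manager approved on day one still escalates if the security team sits on it for two days.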

Swift Terminations

Prompt de-provisioning on termination prevents orphaned accounts and lingering access, especially in sensitive systems:

  • Trigger: An HRIS system signals termination (e.g., inactive status), kicking off the workflow.

  • Deprovisioning: The VA revokes access via APIs (e.g., disabling SSO, suspending accounts) or manual tasks for non-API systems.

  • Validation: After the workflow runs, query for identities that are inactive in HR but still hold an enabled account (e.g., source: "Email Platform" AND status: Inactive) and alert on any misses via SIEM.

  • Edge Cases: For role transitions (e.g., employee to contractor), retain specific access while revoking sensitive privileges.
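Here is the termination workflow and its validation as an added example (not code from the original page): an HR event produces ordered revoke tasks, a transition to contractor keeps a small retained set but always strips sensitive privileges, and a post-run check turns any still-enabled account belonging to an inactive or unknown identity into a SIEM alert. The sensitive-entitlement classification, the retained set, the event kinds and the sample identity and account records are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical classification; a real tenant would read these off entitlement tags.
SENSITIVE_PREFIXES = ("AWS:", "Legacy ERP:", "Collaboration Tool:admin")
CONTRACTOR_RETAINED = {"SSO:enabled", "Email Platform:mailbox", "Collaboration Tool:projects"}
API_SOURCES = {"SSO", "Email Platform", "AWS", "Collaboration Tool"}


@dataclass(frozen=True)
class HrEvent:
    employee_id: str
    kind: str          # "terminated" or "converted_to_contractor"


def is_sensitive(entitlement):
    return entitlement.startswith(SENSITIVE_PREFIXES)


def deprovisioning_plan(event, entitlements):
    """Ordered revoke tasks for the VA (api) or for app owners (ticket).

    Termination revokes everything. A transition to contractor keeps the
    retained set but always strips sensitive privileges.
    """
    if event.kind == "terminated":
        revoke = set(entitlements)
    elif event.kind == "converted_to_contractor":
        revoke = {e for e in entitlements if is_sensitive(e) or e not in CONTRACTOR_RETAINED}
    else:
        return []

    def priority(ent):
        # Cut privileged access first, then SSO (blocks everything federated), then the rest.
        return (0 if is_sensitive(ent) else 1 if ent.startswith("SSO:") else 2, ent)

    tasks = []
    for ent in sorted(revoke, key=priority):
        source, _, name = ent.partition(":")
        tasks.append(("api" if source in API_SOURCES else "ticket", "revoke", source, name))
    return tasks


def validate_terminations(identities, accounts):
    """Post-run check fed to the SIEM: any enabled account whose owner is
    inactive in HR, or that correlates to no identity at all, is an alert."""
    alerts = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        owner = identities.get(acct["employee_id"])
        if owner is None:
            reason = "uncorrelated"
        elif owner["status"] == "inactive":
            reason = "owner_inactive"
        else:
            continue
        alerts.append({"source": acct["source"], "account": acct["username"], "reason": reason})
    return alerts


# Constructed sample data: E1 was terminated, E9 exists in no HR record.
IDENTITIES = {"E1": {"status": "inactive"}, "E2": {"status": "active"}}
ACCOUNTS = [
    {"source": "Email Platform", "employee_id": "E1", "username": "alice", "enabled": False},
    {"source": "AWS", "employee_id": "E1", "username": "alice", "enabled": True},
    {"source": "Email Platform", "employee_id": "E2", "username": "bob", "enabled": True},
    {"source": "Legacy ERP", "employee_id": "E9", "username": "svc_reports", "enabled": True},
]

if __name__ == "__main__":
    ents = {"SSO:enabled", "Email Platform:mailbox", "AWS:AdministratorAccess",
            "Collaboration Tool:projects", "Legacy ERP:ledger-admin"}
    for task in deprovisioning_plan(HrEvent("E1", "terminated"), ents):
        print(task)
    print(validate_terminations(IDENTITIES, ACCOUNTS))
```

Two things worth noting in the output: the Legacy ERP revoke is a ticket, so the validation query is the only control that tells you whether the app owner actually acted on it, and the uncorrelated svc_reports account is flagged even though nobody was terminated, which is exactly the kind of orphan that otherwise survives every review.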

Certifications for Compliance

Periodic or event-driven certifications (e.g., role changes) reduce privilege creep:

  • Campaign Setup: Launch quarterly reviews via the tenant.

  • Review Process: Managers or app owners approve or revoke access via the portal, triggering remediation tasks (e.g., Jira tickets).

  • Reporting: Track pending actions (e.g., action: Certification AND stage: Executing) with metrics.

  • Remediation: Automate revocation for access that was denied; where a source has no API, track the manual follow-up in an external ticket until the next aggregation confirms the access is gone.
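The "Periodic Access Reviews" section and this "Certifications for Compliance" section describe one pipeline, so here is a single added example (not code from the original page) covering both: aggregated account rows are correlated to identities and tagged, a campaign is built from a criteria predicate like source: "Collaboration Tool" AND privileged: true, decisions are recorded with self-certification refused, revokes become remediation tasks, and a metrics view counts items by decision and stage. The owner and manager maps, the privileged-name rule and the sample rows are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical ownership and tagging data; a real tenant carries these as
# source owners, manager attributes and entitlement tags.
APP_OWNERS = {"Collaboration Tool": "owner-collab", "AWS": "owner-aws"}
MANAGERS = {"alice": "mgr-bob", "carol": "mgr-dan", "erin": "mgr-dan"}
API_SOURCES = {"AWS", "Collaboration Tool"}
PRIVILEGED_MARKERS = ("admin", "owner", "poweruser")


@dataclass(frozen=True)
class Entitlement:
    identity: str
    source: str
    name: str
    privileged: bool


@dataclass
class CertItem:
    entitlement: Entitlement
    reviewer: str
    decision: str = "pending"   # pending | approved | revoked
    stage: str = "review"       # review | executing | done


def tag_privileged(name):
    """Tagging step: mark an entitlement privileged by name pattern (hypothetical rule)."""
    return any(marker in name.lower() for marker in PRIVILEGED_MARKERS)


def correlate(account_rows, identities_by_email):
    """Connector setup: turn raw (source, email, entitlement) rows into tagged
    Entitlements; rows that match no identity are returned separately."""
    ents, uncorrelated = [], []
    for source, email, name in account_rows:
        identity = identities_by_email.get(email.lower())
        if identity is None:
            uncorrelated.append((source, email, name))
        else:
            ents.append(Entitlement(identity, source, name, tag_privileged(name)))
    return ents, uncorrelated


def build_campaign(entitlements, criteria):
    """criteria is a predicate over an Entitlement. Privileged items go to the
    app owner, everything else to the identity's manager."""
    items = []
    for ent in entitlements:
        if criteria(ent):
            reviewer = APP_OWNERS.get(ent.source) if ent.privileged else MANAGERS.get(ent.identity)
            items.append(CertItem(ent, reviewer or "iga-admins"))
    return items


def can_certify(item, reviewer):
    return reviewer == item.reviewer and reviewer != item.entitlement.identity


def decide(item, reviewer, decision):
    if not can_certify(item, reviewer):
        raise PermissionError(f"{reviewer} may not certify this item")
    item.decision = decision
    item.stage = "executing" if decision == "revoked" else "done"
    return item


def remediation_tasks(items):
    """Revokes still executing become VA calls, or tickets for non-API sources."""
    return [("api" if it.entitlement.source in API_SOURCES else "ticket",
             it.entitlement.identity, it.entitlement.source, it.entitlement.name)
            for it in items if it.decision == "revoked" and it.stage == "executing"]


def complete(item):
    """Called when aggregation confirms the entitlement is gone."""
    item.stage = "done"


def campaign_metrics(items):
    """Reporting: counts keyed the way the page filters, decision/stage."""
    return dict(Counter(f"{it.decision}/{it.stage}" for it in items))


# Constructed sample rows as a connector would aggregate them.
RAW_ACCOUNTS = [
    ("Collaboration Tool", "Alice@example.com", "workspace-admin"),
    ("Collaboration Tool", "carol@example.com", "marketing"),
    ("AWS", "carol@example.com", "PowerUserAccess"),
    ("Legacy ERP", "erin@example.com", "ledger-admin"),
    ("AWS", "ghost@example.com", "ReadOnlyAccess"),   # no identity behind it
]
IDENTITIES_BY_EMAIL = {"alice@example.com": "alice", "carol@example.com": "carol",
                       "erin@example.com": "erin"}
```

Uncorrelated rows are returned rather than dropped on purpose: an account with no identity behind it has no manager to review it, so it needs an owner assigned before any campaign can cover it.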

Edge Cases and Trade-Offs

No system is perfect, but here’s how to handle everyday challenges:

  • Pagination Loops: A misconfigured connector that never advances its page cursor re-reads the same page indefinitely and can overload the system. Mitigate it with pre-processing rules, page limits, and monitoring, balancing automation with stability.

  • Role Transitions: Customize workflows to preserve necessary access during shifts (e.g., employee to contractor), trading simplicity for flexibility.

  • Manual Delays: Set SLAs for non-API updates and alert on stale data, weighing flexibility against speed.

  • Vendor vs. Open-Source: Pre-built solutions offer speed and reliability but cost more; open-source has no license cost but demands development and maintenance time. Choose based on urgency and budget.
