Identity Governance and Security Automation: A Technical Framework for Enterprise Access Management

Suneel Kumar Rawat

Abstract

Enterprise landscapes need identity and access management (IAM) systems that go beyond perimeter-based authentication models. Identity governance and security automation are the converging disciplines that meet this need by enforcing least privilege, continuous verification, and policy-based runtime decisioning across distributed environments. Modern IAM products separate runtime authentication from identity lifecycle provisioning. This separation exists because governance requirements must be balanced against the need for real-time access enforcement across on-premises, cloud and hybrid deployments. Conventional role-based access control (RBAC) systems also face 'role explosion', where the number of role definitions required can exceed the number of employees. Attribute-Based Access Control (ABAC) evaluates subject attributes, object attributes, environment attributes and policy rules at access decision time, so that access can be granted or revoked dynamically rather than through predefined assignments of static roles. Identity Lifecycle Management (ILM) automates Joiner-Mover-Leaver workflows, synchronizing access entitlements with authoritative Human Resource systems. Separation of Duties prevents conflicting entitlements from being assigned to a single identity, whilst Just-in-Time Access provides time-limited elevation of privileges upon request and policy validation, in line with Zero Trust principles of assumed breach and continuous verification of every access request for resources. Policy-as-Code is a model-driven specification of IAM policies in a domain-specific language, enabling those policies to be held in source version control, specified declaratively and deployed through a CI/CD pipeline. Identity Fabric is a federated authentication and authorization architecture that spans domains using open-standards protocols.
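The abstract's core mechanisms (ABAC decisions over subject, object and environment attributes, a Separation-of-Duties check, and time-boxed Just-in-Time elevation) can be shown together in a small policy decision point. The following is an added example written for this page; it is not code from the paper or from any IAM product. The entitlement names, the SoD conflict pairs, the resource attributes and the sample identities are all constructed, and the decision order (SoD first, then environment, then subject/object rules) is one reasonable design choice rather than a prescribed one.

```python
"""Minimal ABAC decision point with SoD and JIT elevation (illustrative, constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Decision:
    allow: bool
    reason: str


# Constructed SoD matrix: entitlement pairs that must never be held by one identity.
SOD_CONFLICTS = {
    frozenset({"ap:create_vendor", "ap:approve_payment"}),
    frozenset({"hr:edit_salary", "hr:approve_salary"}),
}


def sod_violation(entitlements: set) -> frozenset | None:
    """Return the first toxic combination present in the entitlement set, or None."""
    for pair in SOD_CONFLICTS:
        if pair <= entitlements:
            return pair
    return None


def grant_jit(subject: dict, privilege: str, minutes: int, now: datetime) -> dict:
    """Return a copy of the subject with a time-limited elevation recorded.

    The grant carries an absolute expiry; nothing here is permanent."""
    elevated = dict(subject)
    jit = dict(subject.get("jit", {}))
    jit[privilege] = now + timedelta(minutes=minutes)
    elevated["jit"] = jit
    return elevated


def effective_entitlements(subject: dict, now: datetime) -> set:
    """Standing entitlements plus any JIT grants that have not yet expired."""
    ents = set(subject.get("entitlements", set()))
    for privilege, expiry in subject.get("jit", {}).items():
        if now < expiry:
            ents.add(privilege)
    return ents


def decide(subject: dict, resource: dict, environment: dict) -> Decision:
    """Evaluate one access request against constructed ABAC rules."""
    now = environment["time"]
    ents = effective_entitlements(subject, now)

    # Governance guard: a toxic combination denies regardless of any permit rule.
    conflict = sod_violation(ents)
    if conflict:
        return Decision(False, f"SoD conflict: {sorted(conflict)}")

    # Environment attribute: restricted resources only from a managed device.
    if resource["classification"] == "restricted" and not environment["device_managed"]:
        return Decision(False, "restricted resource requires a managed device")

    # Object attribute: an explicit (standing or JIT) entitlement permits access.
    if resource["required_entitlement"] in ents:
        return Decision(True, f"entitlement {resource['required_entitlement']} present")

    # Subject/object attribute match: a department may read its own internal resources.
    if (subject["department"] == resource["owner_department"]
            and resource["classification"] == "internal"):
        return Decision(True, "department ownership of internal resource")

    return Decision(False, "no matching rule")


def scenario_results() -> dict:
    """Run constructed scenarios and return the allow/deny outcome of each."""
    now = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    payments = {"classification": "restricted", "owner_department": "finance",
                "required_entitlement": "ap:approve_payment"}
    prod_deploy = {"classification": "restricted", "owner_department": "engineering",
                   "required_entitlement": "deploy:prod"}
    wiki = {"classification": "internal", "owner_department": "engineering",
            "required_entitlement": "wiki:admin"}
    managed = {"time": now, "device_managed": True}
    unmanaged = {"time": now, "device_managed": False}
    later = {"time": now + timedelta(minutes=31), "device_managed": True}

    alice = {"department": "finance", "entitlements": {"ap:create_vendor"}}
    bob = {"department": "engineering", "entitlements": set()}
    bob_jit = grant_jit(bob, "deploy:prod", minutes=30, now=now)

    return {
        "alice_no_entitlement": decide(alice, payments, managed).allow,
        # Granting approve_payment to a vendor creator trips the SoD guard.
        "alice_sod_conflict": decide(grant_jit(alice, "ap:approve_payment", 30, now),
                                     payments, managed).allow,
        "bob_no_jit": decide(bob, prod_deploy, managed).allow,
        "bob_jit_active": decide(bob_jit, prod_deploy, managed).allow,
        "bob_jit_expired": decide(bob_jit, prod_deploy, later).allow,
        "bob_jit_unmanaged_device": decide(bob_jit, prod_deploy, unmanaged).allow,
        "bob_department_internal": decide(bob, wiki, managed).allow,
    }


if __name__ == "__main__":
    for name, allowed in scenario_results().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The evaluation order matters: the SoD check runs before any permit rule so that a JIT request cannot be used to assemble a conflicting entitlement pair, and the environment check runs before the entitlement match so that a valid entitlement presented from an unmanaged device is still refused. Expiry is evaluated against the request time, so an elevation that was valid when granted is denied once its window closes without any separate revocation step.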
