But unless you truly understand what IGA is and how it fits in your identity and access management (IAM) program, you still might end up with shelfware. So let's have a little refresher.
What's the difference between IGA and IAM?
IGA and IAM are two sides of the same cybersecurity coin.
Identity and access management ensures that the right users can access the resources they need, at the right time, and for the correct reasons. It handles identity lifecycle management, controls access privileges, administers user accounts, and oversees access requests.
Identity governance is a subfield of IAM concerned with regulatory compliance. Not just identity security, but proving that all access decisions are defensible, auditable, and meets all compliance requirements.
As such, identity governance and administration is all about access policies and enforcement. When auditors come knocking, it allows you to answer questions like:
- Which users have elevated access permissions and why?
- What's your criteria for inappropriate or risky access?
- In case of security incidents and data breaches, what are your protocols for revoking user access rights? How about excessive permissions?
- How do you ensure appropriate access, especially to sensitive data?
- Who conducts user access reviews and how often?
IGA solutions are simply the software that does all that identity governance work for you.
Types of Identity Governance and Administration Solutions
Most identity governance platforms fall into two camps, and the choice fundamentally changes how your team works:
Standalone identity governance solutions
These IGA solutions run independently from whatever IT access management tool you use. For instance, you get a JSM ticket for "provision John as Backend Developer." Your team leaves JSM, logs into SailPoint or Omada, creates the user there, then returns to JSM to update the ticket.
They're great for big enterprises with dedicated identity governance departments who need every possible feature, but may be too much for most organizations.
Pros:
- Everything you could want - like role mining, advanced analytics, AI
- Tons of pre-built connectors for enterprise apps
- Handles complex regulatory compliance scenarios out of the box
Cons:
- A separate platform to maintain and update; can affect operational efficiency
- Takes longer to get integrated with your existing workflows
- More features = more expensive, but isn't necessarily better
ITSM-integrated IGA tools
Others add identity governance functionality into your existing ITSM platform, so user access requests become tickets in the system you're already using. Take Multiplier - it's an Atlassian Marketplace app built for JSM, so request, approval, and provisioning user identities all happen within your Jira instance.
Pros:
- Embeds identity governance inside your ITSM platform
- Keep your existing access management processes
- No juggling multiple systems
Cons:
- Smaller connector libraries compared to enterprise platforms
Identity Governance Deployment Models
Deployment models determine where your identity governance platform runs and who manages the underlying infrastructure:
Cloud-native IGA
The IGA system lives entirely on the vendor's servers as SaaS, like Multiplier. It sits on Atlassian's cloud and you use it through JSM. You get features like privileged access management and automated provisioning without extra overhead.
On-Premises IGA
The IGA solution gets installed on the organization's IT infrastructure and hardware. Works well for organizations with strict data residency requirements (e.g. government agencies, large financial institutions) or legacy systems that can't connect to external services.
Offers total control over compliance and security management, but resource-intensive with higher costs and maintenance requirements.
Hybrid IGA
Combines both deployment models for identity governance. Maybe your user accounts sits on local servers for compliance reasons but you manage user permissions online. Or user provisioning happens locally but reporting and analytics use cloud services.
Offers flexibility for complex compliance scenarios but seamless integration can be challenging.
What to look for in Access Governance Software
These features are what I consider the bare minimum for identity governance tools:
Identity and Access Management Automation
Automated workflows get rid of the biggest threat to identity and access management – human error.
It turns your identity governance into well-oiled machine. Secure access provisioning happens in real time, even for emergencies. Access changes are synchronized across your entire tech stack. Every user behavior is documented instantly, so security teams don't have to worry about maintaining regulatory compliance and having comprehensive visibility.
Planning to scale? Automation enables organizations to manage user access for 100 digital identities just as easily as 10 accounts.
Identity Lifecycle Management (ILM)
ILM handles the entire employee journey, from onboarding to role changes all the way to offboarding. It's the backbone of your IGA strategy.
Don't settle for solutions that take hours to provision. It should happen in minutes. And test the tricky stuff - contractors with end dates, temporary assignments, and manager changes. What happens when something breaks? Can it roll back changes automatically?
Automated Access Provisioning/Deprovisioning
Instead of creating accounts and granting permissions manually, your IGA platform should handle it for you. More importantly, it must be capable of revoking them automatically.
Check these specifics:
- Can it handle multiple users at once?
- How long does the access request process take?
- What happens when provisioning/deprovisioning fails?
- Does it support least privilege access management?
- How about things like role based access management?
If the vendor gets squirmy about any of these questions, that's a red flag.
Access Request Workflows
This is the behind-the-scenes machinery that makes IAM actually work. When someone requests access, where does that request go? Who approves it? What happens next?
Good IGA solutions route requests to the right approvers automatically. Great ones handle real-world scenarios like:
- Manager on vacation? It should re-route to a backup approver.
- If you need multiple approvals, it should manage the sequence and nudge people who are holding things up.
- Emergency after-hours access? There should be a clear break-glass procedure.
And once approved, it should trigger the actual provisioning without anyone having to do extra steps.
Self-Service Access Portals
Instead of submitting tickets for every single request and waiting around, self-service portals allow users to handle their own access needs. A good portal includes an app catalog where users can browse what's available and request access with a single click.
This catalog should be organized by category and relevance to their role. Users should immediately see what they already have and what they could request.
Automated Access Certification
These are your regular access reviews where managers verify employees still need what they have.
Your IGA tool should:
- Schedule and track these reviews automatically
- Let you set different schedules based on risk (quarterly for sensitive stuff, yearly for basic access)
- Give managers a simple "approve/revoke" interface
- Provide bulk approval options for managers with large teams
- Automatically fix issues when access is revoked
- Generate compliance reports that actually match your regulatory requirements
If the access review process takes more than 5 minutes per employee, your managers won't do it properly.
Role-Based Access Control (RBAC)
Efficient IGA categorizes access based on user roles instead of assigning individual permissions.
A simple example: Instead of manually giving each new JSM agent five separate permissions ("can view tickets," "can comment," "can access knowledge base," etc.), you assign one "Help Desk Agent" role that includes all five.
When they get promoted to "Help Desk Manager," you just swap the roles and they instantly get their new permissions.
The best IGA solutions can analyze your existing access patterns to suggest sensible roles. They should support nested roles (where specialized roles inherit permissions from basic ones) and integrate with your HR system to assign roles automatically.
Also crucial: temporary roles that expire when projects end. No more "still has access from that 2021 emergency project" that can lead to security breaches.
Segregation of Duties (SoD) Controls
SoD prevents a single person from controlling an entire business process. This exposes you to massive security risks like fraud. For example, someone who controls both password management and user access to critical data could bypass important safety checks.
Good IGA solutions automatically enforce SoD across your entire identity management system. For instance, it triggers an alert when someone gets both "JSM Change Approver" access and "Production Deployment" rights in your CI/CD pipeline.
Ask about:
- Pre-built SoD rules for common ITSM scenarios
- Cross-system conflict detection (not just within individual apps)
- The ability to set severity levels for different violations
- Support for temporary exceptions with proper documentation
This identity data control is essential for compliance requirements and prevents a single compromised account from causing serious damage.
Least Privilege Access Enforcement
Least privilege means users get only what they need, when they need it, for as long as they need it - and not a minute longer.
Features like just-in-time (JIT) access can significantly enhance security. How it works: a developer should be able to request 2-hour JSM admin access for maintenance, get approved quickly, and have that access automatically disappear when the time is up.
You also need "break glass" emergency accounts for those production incidents when normal approval chains are too slow. These accounts should be heavily monitored with alerts when they're used for maximum risk management.
The best IGA solutions also track who's actually using their elevated user access. If someone hasn't touched their GitHub admin account in 90 days, the system should flag it for review or just remove it automatically to prevent security risks.
Audit and Compliance Reporting
This one's a two-parter. First, IGA solutions must record all access requests, approvals, reviews, and provisioning actions automatically and in real time. Then generate reports for compliance frameworks like SOX, ISO, and ISO with detailed access control evidence. When it's time for an audit, you're always ready to demonstrate compliance that meet industry standards.
Integration Capabilities
This is where most IGA implementations succeed or fail. How well does it connect with your existing stack?
On the ITSM side, verify it has ready-made integrations with the platform you're using. So if that's Jira Service Management (JSM), for instance, can it provision access from your JSM tickets?
For identity providers, check if it works seamlessly with what you already use, whether that's Azure AD, Okta, Ping, or ForgeRock. Do the same for all your business apps when evaluating IGA solutions.
Embed IGA into Jira Service Management
Multiplier is an identity governance and access management platform for Jira Service Management. You can provision access, enforce least privilege, automate identity workflows, and other processes straight from your JSM portal - no separate platform needed.
Check out how you can add these features into your Jira workflows - book a spot on our calendar to schedule your demo.
You can also install Multiplier from Atlassian Marketplace and try it free for 14 days.
