As identities change, so too do the ways we protect and manage them. Discover why smart businesses are empowering project managers and business users to control access as needed. Credit: iStock/Who_I_am By Microsoft Security Identity governance is not a new concept. Traditionally tied to heavily regulated industries or high-value assets, IT teams use governance to understand how identities access sensitive data, applications, services, and more. However, the landscape is changing. In recent years, governance products have evolved from traditionally on-premises technology to a more cloud-delivered model. This enables product technology stacks to easily deliver certain capabilities--for instance, providing insight into who has access to what resources and facilitating access review campaigns. It also has the dual effect of lowering the cost of implementation, which consequently increases the scale at which companies can spread identity governance throughout all areas of the organization. As with any legacy technology that has expanded its scope, however, we're in the early stages of an upward swing. Many companies are beginning to realize the benefits of widespread governance, but not everyone has taken the steps to adopt it. Read on to learn more about the new wave of identity governance and how you can implement it in your own environment. What are the main changes we're seeing in identity governance? In the past, governance was viewed as the last step in a company's identity and access management journey. Because the process was time and resource-intensive, organizations typically reserved governance for business areas that were deemed truly necessary. For many companies, this translated into heavily regulated functions or business processes that needed to comply with industry standards or SOX (the Sarbanes-Oxley Act) reporting. However, times have changed. Identities are no longer limited to a single person performing a specific function on an easily monitored on-premises server or application. Instead, IT and security teams need to be monitoring the identities of external vendors, partners, privileged users with access to sensitive applications and security software, and even non-human workload identities in addition to internal employees. So, what does this mean for the ways organizations approach governance? Make self-service governance your end goal When talking about the next evolution of identity governance, it's helpful to think about it in terms of self-service. As companies spread identity governance to more areas of the organization, IT and security teams struggle to keep pace with the scale of identity and access controls. Instead of limiting governance to only the most necessary functions, many organizations have begun adopting a self-service model in which project managers and the people involved in the day-to-day work of a specific task or campaign oversee granting and revoking access. This enables governance to be treated as a community-enabled or delegated function rather than a top-down one. For example, a third-party contractor may be working on multiple projects or coordinating with multiple teams from the same organization. Once their work on one project is completed, the contractor still needs access to internal systems and controls for their other engagements. This is also true when a project timeline changes, or a scope is expanded. Rather than having to submit a change order to IT, business users and project managers can dynamically control access on their end. IT is still able to control who can issue entitlement changes and what criteria needs to be met in order for access to be granted, but the actual day-to-day review of access management falls on the people who are most familiar with the project. This model also enables companies to more easily align with Zero Trust principles around least-privileged access and explicit verification. Ultimately, as identities change, so too do the ways we protect and manage them. By treating identity governance as a self-service capability, businesses can empower project managers and business users to control access as needed. This subsequently reduces the burden on IT and security teams while maintaining protection standards for the organization as a whole. For more information on the latest trends in cybersecurity, visit Microsoft Security Insider. Related content brandpost 5 cyber hygiene strategies to help prevent cyber attacks By Microsoft Security Sep 14, 2023 6 mins Security brandpost Cyberthreats are taking center field Sports organizers, regional host facilities, and even event attendees face a heightened degree of cyber risk due to increasingly connected environments. Securing these environments is a top priority today. By Microsoft Security Aug 28, 2023 1 min Security brandpost From reactive to proactive: The next evolution of threat intelligence What is CTI (cyber threat intelligence)? More importantly, how can your organization take a more preemptive position in the current threat landscape? By Jason Harrison, Director of Specialist Management, Microsoft Security Aug 18, 2023 4 mins Security brandpost Securing the software supply chain one step at a time Learn what steps your developers can take to better secure software production and consumption throughout the software development lifecycle (SDLC). By Microsoft Security Aug 02, 2023 5 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe