Expanded Access Rights Management process
Expanded Access Rights Management (Expanded ARM) covers the IGA access rights management use cases that require a higher level of organizational maturity and more complex capabilities. Key use cases in this category include the management of physical access rights and the management of privileged access rights.
Physical access rights management focuses on managing and controlling access to physical assets, facilities, and resources within an organization. While basic IGA capabilities primarily deal with digital access to systems and applications, physical access rights management extends these principles to govern access to physical spaces and assets.
Here are key aspects of physical access rights management in IGA:
- Access Control Systems: Physical access rights management often involves the use of access control systems, such as electronic card readers, biometric scanners, keypads, and smart locks, to control and monitor entry to buildings, rooms, and secure areas.
- User Authentication: Similar to digital IGA, physical access management requires user authentication. Users may be required to present identification cards, enter PINs, provide biometric data (e.g., fingerprints, retina scans), or use other authentication methods to gain physical access.
- Role-Based Access: Just as in digital access management, physical access rights can be governed by role-based access control (RBAC). Different employees may have varying levels of physical access based on their job roles and responsibilities.
- Access Requests and Approvals: Organizations can implement workflows for requesting and approving physical access rights. Employees may request access to specific areas or assets, and these requests can be routed to appropriate personnel for review and approval.
- Access Revocation: When an employee's role changes, or they leave the organization, their physical access rights must be promptly updated or revoked. Automated processes can ensure that physical access is in sync with digital access changes.
- Audit and Usage Tracking: Similar to digital IGA, physical access management includes auditing and monitoring. Access logs may be used to track usage, helping with investigations, compliance, and security incident response.
- Integration: Integration between physical access control systems and digital IGA systems can provide a holistic view of user access. This allows organizations to manage both digital and physical access rights from a centralized platform.
- Compliance: Physical access rights management is critical for regulatory compliance in industries where physical security is a concern, such as healthcare, finance, and government. It helps ensure that only authorized personnel can access sensitive physical assets.
- Visitor Access: Beyond employee access, physical access management may also cover visitor management. Visitor access requests and approvals can be managed, and temporary access credentials can be issued.
- Emergency Access: In emergency situations, such as fires or natural disasters, physical access control systems may have override mechanisms to facilitate rapid evacuation or access by emergency personnel.
Physical access rights management is essential for maintaining the security and safety of an organization's physical assets and facilities. By integrating it with digital IGA practices, organizations can ensure a comprehensive and coordinated approach to access management across both digital and physical domains.
Privileged access management (PAM) is a critical component of IGA that focuses specifically on managing access to privileged accounts and systems within an organization. Privileged accounts are those with elevated permissions and access rights, often held by IT administrators, system administrators, and other personnel who require high-level access to critical systems and data. PAM in IGA aims to secure these accounts to prevent misuse, unauthorized access, and potential security breaches.
Here are key aspects of privileged access management in IGA:
- Privileged Account Identification: PAM starts by identifying and cataloging privileged accounts and systems. This includes root accounts, administrator accounts, and other accounts with elevated privileges.
- Access Control: PAM enforces strict access controls for privileged accounts, ensuring that only authorized individuals can use them. This typically involves requiring multi-factor authentication (MFA), strong passwords, and strict access policies.
- Least Privilege Principle: PAM follows the principle of least privilege, ensuring that users and systems are granted the minimum level of access necessary to perform their tasks. Unnecessary privileges are removed to limit the potential for misuse.
- Access Reviews: Periodic access reviews and certifications are conducted to verify that users with privileged access still require those rights. This helps prevent access creep or unauthorized access.
- Policy Enforcement: PAM enforces security policies, such as requiring approval for access requests, implementing segregation of duties (SoD) rules, and ensuring compliance with security regulations.
- Auditing and Reporting: Robust auditing and reporting capabilities are integral to PAM. Organizations can generate detailed reports on privileged access, including who accessed what, when, and for what purpose. These reports are essential for compliance and security audits.
Privileged access management in IGA is crucial for safeguarding an organization's most critical systems and data from insider threats, external attacks, and accidental misconfigurations. By implementing PAM practices, organizations can significantly enhance their security posture and meet regulatory compliance requirements.
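The two capabilities described above, synchronizing physical access with digital access changes and periodically reviewing privileged access, can be illustrated with one small model. This is an added Python example, not Efecte IGA code: it derives digital and physical entitlements from roles, grants and revokes both together on a joiner/mover/leaver event, and flags privileged access that no current role justifies. All role names, entitlements and users are constructed.

```python
# Added illustration, not Efecte IGA code; the roles, entitlements and users are constructed.
from dataclasses import dataclass, field
ROLE_ENTITLEMENTS = {  # each role justifies a set of digital and physical entitlements
    "sysadmin": {"digital": {"ad:domain-admins", "linux:root"}, "physical": {"door:server-room"}},
    "helpdesk": {"digital": {"ad:helpdesk"}, "physical": {"door:office"}},
    "finance": {"digital": {"erp:ledger"}, "physical": {"door:office", "door:finance-vault"}},
}
PRIVILEGED = {"ad:domain-admins", "linux:root"}  # constructed PAM scope

@dataclass
class Identity:
    user: str
    roles: set
    digital: set = field(default_factory=set)
    physical: set = field(default_factory=set)

def entitled(roles):
    """Entitlements justified by a role set, split into digital and physical."""
    digital, physical = set(), set()
    for role in roles:
        digital |= ROLE_ENTITLEMENTS[role]["digital"]
        physical |= ROLE_ENTITLEMENTS[role]["physical"]
    return digital, physical

def apply_role_change(identity, new_roles, audit):
    """Joiner/mover/leaver event: recompute entitlements from the new roles, then grant or revoke
    digital and physical access together, logging each change; an empty role set revokes all."""
    want_digital, want_physical = entitled(new_roles)
    for kind, have, want in (("digital", identity.digital, want_digital),
                             ("physical", identity.physical, want_physical)):
        for ent in sorted(have - want):
            audit.append(f"REVOKE {kind} {ent} from {identity.user}")
        for ent in sorted(want - have):
            audit.append(f"GRANT {kind} {ent} to {identity.user}")
    identity.roles, identity.digital, identity.physical = set(new_roles), want_digital, want_physical

def grant_direct(identity, entitlement, audit):
    """Out-of-role grant (e.g. a temporary project need): the access a review must catch."""
    identity.digital.add(entitlement)
    audit.append(f"GRANT digital {entitlement} to {identity.user} (direct)")

def review_privileged(identities):
    """Periodic access review: flag privileged entitlements that no current role justifies."""
    findings = []
    for ident in identities:
        justified, _ = entitled(ident.roles)
        for ent in sorted((ident.digital & PRIVILEGED) - justified):
            findings.append((ident.user, ent))
    return findings
```

The audit list is the record a certification campaign or incident investigation would consult; in a real deployment the GRANT/REVOKE entries would be pushed to the directory and the door controller rather than appended to a list.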
Efecte IGA includes the following use cases and capabilities in Expanded ARM, as shown in the figure below: manage privileged accesses, manage physical accesses, manage entitlement lifecycle, user self-registration, manage identity storage, and create & update entitlements.
