How Identity Governance complements MFA in protecting your data

By Craig Ramsay, CISSP, Omada

The benefits of well implemented multi-factor authentication (MFA) are apparent when it comes to securing user accounts and protecting against unauthorised access – weak passwords as a single factor for authentication are an open goal for bad actors to exploit. MFA provides that extra layer of security, meaning gaining unauthorised access to a user account is much more difficult.

But MFA alone is not enough to protect against common attack vectors. In this article I share my thoughts on how Identity Governance & Administration (IGA) can complement MFA as part of a wider identity-centric security strategy to protect your organisation’s data.

Identity Lifecycle Management

Identity Lifecycle Management is at the core of good Identity Governance. A key part of this is the Joiner and Mover processes – which can be augmented with role-based access control (RBAC). These processes should ensure that an identity is onboarded with the access appropriate to their new role in an organisation and that, as they move around the organisation, this access remains appropriate through recertification or policy-related access changes such as RBAC. By doing so, access granted to an identity should adhere to the concept of least privilege, thus reducing the impact of an identity’s account being compromised.

Whilst talking about the concept of least privilege it is important to consider another facet of identity-related security, Privileged Access Management (PAM). As excessive permissions allow attackers to move laterally within the network and access additional systems, ensuring privileged accounts with these permissions are subject to stricter controls mitigates this risk.

Another crucial part of Identity Lifecycle Management is a well-defined Leaver process. This should cover all access granted to an identity and revoke this access in an automated and timely manner when that identity leaves an organisation. Failure to do so can lead to user accounts remaining active after termination, leaving them vulnerable to the risk of ransomware exploitation amongst other threats.

Orphaned Account Management

Leavers are just one source of orphaned accounts though and failure to address this wider issue increases the attack surface of your organisation and the likelihood of a potential breach. Modern Identity Governance solutions should provide capabilities to identify, reconcile and where appropriate deprovision orphaned accounts. They should also enable the reassignment of ownership of accounts from leavers to avoid unnecessary orphaned accounts being created.

To make this easier, best practice when creating accounts in your target systems and applications states that you should follow standardised naming conventions that can be matched back to an attribute unique to an individual identity. Having such naming conventions in place, including conditions for non-personal accounts such as standardised prefixes, will ensure your Identity Governance solution can classify and ascertain ownership of the majority of accounts without the need for human intervention. This then allows you to focus on the smaller subset of true orphaned accounts and either find appropriate owners or deprovision accounts no longer required by means of account ownership recertifications – ultimately shrinking the attack surface of your organisation as you rid yourself of accounts no longer required.
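As an added illustration (not Omada’s code or any product’s logic) of how standardised naming conventions let a governance process classify accounts, match them to identities and isolate the true orphans for review, the following Python reconciles a constructed account list against constructed HR identities and a constructed service-account ownership register. The conventions (bare username for personal accounts, `adm-` and `svc-` prefixes) and the resulting actions are assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed sample identities as an HR feed might supply them: employee_id -> attributes.
IDENTITIES = {
    "E1001": {"username": "jsmith", "status": "active"},
    "E1002": {"username": "apatel", "status": "active"},
    "E1003": {"username": "lwong", "status": "leaver"},
}

# Constructed ownership register for non-personal (service) accounts.
SERVICE_OWNERS = {"svc-payroll": "E1002", "svc-hrsync": "E1003"}

# Assumed naming conventions: personal accounts are the bare username,
# admin accounts are "adm-<username>", service accounts are "svc-<app>".
ADMIN_RE = re.compile(r"^adm-([a-z]+)$")
SERVICE_RE = re.compile(r"^svc-([a-z0-9]+)$")

# Reverse index so an account name can be matched back to a unique identity attribute.
USERNAME_TO_ID = {v["username"]: k for k, v in IDENTITIES.items()}


def classify(account: str) -> Tuple[str, Optional[str], str]:
    """Return (kind, owner_id, action) for one target-system account name."""
    if m := ADMIN_RE.match(account):
        kind, owner = "admin", USERNAME_TO_ID.get(m.group(1))
    elif SERVICE_RE.match(account):
        kind, owner = "service", SERVICE_OWNERS.get(account)
    else:
        kind, owner = "personal", USERNAME_TO_ID.get(account)

    if owner is None:
        # Nothing matched an identity or an ownership record: a true orphan for human review.
        return kind, None, "review-orphan"
    if IDENTITIES[owner]["status"] == "leaver":
        # Owner has left: personal/admin accounts are deprovisioned,
        # service accounts need a new owner rather than removal.
        return kind, owner, "reassign" if kind == "service" else "deprovision"
    return kind, owner, "ok"


def reconcile(accounts):
    """Classify every account name; only 'review-orphan' rows need a person."""
    return {a: classify(a) for a in accounts}


if __name__ == "__main__":
    sample = ["jsmith", "adm-jsmith", "lwong", "adm-lwong", "svc-payroll", "svc-hrsync", "svc-legacy", "bob"]
    for acct, (kind, owner, action) in reconcile(sample).items():
        print(f"{acct:12} {kind:8} {owner or '-':6} {action}")
```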

Regular Recertification

In addition to account owner recertifications, other regular recertification campaigns should be scheduled as another control to ensure the concept of least privilege is being adhered to. These include but are not limited to user access recertifications, role content and membership recertifications and privileged access recertifications.

When implementing your recertification policies, it is important to take an appropriate and proportionate approach to ensure their efficacy. When complemented with Identity Lifecycle Management and RBAC, your recertification campaigns should be far more targeted in their scope. This will mean reviewers are presented with manageable recertifications focused on access assignments that really matter and provide a means of demonstrable compliance with internal and external audit requirements.


There is more to IGA and MFA when looked at individually, but let’s summarise how IGA complements MFA when protecting your data by breaking it down into two elements – likelihood and impact.

The likelihood of a user account being compromised is reduced by two things:

  • MFA providing an extra layer of security around authentication making it harder to gain unauthorised access to a user account.
  • IGA reducing the attack surface of your organisation through automated Leaver processes and strong Orphaned Account Management.

The impact of a user account being compromised is reduced by adhering to the concept of least privilege. This can be accomplished by:

  • Strong Identity Lifecycle Management around Joiners, Movers and a well-defined RBAC model – both of which are supported in modern IGA solutions.
  • Regular recertification supported by a modern IGA solution ensuring users’ access remains appropriate.
  • Considering PAM to further protect privileged accounts and access.

Protecting your organisation’s data starts with securing your identities. Providing them with security awareness training and adopting a security-conscious culture will enable them to better spot things like phishing and social engineering attempts. But in MFA and IGA solutions you have two effective weapons in your armoury that can improve your cyber defences and decrease the likelihood and impact of a data breach – use them!
