In the past 18 months, weve witnessed an incredibly tumultuous time for the global economy. As the market begins rebuilding itself, companies must also begin sorting through the implications of the shotgun mergers, massive restructuring and massive layoffs of the last few years. The economic fallout has also taken its toll on IT organizations by lowering budgets and constraining resources at the same time that operational risk factors are increasing. Corporate churn has forced IT organizations to react with haste to organizational and structural changes, making it more difficult than ever to meet stringent compliance and security requirements.
Regulations like the Sarbanes-Oxley Act (SOX), the Healthcare Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA) were put in place to protect shareholders and consumers from corporate fraud, data breaches, and violations of privacy. These laws and other similar regulations around the world require organizations to demonstrate strong data security and controls. But doing no more than whats required to pass an IT audit will not address the true risks and security requirements facing an enterprise. Effectively managing risk requires corporate diligence above and beyond regulatory compliance. Companies must achieve a level of transparency and risk management to protect against the very real security threats that exist inside their organization.
One area of particular concern to CIOs and corporate risk officers is identity management the area of IT which focuses on managing worker access to corporate resources (systems, applications and data). Achieving transparency and managing risk around identity management requires organizations to inventory, analyze and understand the access privileges granted to their workers and to be ready on demand to answer the critical question of who has access to what. Failure to effectively manage user access to sensitive resources places companies at increased risk for sabotage, insider fraud and data breaches.
Two Market Pulse surveys conducted provide some evidence that organizations are not being proactive in improving transparency and addressing these risks. According to the surveys:
- 57 percent of respondents said their companies lack the transparency needed to prevent insider threats. That is, the company would not be able to present a complete record of user access privileges for each employee within 24 hours.
- 42 percent of the companies do not have the ability to promptly remove access when a layoff occurs, even though 40 percent of the companies have recently gone through a large-scale layoff.
- Almost half the companies surveyed have failed an IT audit because of a lack of control around user access. This area is one of the most commonly found IT audit deficiencies.
- The IT respondents overwhelmingly agreed that the recession has increased their risk exposure to internal sabotage. Yet 61 percent of companies have not adjusted their policies around access control to respond to that.
- The majority of IT organizations have a risk management function, but one-third of those companies dont allocate budget or additional resources to that function. That may explain why only 14 percent of the companies surveyed believe they have adequate controls in place to address the risk of insider threats.
As global companies work to effectively address these operational risks, they should look to a rapidly emerging category of identity management called identity governance. The analyst firm Burton Group recently published a report entitled Access and Identity Governance: Leading to Transparency and Visibility? The report, authored by Gebel Gebel, describes how an access and identity governance layer has emerged to address enterprise needs for greater transparency, visibility and business controls. The Burton report is notable in that it signals the evolution of identity management tools toward business intelligence software. As Gebel puts it, new governance tools strive to become business decision support tools rather than IT consoles.
The emergence of identity governance allows organizations to transform technical identity data from across the enterprise into business-friendly information that can be used to drive governance and compliance initiatives. This centralized visibility gives executive and business users the intelligence they need to define and enforce business policy, audit and report on the effectiveness of internal controls and more effectively manage risk.
If identity governance sounds similar to BI, thats because it takes the same approach to identity data that BI vendors take to centralizing and analyzing business data. BI solutions collect data from isolated application silos into a central repository, where analytic applications process it to reveal patterns and trends. Likewise, identity governance begins by aggregating identity data from various IT resources into a central repository of normalized data. In large organizations, this repository can contain access privilege information for more than 100,000 users spanning thousands of applications, resulting in millions of entitlements. Once the data is centralized, identity governance software enables business and IT to identify risky employee populations, policy violations and inappropriate access privileges.
In a nutshell, identity governance brings three fundamental capabilities:
- A centralized data repository. Just as financial or operational data resides in disparate systems throughout a company, so does identity data. Therefore, step one of identity governance is to aggregate, correlate and normalize the data so that it can be reported on and analyzed, much like a data warehouse function in a BI system.
- Business-friendly user interface. Identity governance solutions are designed to be used by business managers and compliance/audit staff. As a result, the technology must translate technical identity data into business-relevant data so that oversight and review can easily be performed by nontechnical staff.
- Analytics and data modeling. The purpose of any BI tool is to facilitate decision-making and to provide management with knowledge of current status versus desired state. Business users should be able to scan and analyze identity data to identify and assess policy violations and risks, so that the organization can take the necessary steps to reduce those risks with highly targeted controls.
Transparency for Risk Management.
One of the key challenges of IT governance is the need to tie IT data and operations to higher-level business policies and priorities, a crucial step in measuring how well IT supports the business and manages IT-related risk. To fully support executive and business-level oversight, IT must generate performance metrics that are aligned with business objectives and can be easily understood by businesspeople.
Identity governance enables companies to identify, measure and manage the risk associated with employee access to sensitive applications and data while ensuring regulatory compliance. Identity governance also allows business and IT staff to define a top-down business model for complying with internal policies governing users and their access privileges.
Now, organizations can approach identity management as a cross-department, enterprise discipline that provides a layer of intelligence to give enterprises the business insights needed to strengthen IT controls and reduce operational risk. The better a company understands which users have access to which corporate assets, the better it can realistically understand its potential security vulnerabilities.
Register or login for access to this item and much more
All Information Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access