Ben Goodman, in an Intelligent Workload Management article, notes that there's a coming paradigm shift in the world of compliance. He talks specifically about the new trend of turning to identity management solutions for help with compliance. We heard more about this trend from Dave Kearns in his discussion on SailPoint expanding its Access Governance solutions into the Identity Management space and Courion doing the inverse.
I spoke to an analyst recently who was hoping to see additional convergence between identity management, access governance, and compliance solutions. I think we can probably all agree that it would be nice. In my opinion, we're at least a few years out from that. Not because of technology, but because we need customer demand to drive it. And this is all so confusing, I don't think many organizations have come to the Buddha-like realization of what an ideal identity and access state would look like for them.
Mr. Goodman can correct me, but I boil his point down to one easy statement:
Start with security, and compliance will follow.
I published a paper in late 2007 in which I discussed creating a Culture of Compliance leveraging frameworks for a Multi-Regulatory Approach (it's still on the NetVision site if you're interested). Essentially, I was making the same points as Goodman. Tech professionals get really wrapped around the axle on mapping specific controls to specific regulations. But that's a recipe for unnecessary cost, effort, and frustration.
If you must do mapping, map to a single framework and then show how that framework meets the requirements in the numerous regulations you may be facing. But an even better approach is to look at each of your critical systems and:
a) Secure them to satisfaction
b) Enable auditing to prove that security is real
We've gotten a lot better at part A. Security assessors can poke holes, identify weaknesses, and provide best practices to get an environment to a pretty secure state. But part B means both answering the big question, "Who has access to what?", and monitoring activity to ensure that a secure state is maintained. Even in secure, locked-down environments, someone has access to sensitive information. And that needs to be watched.
If you can quickly provide answers on part B, compliance should be easier and less costly, even without a 30-page spreadsheet showing mappings of each control to each section of every regulation.