Gartner research VP Earl Perkins posted a few days ago on the intersection of data and applications within IAG (Identity and Access Governance). I've certainly seen the same issues and we've been working with customers on these challenges quite a bit over the past six months. In fact, I authored a paper on the topic in April which is available in the STEALTHbits resource library titled Access Governance on Unstructured Data.
I hinted at the paper back in February and it was clear from the response I got that many are not willing to acknowledge a shift from the era of Identity Management to the era of Access Governance. But, I still see our current Access Governance efforts (as an industry) as analogous to what we did about a decade ago for Identity Management. Obviously, the industry remains dynamic and there's overlap but I think we have a pretty good handle on managing accounts while we're still working on the best ways to provide governance over access (whether to applications or data).
In my own phrasing (and ignoring structured and semi-structured data for the moment), the issue Earl addresses is, essentially that traditional IAM and IAG solutions are application-centric but a significant portion of enterprise data is unstructured (many estimates indicate that 80% of data is unstructured) rather than accessed and controlled via applications. IAG vendors are struggling with getting their arms around data as it sits out in the environment. And it's a hard problem.
I've been a part of two software vendors who addressed access rights to unstructured data. Neither company nailed it in the first attempt and there were challenges along the way. I've spoken with three large companies who tried to build in-house solutions for themselves. All failed and eventually sought commercial solutions. And I've spoken to IAG vendors who struggle with unstructured data solutions - even having tried popular brand name commercial solutions with unsatisfactory results. In my paper, I point out many of the challenges (platform coverage, geography, scalability, deployment, etc.) and how we've addressed them.
The one item that I'd differ on in Earl's post is that he mentions IAG vendors as looking to partner with SIEM and/or DLP solutions to address the issue. I don't think either is a good fit. SIEM is obviously event-driven and relies on logs. It may answer a piece of the question but it's not a direct fit. Even where it does provide value (who is doing what), it's data is limited to what shows up in logs, which isn't ideal for this scenario and doesn't generally enable context-based filtering.
And DLP may get much of the right information but the folks I've talked to describe it as overkill (too expensive and too difficult to deploy). Where DLP seems to shine is in the actual prevention (blocking action at the end-point or at the firewall). But for a quick, efficient scan of access rights and the ability to analyze high-risk conditions, I'm not sure you can bend DLP solutions to do what you need.
I'd love to discuss more with anyone interested. Let me know. I can also get you a copy of the paper. It's short and to-the-point, but is a good conversation starter.