Thursday, April 8

Governance: the next Era of Identity Management

Ben Goodman, in an Intelligent Workload Management article, notes that there's a coming paradigm shift in the world of compliance. He talks specifically about the new trend of turning to identity management solutions for help with compliance. We heard more about this trend from Dave Kearns in his discussion on SailPoint expanding its Access Governance solutions into the Identity Management space and Courion doing the inverse.

I spoke to an analyst recently who was hoping to see additional convergence between identity management, access governance, and compliance solutions. I think we can probably all agree that it would be nice. In my opinion, we're at least a few years out from that. Not because of technology, but because we need customer demand to drive it. And this is all so confusing that I don't think many organizations have come to the Buddha-like realization of what an ideal identity and access state would look like for them.

Mr. Goodman can correct me, but I boil his point down to one easy statement:

Start with Security, and compliance will follow.

I published a paper in late 2007 in which I discussed creating a Culture of Compliance leveraging frameworks for a Multi-Regulatory Approach (it's still on the NetVision site if you're interested). Essentially, I was making the same points as Goodman. Tech professionals get really wrapped around the axle on mapping specific controls to specific regulations. But that's a recipe for unnecessary cost, effort, and frustration.

If you must do mapping, map to a single framework and then show how that framework meets the requirements in the numerous regulations you may be facing. But an even better approach is to look at each of your critical systems and:

a) Secure them to satisfaction
b) Enable auditing to prove that security is real

We've gotten a lot better at part A. Security assessors can poke holes, identify weaknesses, and provide best practices to get an environment to a pretty secure state. But part B means both answering the big question (who has access to what?) and monitoring activity to ensure that a secure state is maintained. Even in secure, locked-down environments, someone has access to sensitive information. And that access needs to be watched.

If you can quickly provide answers on part B, compliance should be easier and less costly, even without a 30-page spreadsheet showing mappings of each control to each section of every regulation.
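As an added illustration (not code from the original post or from any product it mentions), the script below does the two things part B asks for on constructed sample data: it answers "who has access to what?" for the high-sensitivity systems, and it diffs today's entitlements against the state approved at the last access review so that drift shows up as a ranked review queue. It also carries the single-framework mapping from the previous paragraph one step further: each control is mapped once to a framework objective, the framework is mapped once to the regulation clauses in scope, and the join reveals which clauses no control reaches. All users, systems, controls, framework objectives and regulation clause identifiers are constructed placeholders, not real environments or regulations.

```python
"""Added example, not code from the original post: the two halves of "part B"
(who has access to what on critical systems, and whether the reviewed state
is being maintained), plus the single-framework control mapping from the
preceding paragraph. Every user, system, control, framework objective and
regulation clause below is constructed sample data."""

# --- constructed inventory of critical systems and their sensitivity ---------
SYSTEM_SENSITIVITY = {"payroll": "high", "hr-db": "high", "wiki": "low"}

# --- constructed entitlements: (user, system, role) --------------------------
# Approved at the last access review.
BASELINE = {
    ("alice", "payroll", "admin"),
    ("alice", "hr-db", "read"),
    ("bob", "wiki", "edit"),
    ("carol", "hr-db", "read"),
}
# Pulled from the systems today.
CURRENT = {
    ("alice", "payroll", "admin"),
    ("alice", "hr-db", "read"),
    ("bob", "wiki", "edit"),
    ("bob", "payroll", "read"),    # gained since the review
    ("dave", "hr-db", "admin"),    # not in the baseline at all
}
SEVERITY_ORDER = {"high": 0, "low": 1, "info": 2}


def who_has_access(entitlements, sensitivity="high"):
    """The report an auditor asks for: {system: {user: role}} for every
    system of the given sensitivity."""
    report = {}
    for user, system, role in sorted(entitlements):
        if SYSTEM_SENSITIVITY.get(system) == sensitivity:
            report.setdefault(system, {})[user] = role
    return report


def drift(baseline, current):
    """Set difference between the approved state and what exists now."""
    return {"added": sorted(current - baseline),
            "removed": sorted(baseline - current)}


def findings(baseline, current):
    """Turn drift into a review queue. New grants on high-sensitivity systems
    come first; removals are informational (someone may simply have left)."""
    out = []
    delta = drift(baseline, current)
    for user, system, role in delta["added"]:
        sev = SYSTEM_SENSITIVITY.get(system, "high")   # unknown system: treat as high
        out.append((sev, f"{user} gained {role} on {system} outside the approved baseline"))
    for user, system, role in delta["removed"]:
        out.append(("info", f"{user} lost {role} on {system}; confirm this was intended"))
    return sorted(out, key=lambda f: SEVERITY_ORDER.get(f[0], 0))


# --- single-framework mapping (constructed identifiers) ----------------------
# Each internal control is mapped once, to one objective in the chosen framework.
CONTROL_TO_FRAMEWORK = {
    "quarterly-access-review": "FW-ACCESS-1",
    "privileged-activity-logging": "FW-AUDIT-1",
}
# The framework is mapped once to the clauses of each regulation in scope.
FRAMEWORK_TO_REGS = {
    "FW-ACCESS-1": ["RegA-3.1", "RegB-12"],
    "FW-AUDIT-1": ["RegA-4.2", "RegC-10"],
    "FW-INCIDENT-1": ["RegB-15"],
}


def regulation_coverage(control_map, framework_map):
    """Join the two mappings so each regulation clause lists the controls that
    satisfy it, and report the clauses no control reaches (the real gaps)."""
    covered = {}
    for control, objective in control_map.items():
        for clause in framework_map.get(objective, []):
            covered.setdefault(clause, []).append(control)
    all_clauses = {c for clauses in framework_map.values() for c in clauses}
    gaps = sorted(all_clauses - covered.keys())
    return covered, gaps


if __name__ == "__main__":
    for system, users in who_has_access(CURRENT).items():
        print(system, users)
    for sev, text in findings(BASELINE, CURRENT):
        print(f"[{sev}] {text}")
    covered, gaps = regulation_coverage(CONTROL_TO_FRAMEWORK, FRAMEWORK_TO_REGS)
    print("uncovered clauses:", gaps)
```

The baseline is the artifact that makes monitoring cheap: once the reviewed state is recorded, proving that "security is real" on the next audit cycle is a set difference rather than a fresh investigation, and the same drift report doubles as the evidence for whichever regulation asks the question.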


Ben Goodman said...


Thank you for reading and referencing my blog post.

Some points:

1) Please call me Ben

2) No need to correct “Start with Security and compliance will follow”, but I think it is about more than that. It is about taking a programmatic approach to both compliance and security. Enterprises often make the mistake of thinking that being compliant will make them secure and vice versa. Unfortunately this is rarely the case. However, implementing a framework to support both compliance and security will allow the enterprise to achieve both in a scalable and sustainable manner.

3) “Chasing” individual regulations with individual tools will be painful and expensive. Implementing a framework which allows the enterprise to leverage the same work and capabilities across multiple regulations will be less costly and set the enterprise up for future growth and expansion.

4) Too often, enterprises become victims of “tools seduction”, thinking that one product or tool will make them secure or compliant. Both security and compliance require programmatic approaches that allow enterprises and organizations to layer security and toolsets while creating overarching policies that can be implemented for the good of the enterprise. Tools support and help implement programs; they are rarely the answer on their own.

5) An Identity Management system will not make an organization secure or compliant by itself, but it is becoming increasingly hard to achieve sustainable security and compliance without one. Identity Management systems need to keep up their end of the deal by integrating with compliance management frameworks and their associated content. This intelligence will soon become a requirement for Identity Management products. That is the paradigm shift I reference in my blog post.

Thanks for the coverage… I look forward to keeping up the conversation.

Matt Flynn said...

Thanks for the clarifications Ben!

Sumner said...

Very interesting blog, and comment. I agree with all these points.

I might reference an excellent framework for rationalizing controls across multiple regulations. Such a framework is really essential for helping to reduce the total effort of developing and testing controls across multiple regs.
The framework is Unified Compliance Framework (UCF), from Network Frontiers. And, no, I have no relationship at all to the company.