When it comes to identity and access governance software, businesses need to take a cue from President John F. Kennedy’s first inaugural address.
In one of the most famous lines ever uttered by an incoming president, Kennedy spoke the immortal words, "Ask not what your country can do for you; ask what you can do for your country".
For a business, this means making the first step to its success an internal one. A business needs to forge the tenets of compliance management and control for itself rather than relying upon outside sources to do it. Establishing how a business is directed and controlled — known in the business world as governance — not only must be part of the foundation of any business, but also should be one part of the foundation that can adapt with the times and technology.
Recently, Mike Small of the Information Systems Audit and Control Association (ISACA) contributed an article about a report by his association, which concluded that companies need to focus on governance first, not technology, for identity and access governance software. He notes:
"Over the past decade, there has been a tsunami of identity and access management software technology. However, many organizations have not realized the benefits because they have taken a technology-led approach rather than one based on governance".
There is both a bit of truth and a bit of short-sightedness in that statement.
What is true is that companies do need to establish their objectives for identity and access governance and that these steps fall into about a half-dozen categories, which Small defines in his article as:
- Availability — Business data and applications are available when and where they are needed.
- Integrity — Data can only be manipulated in ways that are authorized.
- Confidentiality — Data can be accessed only by authorized individuals and cannot be passed to other individuals who are not authorized.
- Privacy — Privacy laws and regulations must be observed.
- Accountability — It should be possible to hold people, organizations and systems accountable for the actions that they perform.
- Transparency — Systems and activities can be audited.
Where Small comes up short, however, is in who is responsible for identity and access management. Yes, ultimately the responsibility lies with "the owners of data and applications, and IT compliance management". However, to diminish the role technology plays in instituting the rules of governance is to ignore the complications of today’s business climate.
In today’s fast-paced business world, where employees must have immediate access to systems and assets, organizations are caught in an identity and access governance struggle between granting that access and granting too much of it. These difficulties are compounded by the need to meet compliance and identity and access governance requirements such as PCI DSS, NERC-CIP, BSA, GLBA, SOX and HIPAA, and controls such as separation of duties (SOD), among others. It has reached the point where an access governance software solution that does not take advantage of available technology can have far-reaching business and cyber security risk implications.
Instead, using the automation, rules engines, and audit controls that IAM technology provides, essential auditing tasks can be managed reliably and easily by driving access from employee attributes, set for optimum and immediate control within the identity and access management solution. The result is a streamlined, no-sweat approach to identity and access governance.
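As an added illustration (not code from this article or from any vendor's product), here is a small attribute-driven rules engine in Python: entitlements are derived from HR attributes, the separation-of-duties conflict mentioned above is checked, and every decision is written to an audit record. The employee records, rule names and entitlement strings are constructed for the example.

```python
"""Attribute-driven access governance engine (constructed example, not vendor code)."""
from datetime import datetime, timezone

# Constructed sample employee attributes, as an HR feed might supply them.
EMPLOYEES = {
    "e100": {"department": "finance", "title": "AP clerk", "status": "active", "clearance": 2},
    "e200": {"department": "finance", "title": "controller", "status": "active", "clearance": 3},
    "e300": {"department": "finance", "title": "AP clerk", "status": "terminated", "clearance": 2},
}

# Rules engine: each rule maps an attribute predicate to the entitlements it grants.
# Access follows from attributes, so an HR change alters access without a manual ticket.
RULES = [
    ("active staff",     lambda a: a["status"] == "active",                            {"email"}),
    ("finance dept",     lambda a: a["department"] == "finance",                       {"erp.read"}),
    ("AP clerk",         lambda a: a["title"] == "AP clerk",                           {"ap.create_vendor"}),
    ("payment approver", lambda a: a["title"] == "controller" and a["clearance"] >= 3, {"ap.approve_payment"}),
    ("controller",       lambda a: a["title"] == "controller",                         {"ap.create_vendor"}),
]

# Separation-of-duties control: entitlement pairs one person must never hold together.
SOD_CONFLICTS = [frozenset({"ap.create_vendor", "ap.approve_payment"})]

def derive_entitlements(attrs):
    """Evaluate every rule; a non-active employee gets nothing regardless of role."""
    if attrs["status"] != "active":
        return set()
    granted = set()
    for _name, predicate, entitlements in RULES:
        if predicate(attrs):
            granted |= entitlements
    return granted

def sod_violations(entitlements):
    """Return the SOD pairs fully present in one person's entitlement set."""
    return [pair for pair in SOD_CONFLICTS if pair <= entitlements]

def review(emp_id, audit_log):
    """Compute access for one employee and append an auditable record of the decision."""
    attrs = EMPLOYEES[emp_id]
    ents = derive_entitlements(attrs)
    violations = sod_violations(ents)
    if attrs["status"] != "active":
        action = "deprovisioned"          # terminated staff lose everything automatically
    elif violations:
        action = "flag_for_owner_review"  # data owner must resolve the SOD conflict
    else:
        action = "certified"
    record = {"time": datetime.now(timezone.utc).isoformat(), "employee": emp_id,
              "entitlements": sorted(ents), "sod_violations": [sorted(p) for p in violations],
              "action": action}
    audit_log.append(record)  # the audit trail is what makes the decision transparent
    return record

if __name__ == "__main__":
    log = []
    for emp in EMPLOYEES:
        print(review(emp, log))
```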
So, rather than treat access governance software and technology as separate entities as Small suggests, you would be best served to leverage the advantages of both and allow them to act in concert for the optimal result.