Gaining Visibility and Control with Identity Governance: A Guide to Getting Started

SailPoint Technologies

Organizations of all kinds have seen an increase in threats to their business-critical information and technology infrastructures. Some threats have come from cases of unauthorized access, abuse of privileges, or theft, alteration or deletion of proprietary data. Others have involved more extreme instances of sabotage, espionage or financial fraud. These “insider attacks” represent a real business risk that must be managed by every organization.

Enterprises are also confronted with myriad regulations like the Sarbanes-Oxley Act (SOX), the Healthcare Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA). But effectively managing risk requires corporate diligence above and beyond regulatory compliance. Companies must achieve a level of transparency and risk management to protect against the very real security threats that exist inside their organization.

Controlling access to sensitive data is one of the highest priorities for IT security teams today, especially for highly regulated organizations. Many organizations have tried to address these issues by implementing identity management solutions such as user provisioning systems, but have failed to adequately address the need for stronger auditing and internal controls. Implementing a provisioning system for the wrong purpose can be a costly mistake, because provisioning systems lack three fundamental capabilities for effective governance and risk management:

  • Cross-enterprise visibility for all high-risk applications. Many deployments of provisioning solutions are limited to a small set of applications, and as a result can only provide a limited view of identity data.
  • Business context for identity data. Because provisioning solutions were designed for IT users, their user interfaces are too complex for business users, making it nearly impossible for the business side of the organization to participate in audit and reviews of identity data.
  • A risk management approach. Provisioning solutions were designed to automate the process of adding, modifying, and deleting user accounts (improve efficiency), but they do not provide the data mining and analytics required to model and manage risk and to help organizations align controls to reduce risk.

To more effectively address the growing insider threat, organizations are turning to a new generation of identity management solutions called identity governance, which are designed to help organizations enforce and verify that the right controls are in place to meet security, regulatory and audit requirements. Identity governance enables companies to identify, measure, and manage the risk associated with employee access to sensitive applications and data while ensuring regulatory compliance. The emergence of identity governance brings a new level of transparency and manageability to identity management -- via automated controls, dashboards and reporting tools that are designed for business users as well as their technical counterparts.

Getting Started with Identity Governance

Before a company gets started with an identity governance project, IT leaders should step back and assess their most urgent issues in order to understand what they want their identity governance solution to help them achieve. Some common objectives that many organizations want to address with identity governance include:

  • Lowering the cost of compliance;
  • Addressing audit deficiencies and improving audit performance;
  • Streamlining the access change and request management process; and
  • More effectively managing risk during a merger, acquisition, divestiture or layoff.

Once it’s time to begin evaluating solutions, an organization should look at the specific attributes of various identity governance offerings and determine whether they can provide the functionality needed to accomplish those goals and whether they can deliver the business and technical benefits of true governance that the organization requires.

Finding the unique combination of risk-aware identity controls, automation of identity compliance processes, and access to personalized reporting and auditing tools will help an organization better protect its critical assets. The basic capabilities that a comprehensive identity governance solution should have are:

  1. Data aggregation and correlation: The starting point for identity governance is centralizing a company’s identity data. This process involves creating a single repository for user and access information by extracting data from the high-risk systems and applications, resolving any inconsistencies between the various data sources, and creating an enterprise-wide view.
  2. Automated access certifications: The solution should allow a company to perform automatic and regular review and validation of user access privileges across all critical resources to ensure that users have only the access they need to perform their job responsibilities, reducing overall risk and the chance of non-compliance.
  3. Policy enforcement: To be effective, an identity governance solution must identify and centrally manage access policy so that business rules such as separation-of-duty policies can be enforced across all critical resources.
  4. Role lifecycle management: The solution should automate the creation of roles that align user access control with a user’s business or job function, and manage the lifecycle of each role -- from creation and modification to approval and, when necessary, retirement.
  5. Access request management: The most innovative identity governance solutions will enable managers and end users to conveniently request new access or make changes to existing access privileges within the constraints of a pre-defined identity policy and role model, and automate the approval and review process of such requests.
  6. Risk scoring and assessment: Evaluate how (or even if) the solution can quantify risks for users and resources across the IT environment and prioritize security and compliance efforts accordingly.
  7. Reporting and analytics: To successfully integrate line-of-business managers in the governance process, a basic identity governance solution will use dashboards, reports, and ad-hoc query capabilities to improve oversight and provide evidence of the effectiveness of controls.
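To make the first six capabilities concrete, here is an added example (written for this page, not SailPoint's code or any product's API) that runs a minimal governance pass over constructed data: it aggregates account extracts from two hypothetical systems, correlates them to an HR identity feed by employee id and then by email, flags orphan and terminated-but-active accounts, checks a separation-of-duty policy, computes a simple additive risk score, and groups the findings into certification items per manager. All identities, accounts, entitlement names, policy pairs and risk weights are invented for illustration.

```python
"""Added example (not SailPoint's code): a minimal identity-governance pass over
constructed extracts. Steps: aggregate accounts, correlate them to identities,
flag orphans and terminated-but-active accounts, check a separation-of-duty (SoD)
policy, score risk, and build per-manager certification items."""
from collections import defaultdict

# Constructed HR feed: the authoritative identity source (hypothetical data).
IDENTITIES = {
    "E100": {"name": "Ana Ruiz", "email": "ana.ruiz@example.com", "manager": "E001", "status": "active"},
    "E101": {"name": "Bo Chen", "email": "bo.chen@example.com", "manager": "E001", "status": "active"},
    "E102": {"name": "Cy Dale", "email": "cy.dale@example.com", "manager": "E002", "status": "terminated"},
}

# Constructed account extracts from two target systems. Each system exposes a
# different correlation attribute, which is the usual inconsistency to resolve.
ACCOUNTS = [
    {"system": "erp", "account": "aruiz", "employee_id": "E100", "email": None,
     "entitlements": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}},
    {"system": "erp", "account": "bchen", "employee_id": "E101", "email": None,
     "entitlements": {"AP_CREATE_VENDOR"}},
    {"system": "directory", "account": "bo.chen", "employee_id": None,
     "email": "Bo.Chen@example.com", "entitlements": {"DOMAIN_USERS"}},
    {"system": "directory", "account": "cy.dale", "employee_id": None,
     "email": "cy.dale@example.com", "entitlements": {"DOMAIN_ADMINS"}},
    {"system": "directory", "account": "svc_backup", "employee_id": None,
     "email": None, "entitlements": {"DOMAIN_ADMINS"}},
]

# SoD policy: pairs of entitlements one person must not hold at the same time.
SOD_POLICY = [("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT")]

# Risk weights (hypothetical; a real model is tuned per organization).
ENTITLEMENT_RISK = {"DOMAIN_ADMINS": 8, "AP_APPROVE_PAYMENT": 5, "AP_CREATE_VENDOR": 3, "DOMAIN_USERS": 0}
ORPHAN_RISK = 6          # account with no owning identity
TERMINATED_RISK = 10     # account still enabled for a terminated identity
SOD_RISK = 7             # per SoD violation

def correlate(identities, accounts):
    """Attach each account to an identity by employee id, then by email (case-insensitive)."""
    by_email = {v["email"].lower(): k for k, v in identities.items()}
    for acct in accounts:
        owner = acct["employee_id"] if acct["employee_id"] in identities else None
        if owner is None and acct["email"]:
            owner = by_email.get(acct["email"].lower())
        acct["owner"] = owner   # None means orphan
    return accounts

def sod_violations(entitlements, policy=SOD_POLICY):
    """Return the policy pairs fully contained in one identity's combined entitlements."""
    return [pair for pair in policy if set(pair) <= entitlements]

def assess(identities, accounts):
    """Build per-identity findings (plus an '_orphans' bucket), each with a risk score."""
    accounts = correlate(identities, accounts)
    grouped = defaultdict(list)
    for acct in accounts:
        grouped[acct["owner"] or "_orphans"].append(acct)
    findings = {}
    for owner, accts in grouped.items():
        combined = set().union(*(a["entitlements"] for a in accts))
        score = sum(ENTITLEMENT_RISK.get(e, 1) for e in combined)
        flags = []
        if owner == "_orphans":
            score += ORPHAN_RISK * len(accts)
            flags.append("orphan")
        elif identities[owner]["status"] == "terminated":
            score += TERMINATED_RISK
            flags.append("terminated-active")
        viol = sod_violations(combined) if owner != "_orphans" else []
        score += SOD_RISK * len(viol)
        if viol:
            flags.append("sod")
        findings[owner] = {"accounts": [f"{a['system']}:{a['account']}" for a in accts],
                           "entitlements": sorted(combined), "sod": viol,
                           "flags": flags, "risk": score}
    return findings

def certification_items(identities, findings):
    """Group findings by manager so each reviewer sees only their reports' access, riskiest first."""
    items = defaultdict(list)
    for owner, f in findings.items():
        reviewer = identities[owner]["manager"] if owner in identities else "security-team"
        items[reviewer].append((owner, f["risk"], f["flags"]))
    for reviewer in items:
        items[reviewer].sort(key=lambda t: -t[1])
    return dict(items)

if __name__ == "__main__":
    result = assess(IDENTITIES, ACCOUNTS)
    for owner, f in sorted(result.items(), key=lambda kv: -kv[1]["risk"]):
        print(f"{owner:9} risk={f['risk']:3} flags={f['flags']} sod={f['sod']} accounts={f['accounts']}")
    for reviewer, items in certification_items(IDENTITIES, result).items():
        print(f"certification for {reviewer}: {items}")
```

Two design points carry over to real deployments: correlation should prefer a stable key (employee id) and fall back to weaker attributes such as email only after normalization, and anything that fails to correlate must land in an explicit orphan bucket owned by a named team rather than silently dropping out of the certification campaign.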

The good news is that investing in an identity governance solution will enable a company to realize some “quick wins,” while at the same time strengthening the organization for the long-term. Depending on the business priorities already defined, these immediate results could save the company money and reduce the compliance burden on IT; improve the company’s audit performance; improve the efficiency of identity business processes like access request; or improve the company’s ability to execute on a merger or divestiture.

Whatever path a company chooses to embark on first, IT leaders should avoid taking on every business problem on day one. Best results are achieved by taking a stepwise approach where the project is focused on the business units, departments, or applications that align with the business goals -- whether they are corporate agility, operational efficiency or regulatory compliance.

Jackie Gilbert is the vice president of product and marketing and a co-founder of Austin-based SailPoint Technologies.