Global corporations have recently begun to recognize that identity management is very much a business process that underpins compliance and security efforts. Identity management has always been an extension of core business processes, ensuring that users have the access they need to do their jobs. When users leave the organization, that access is promptly removed.
In the last decade, however, government regulations have added new security and compliance demands that require companies to demonstrate and prove strong controls over “who has access to what.” This shift has made it all the more imperative that IT organizations work closely with business managers. Because they are the ones who understand the business risks facing the organization, business managers can and should make the appropriate trade-offs between benefits and risks to the organization.
Many people in technology talk about bridging the gap between business and IT, or more accurately, aligning business and IT. But the reality is that engaging business users in security and compliance processes is no easy task. Addressing this difficulty can help organizations ensure the effectiveness of IT controls in managing risk and reducing corporate liability. To get organizations started in the right direction, the following are three best practices IT managers can follow to ensure that business managers are active and effective participants in identity management processes.
1. Build a culture of business accountability
Good identity governance ensures that organizations have full visibility into who has access to each critical application and system, and the risk this represents. The better managers understand the potential risks associated with access privileges, the better the company can mitigate those risks.
Business managers provide valuable insights into business risk, so a good identity governance program should regularly include review and approval of access privileges by business managers. By establishing a regular, automated process for business managers to review access, you can begin building a culture of accountability. You will be well on your way to ensuring controls that prevent fraud and enforce corporate policy.
2. Focus on policy alignment
Business managers understand the risks associated with sensitive applications based on asset value, privacy requirements or potential for fraud or misuse. Because of this, they are the ones best equipped to define the control objectives needed to mitigate business risk. At the same time, the IT organization is ultimately responsible for ensuring that access configurations (who can access programs, tables, documents, etc.) conform to those business policies.
Both sides must be involved in order to achieve policy alignment at the implementation level (that is, not just captured in binders that sit on a shelf). Business-friendly tools that allow business managers to understand how policy is implemented and that highlight when policy violations are detected can help ensure that IT controls properly reflect compliance policy.
3. Make transparency a priority
The final step to engaging business managers is perhaps the most important one. The organization must take steps to ensure the required level of transparency into the organization’s identity data, in a way that is easily understood by business users. It’s simply not practical to expect business managers to be able to interpret cryptic access privileges as they natively occur in directories, operating systems, applications and databases (and then make any meaningful decision about these privileges). To ensure good decisions and effective oversight, business managers require business-oriented user interfaces, glossaries and help facilities that turn IT data into business intelligence.
Today’s identity management tools
I’d be remiss if I did not suggest that today’s next-generation identity management solutions can help facilitate this collaboration across IT and business lines. Like BI tools, they aggregate and correlate identity and access data across applications, databases, systems and directories to create a single authoritative view of “who has access to what.”
They then transform that disparate technical identity data into consistent, business-relevant information. This gives business managers the information and metrics they need to strengthen internal controls, improve auditability and reduce risk. Finally, identity management tools provide business-friendly UIs that are designed to be used collaboratively by both business and IT users.
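As an added illustration (not the article's own material or any vendor's product), the following Python sketch shows the aggregate-correlate-translate pattern described above on constructed data: raw entitlements from several systems are joined into one view per identity, translated through a business glossary, and turned into findings (orphaned access, separation-of-duties conflicts) listed for the accountable manager's review. All system names, accounts, entitlements and policy rules are invented for the example.

```python
"""Added example, not from the article or any product: build a business-readable
"who has access to what" view from raw entitlements and flag findings for review."""
from collections import defaultdict

# Constructed sample data: entitlements as each system natively reports them.
RAW_ENTITLEMENTS = [
    ("ldap", "jdoe", "cn=fin-ap-approvers,ou=groups,dc=example,dc=com"),
    ("sap", "JDOE", "Z_AP_INVOICE_CREATE"),
    ("oracle", "jdoe", "FIN_RO"),
    ("ldap", "asmith", "cn=hr-admins,ou=groups,dc=example,dc=com"),
]
# Constructed HR feed: authoritative identity status and accountable manager.
HR_RECORDS = {
    "jdoe": {"status": "active", "manager": "rlee"},
    "asmith": {"status": "terminated", "manager": "rlee"},
}
# Constructed glossary: native entitlement -> (application, business meaning).
GLOSSARY = {
    "cn=fin-ap-approvers,ou=groups,dc=example,dc=com": ("Finance", "Approve supplier invoices"),
    "Z_AP_INVOICE_CREATE": ("Finance", "Create supplier invoices"),
    "FIN_RO": ("Finance", "Read financial reports"),
    "cn=hr-admins,ou=groups,dc=example,dc=com": ("HR", "Administer HR records"),
}
# Constructed business policy: capabilities one person must not hold together.
SOD_RULES = [({"Create supplier invoices", "Approve supplier invoices"}, "invoice fraud")]

def correlate(raw):
    """Join accounts across systems into one identity (case-insensitive account match)."""
    view = defaultdict(set)
    for _system, account, entitlement in raw:
        view[account.lower()].add(entitlement)
    return dict(view)

def business_view(view, glossary):
    """Translate native entitlements into (application, meaning) labels; unknown ones stay raw."""
    return {user: {glossary.get(e, ("Unknown", e)) for e in ents}
            for user, ents in view.items()}

def review_items(bview, hr, sod_rules):
    """Per accountable manager, list the findings a business reviewer must decide on."""
    items = defaultdict(list)
    for user, labels in bview.items():
        record = hr.get(user)
        manager = record["manager"] if record else "unassigned"
        if not record or record["status"] != "active":
            items[manager].append((user, "orphaned access: identity not active in HR"))
        meanings = {meaning for _app, meaning in labels}
        for pair, risk in sod_rules:
            if pair <= meanings:
                items[manager].append((user, f"separation-of-duties conflict: {risk}"))
    return dict(items)
```

Running `review_items(business_view(correlate(RAW_ENTITLEMENTS), GLOSSARY), HR_RECORDS, SOD_RULES)` yields one SoD conflict for jdoe and one orphaned-access finding for the terminated asmith, both routed to their manager rlee.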
When organizations deploy the right identity management tools in accordance with the three best practices outlined earlier (building an accountability culture, aligning policy and providing full IT transparency), they can successfully engage business managers in a traditionally IT-centric process. Having business managers participate in identity management processes leads to more accurate compliance and security efforts and, ultimately, a better risk posture for the organization.
Mark McClain is founder and CEO of SailPoint. Mark drives the vision and overall business strategy for SailPoint. Previously, Mark was founder and president of Waveset, where he helped establish the company’s industry-leading position in the identity management space, including 250 percent revenue growth year over year for three years. Following the acquisition of Waveset by Sun Microsystems, Mark served as vice president of marketing for Sun software. Mark also has diverse experience in international sales and marketing with Hewlett-Packard, IBM and Tivoli Systems. He can be reached at Mark.McClain@sailpoint.com.