Controlling user access on the network is the cornerstone of any enterprise compliance effort. Finally, it seems that resistance to automating this process is crumbling, with broad-scale adoption of automated user access provisioning within sight.
Almost two-thirds (65 percent) of companies surveyed by boutique access provisioning vendor Courion have either started implementing role-based access management or plan to do so within the next 18 months.
They have also started to get a grip on some of their thornier implementation issues. Forty percent said defining roles is the biggest technical hurdle to overcome, which is down from previous years, according to Courion CEO Chris Zannetos.
More than 50 percent of customers surveyed by the Framingham, Mass.-based company cited disabling access for non-employee users as the biggest access control issue they face.
That issue is especially acute for health care organizations, which are increasingly implementing portals to allow external users such as physicians, partners, patients and RHIOs (Regional Health Information Organizations) to access data from internal applications.
The survey, results of which will be released on June 11, was taken at Courions user conference in May. Lori Rowland, an analyst at The Burton Group, said that Courion customers and their concerns are fairly representative of the overall market.
"Now the market is maturing enough that we are starting to see customers in the midtier market show interest in provisioning," said Rowland. "Are we to a point where they are actually deploying? I dont think [its] mainstream. Weve crossed the chasm, but we are just over it," she added.
In Rowlands estimation, one of the barriers to adoption is the difficulty of implementing automated user access provisioning products, which can take "weeks if not months," she said.
Rowland also put her finger on adoption pain points. "There are three areas where people are trying to get a handle on control and compliance: role management, identity auditing and entitlement management," she said.
Indeed, Courions survey of 150 IT executives across a spectrum of functions found that the biggest barriers to getting off the ground with a provisioning project are role definition and prioritization of internal business processes. Compared with Courion survey results from previous years, that finding represents a shift away from justifying return on investment or worrying about the impact on existing infrastructure.
The survey also asked executives what had the greatest impact on compliance activities. Answers were spread out across three main areas: Twenty-eight percent said role management was the top identity management offering having the greatest impact on compliance activities, followed by identity audit at 26 percent and user provisioning at 25 percent.
"Weve seen with our leading customers that theres no single, silver bullet to achieve compliance with Sarbanes-Oxley Act, HIPAA [or other regulations] and achieve it in a way thats cost effective. Role management, provisioning alone or compliance [auditing] alone doesnt address it," said Zannetos.
Past surveys indicated that users had been focused on the "flavor of the month" answer to compliance issues, which had favored one approach over another, according to Zannetos. "This shows us theres a growing sophistication in how people approach user provisioning," he added.
Courion competes with large platform providers such as IBM, Sun Microsystems and Oracle.