One of the issues that nobody seems to want to really address inside or outside of IT is who exactly is responsible for identity management.
Within a specific domain, everybody wants to manage access rights. For example, the people running applications want to control who has access to which applications. The networking folks have any number of directories that track identities. And somewhere, there are usually security people who think that identity management belongs to them.
But nobody seems to want to be responsible for managing identities across the enterprise. So the end result is that nobody is exactly sure which individuals have access to which systems. And invariably, it comes as a surprise to them when a system is compromised by an internal employee who nobody knew could access whatever they were not supposed to access in the first place.
Of course, auditors are now making a small fortune mapping this out on an hourly basis. But what if there was a way to automate the process of discovering who had access to which systems and applications? And once that was established, what if you could attach a score to an individual that would identify the level of risk to the company as a whole associated with any specific individual?
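As an added illustration of the two steps just described (this is example code written for this column, not a product's code), the script below pulls access records from several constructed sources, builds one entitlement map per person, and attaches a risk score; the sensitivity weights and separation-of-duties rules are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample data: access records as an identity governance tool
# would collect them from application ACLs and directory group membership.
# Each record is (source, user, entitlement); all names are made up.
ACCESS_RECORDS = [
    ("payroll-app", "alice", "payroll:approve"),
    ("payroll-app", "bob", "payroll:submit"),
    ("payroll-app", "bob", "payroll:approve"),
    ("ldap", "alice", "cn=domain-admins"),
    ("ldap", "carol", "cn=helpdesk"),
    ("erp", "carol", "erp:read"),
    ("erp", "dave", "erp:vendor-create"),
    ("erp", "dave", "erp:payment-release"),
]

# Assumed sensitivity weight per entitlement (an assumption for this example).
SENSITIVITY = {
    "payroll:approve": 5, "payroll:submit": 2, "cn=domain-admins": 12,
    "cn=helpdesk": 1, "erp:read": 1, "erp:vendor-create": 3,
    "erp:payment-release": 4,
}

# Assumed separation-of-duties rules: holding both halves is a toxic combination
# and adds the given penalty to the person's score.
SOD_RULES = [
    ({"payroll:submit", "payroll:approve"}, 6),
    ({"erp:vendor-create", "erp:payment-release"}, 8),
]

def aggregate_access(records):
    """Map each user to the set of entitlements seen across every source."""
    access = defaultdict(set)
    for _source, user, entitlement in records:
        access[user].add(entitlement)
    return dict(access)

def score_user(entitlements, sensitivity=SENSITIVITY, sod_rules=SOD_RULES):
    """Risk score = sum of entitlement weights plus a penalty per SoD conflict."""
    score = sum(sensitivity.get(e, 0) for e in entitlements)
    conflicts = [rule for rule, _penalty in sod_rules if rule <= entitlements]
    score += sum(penalty for rule, penalty in sod_rules if rule <= entitlements)
    return score, conflicts

def risk_report(records):
    """Return (user, score, conflicts) rows ordered from highest to lowest risk."""
    access = aggregate_access(records)
    rows = [(user, *score_user(ents)) for user, ents in access.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for user, score, conflicts in risk_report(ACCESS_RECORDS):
        print(f"{user:6} score={score:2} sod_conflicts={[sorted(c) for c in conflicts]}")
```

The report puts the person with domain admin rights on top, followed by the two people whose combined entitlements violate a separation-of-duties rule even though each entitlement alone looks modest.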
Besides the massive savings generated in terms of reducing the amount of time auditors need to spend crawling over your organization, the overall posture of your organization in terms of risk management would be greatly enhanced.
Companies such as SailPoint, IBM, Oracle and CA claim to have developed just such a capability, which industry analysts refer to as identity governance. There's even an identity governance framework developed by The Liberty Alliance. And while the issue of having to deal with any number of identity management schemes is not likely to go away any time soon, simply figuring out who has the means and opportunity to do your organization harm is the first step toward identifying where the real risks to the business actually lie.
Of course, if you read the headlines about security breaches these days, it's pretty clear nobody seems to be really responsible for identifying who has access to what, which may account for why there isn't a whole lot of appreciation for identity governance either.