
The Intersection of Business Intelligence and Identity Management: Identity Governance

by Mark McClain, SailPoint
Jan 27, 2010 3:26:24 PM

Mark McClain is CEO and founder of SailPoint Technologies, an Austin-based developer of identity governance solutions.

This past summer, analyst firm Burton Group published a report entitled “Access and Identity Governance: Leading to Transparency and Visibility.” The report, authored by Gerry Gebel, describes how an access and identity governance layer has emerged to address enterprise needs for greater transparency, visibility and business controls. The Burton report is notable in that it signals the evolution of identity management tools toward business intelligence software. As Gerry puts it, new governance tools “strive to become business decision support tools rather than IT consoles.”

Identity Governance Leverages “Business Intelligence” to Deliver Better Transparency


The emergence of identity governance allows organizations to transform technical identity data from across the enterprise into business-friendly information that can be used to drive governance and compliance initiatives. This centralized visibility gives executive and business users the “intelligence” they need to define and enforce business policy, audit and report on the effectiveness of internal controls, and more effectively manage risk.

As Gebel suggested, identity governance takes the same approach to identity data that business intelligence vendors took to centralizing and analyzing business data. Business intelligence’s success bodes well for identity intelligence, since it is based on the same principles. Business intelligence collects data from isolated application “silos” into a central repository, where analytic applications process it to reveal patterns and trends. Identity governance likewise centralizes user access information from critical applications, allowing managers to analyze it to identify risky employee populations, policy violations and inappropriate access.


Identity Intelligence Allows Identity Governance to Cater to the Business


One of the key challenges of IT governance is the need to tie IT data and operations to higher-level business policies and priorities, a crucial step in measuring how well IT supports the business and manages IT-related risk. To fully support executive and business-level oversight, IT must generate performance metrics that are aligned with business objectives and can be easily understood by businesspeople.

Because it is fueled by identity intelligence, identity governance enables companies to identify, measure, and manage the risk associated with employee access to sensitive applications and data while ensuring regulatory compliance. Identity governance solutions enable business and IT staff to define a top-down business model for complying with internal policies governing users and their access privileges.

Why Is Identity Governance Important Now?


It’s clear that the economic downturn has created havoc for the world’s largest companies, many of which must now begin sorting through the implications of shotgun mergers, massive restructuring and the corporate downsizing of the last year or so. The resulting corporate churn has forced organizations to make major changes on very short notice and created a heightened level of IT risk for companies moving forward. Add to all of this the shenanigans on Wall Street, and it’s reasonable to assume that even more regulation is on the way, not less.

As an example, the Model Audit Rule, which effectively requires SOX-like compliance for non-public insurance companies, took effect on January 1, 2010. Another example: Part of President Obama’s stimulus package includes the HITECH Act in health care, which effectively adds more “teeth” to HIPAA by requiring companies to disclose any privacy breaches. Finally, two new pieces of legislation requiring companies to mitigate and manage security breaches – the Data Breach Notification Act and the Personal Data Privacy and Security Act of 2009 – are making their way through Congress.

As a result of all this activity in Washington, companies will be even more focused on risk management and transparency in 2010. This is why today’s CIOs are particularly concerned with managing worker access to corporate resources (systems, applications, and data). Achieving transparency and managing risk around identity management requires organizations to inventory, analyze and understand the access privileges granted to their workers — and to be ready to answer a critical, yet elusive, question on demand: “Who has access to what?” Failure to effectively manage user access to sensitive resources places companies at increased risk for sabotage, insider fraud and data breaches.

Amidst increasing operational risk factors and more regulatory demands, IT organizations are facing constricted budgets and strained resources, making it even more difficult to meet stringent compliance and security requirements. Companies must find ways to do more with less, making compliance automation paramount. They simply don’t have the resources to address their identity management challenges with manual, time-consuming processes – particularly when a company is reducing staff or cutting budgets.

Unfortunately, many companies are approaching these challenges using either automated or homegrown provisioning solutions, which can be costly. These solutions lack two fundamental capabilities which are required in order for large enterprises to manage the identity data of their employees and partners:

  1. Visibility across critical information for the entire enterprise. The typical Global 1000 organization has thousands of users accessing hundreds of systems and applications, all in different locations – making centralized control a very daunting task. Unfortunately, previous generations of identity management solutions are often siloed by nature, focus on a narrow set of applications, and as a result only provide a fragmented view of identity data.
  2. Business context for access privileges. A “decoder” is often needed to translate cryptic IT entitlement data in order to determine which business users have access to sensitive data. Because identity management solutions were originally created for IT and security users, they’re devoid of business intelligence, business relevance and context, leading to inaccurate decisions and rubber-stamping.

Global companies need to look to a comprehensive identity governance strategy as they work to proactively address these emerging and very real operational risks. Organizations can approach identity management as a cross-department, enterprise discipline that provides a layer of intelligence to give enterprises the business insights needed to strengthen IT controls and reduce operational risk. The better a company understands which users have access to which corporate assets, the better it can realistically understand its potential security vulnerabilities.

Feb 12, 2010 1:35 PM user1433365 says:

I agree 100%, Mark. The economic state has pinched IT resources and as we embark on the eventual recovery, optimization of daily workflows will become a key differentiator of the IT departments that are part of the solution.

I recently captured my thoughts on the subject in a blog entry as well: 

http://blog.maas360.com/archives/businessintelligence/execution-of-daily-it-workflows-could-suffer-during-economic-recovery/trackback/
