When it comes to actually managing user access, we often find a huge governance gap between business and IT. While internal IT organizations provide the physical access to those files, the management of the business is in charge of determining who should have access to applications and files. More often than not, businesses don’t do a very good job of managing that gap as roles across the organization change. In fact, it’s within that gap between IT and the business that auditors most often find compliance issues.
To help organizations better address such governance issues, IBM has acquired CrossIdeas, a provider of analytics software that specifically identifies user access to files, applications and systems either on premise or in the cloud.
Ravi Srinivasan, director of IBM security strategy and product management, says most organizations today don’t have a simple way of identifying which users can access particular IT resources. People are granted access when performing one role, but when that role changes, no one in the organization is specifically charged with making sure that the access privileges they needed for the previous job are decommissioned. The end result is a panoply of potential compliance issues that could result in high auditing fees or lead to real fines when those issues are discovered by a regulatory agency.
CrossIdeas, says Srinivasan, eliminates that stress on the organization by allowing IT to discover which user has access to IT resources in minutes. Armed with that information, IT staff can address those issues before an audit, or the auditor can invoke CrossIdeas to dramatically reduce the amount of time it takes to actually conduct the audit, says Srinivasan.
Srinivasan also says that the data from the CrossIdeas analytics applications can be shared with other applications, such as human resource systems, via application programming interfaces (APIs).
The biggest issue with compliance is that in most organizations, no one is really accountable for managing user access on a tactical level. There is no shortage of chief risk officers, but the daily routine of changing assignments and roles within an organization goes on without much regard to the compliance issues involved. Changing that behavior can be a gargantuan task. But by applying analytics, the pain associated with unraveling the potential compliance mess can be reduced.