Browse archive

Latest news

Experts highlight top data breach vulnerabilities

Review: Logging and Log Management

Commission wants to minimize U.S. IP theft economic impact

NYPD detective accused of hiring email hackers

Why BYOx is the next big concern of CISOs

Free tool repairs critical Windows configuration vulnerabilities

Guantanamo cuts off Wi-Fi access due to OpGTMO

IT pros focus on cloud security, not hype

Blue Coat to acquire Solera Networks

APT1 is back, attacks many of the initial U.S. corporate targets

Aurora attackers were looking for Google's surveillance database

U.S. DOJ accuses journalist of espionage

Find TrueCrypt and BitLocker encrypted containers and images

The CSO perspective on healthcare security and compliance

Hacking charge stations for electric cars

From identity and access solutions to access governance

by Mike Small - Analyst at KuppingerCole - Monday, 20 August 2012.

The need to identify users, control what they can access and audit their activities is fundamental to information security. Over the past decade, there has been a tsunami of identity and access management technology designed to provide a solution to these needs. However, many organizations have not realized the benefits expected from the application of this technology, because they have taken a technology-led approach rather than one based on governance. In addition, the move to outsourcing and the cloud means that technology and some processes are no longer under direct control.

What is governance?

According to ISACA, governance “ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.”

While management “plans, builds, runs and monitors activities in alignment with the direction of the governance body”, according to ISACA’s definition, governance sets the policies, procedures, practices and organizational structures that ensure the execution of strategic goals. Identity and access governance sets the framework within which identity and access technology and processes are implemented. By shifting the focus to control rather than execution, governance is also the ideal approach to manage identity and access in an outsourced environment like the cloud.

Why does governance matter?

Good governance ensures that there is a consistent approach to risks and compliance across different lines of business and multiple laws and regulations. It can reduce costs by avoiding multiple ad hoc approaches to compliance and risk management. Identity and access governance ensures, in a consistent and efficient manner, that only authorized people have access to their confidential and regulated data.

The governance process leads the organization to evaluate risks in terms of their likelihood and business impact, and then to decide on the best approach to manage those risks. For example, choosing how to authenticate individuals accessing a system is a trade-off between the risk of impersonation, the value of the information and cost of the different authentication technologies. Where the impact, in terms of losses, would be high, it may make sense to choose a stronger (and more expensive) form of authentication than a username and password. Where the impact is low, a cheaper but less effective authentication process may be more appropriate. Governance provides a way to make this kind of decision effectively and consistently.