Posted on Mon, Apr 26, 2010 @ 04:32 PM
Great InfoWorld blog post on the Ponemon-Aveksa survey on Access Governance. It seems like there is quite a bit of media coverage of the second survey, especially around the findings on access governance for cloud-based applications. The full survey results are available here:
http://www.aveksa.com/company/access-governance-resource-center/PonemonInstitute2010AccessGovernanceTrendsSurvey.cfm
InfoWorld Cloud Computing blog
By David Linthicum
April 23, 2010
A recent survey shows that business folks are doing an end run around corporate IT by adopting cloud services
A Ponemon Institute survey recently piqued my interest. In the 2010 Access Governance Trends Survey, 87 percent of respondents said too many employees were able to access information that should have been out of reach. And guess what? Cloud computing was a factor -- 73 percent of respondents said that cloud-based applications were enabling business users to skirt organizational controls.
The core issue is IT's loss of control over its assets, including data. Let's face it -- departments are sick of waiting for development and deployment of core business applications or infrastructure services, and they're going directly to a cloud computing provider to get what they need. Think of it as a kind of technological infidelity.
Going around IT and straight to the cloud has become common practice in the last few years. Salesforce.com built its business selling directly to the sales staff rather than to IT; eventually, IT was forced to accept SaaS (software as a service) after the fact. I've watched those battles firsthand.
Today, things are even worse. Now you can get storage as a service, database as a service, and even complete application servers and app dev platforms that are delivered on-demand. With such endless resources available, corporate fiefdoms are creating so-called rogue clouds -- their own array of cloud computing services, including data repositories, that they alone control. IT may not have a clue about what's going on.
The trouble with the rogue approach is that there's no way to ensure that data is handled in accordance with corporate policies. Worse, that data may come with compliance issues, including personal medical or financial information where the law dictates how the data is handled and where it can reside.
IT can implement a few measures to correct this. First, if IT meets the business requirements of its internal clients, then those clients have no reason to look for other options. Second, IT needs to publish and promote data governance policies within the company. Violations most often occur due to a lack of understanding, rather than deliberate subversion.
IT may never have the bandwidth to prevent business folks from looking outside the firewall for the services they need -- after all, that's a big reason why cloud computing exists. Users are going to take matters into their own hands when they need to, not for malicious reasons, but to get things done. If the rules for handling data are crystal clear from the start, then "going rogue" to the cloud has far less potential to damage the business.
Posted on Wed, Apr 14, 2010 @ 11:40 AM
Aveksa sponsored a research survey conducted by the Ponemon Institute on the state of Access Governance. This is the second survey that we've worked on with the Ponemon Institute, and this one includes some interesting trend analysis, compared with the 2008 survey findings, on how well organizations are achieving their objectives for properly governing user access.
We would like to invite you to join Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, and Deepak Taneja, President and Founder of Aveksa, as they review all the survey findings and discuss a set of recommendations for improving how access is managed. Attendees of the 2010 Access Governance Trends Survey web seminar will also get a link to download a free copy of the complete report findings.
Date: Thursday, April 22, 2010
Time: 1:00pm ET/12:00pm CT/10:00am PT
Duration: 60 minutes
This study surveyed several hundred experienced IT practitioners from both multinational corporations and government organizations. The overall objective of this study was to understand how well IT practitioners are achieving their objectives for governing user access to information resources within their organizations.
Posted on Wed, Oct 28, 2009 @ 11:30 AM
Our friend Dave Kearns of NetworkWorld had an interesting article in his newsletter this week on "moving the discussion beyond authentication." This is an excerpt from his newsletter:
"A couple of years ago ("Are we bogged down in authentication discussions?") I advocated moving away from authentication discussions slowly, that until we were sure who was logging in discussions of what they could access was merely academic. Now it's time to move on. I may, in fact, have denigrated the possibilities of XACML. I'm still not sure it's the best we could do but -- similar to my thoughts on PKI -- it's the best we can do right now. XACML is all about rule-based access control. Couple that with role-based and context-based access control and we might be on to something."
http://www.networkworld.com/newsletters/dir/2009/102609id2.html?source=NWWNLE_nlt_security_identity_2009-10-28
Dave, we couldn't agree more! While XACML provides a common technical language for access control in the cloud, there also needs to be a common business language for governing user access to cloud-based information resources. Business roles, coupled with policy rules, let organizations extend their access governance framework to cloud-based information resources and pre-determine whether a person should have access at all and which specific permissions they should hold as part of their job function.
A number of organizations we've spoken with recently have expressed concern about their ability to properly govern user access to cloud-based information resources. Business units are buying subscriptions to cloud-based applications and services independently, without consulting their IT security team. Beyond basic security administration for setting up accounts on cloud information resources, there is no easy way for an organization to apply its access governance controls. As a result, an organization may be exposing itself to access-related business risks and compliance violations (depending on the nature of the information resource).
Extending business roles (with embedded controls) to cloud-based information resources must be an imperative for organizations.
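As an added illustration of the combination described in this post (not code from Aveksa, Dave Kearns, or any XACML implementation): business roles supply the entitlements, XACML-style rules are combined with deny-overrides, and request context (here the user's network) and an embedded separation-of-duties control can veto an entitlement a role would otherwise grant. All role, application and rule names are constructed for the example.

```python
from dataclasses import dataclass, field

# Business roles mapped to entitlements (cloud app, permission). Constructed sample data.
ROLE_ENTITLEMENTS = {
    "sales_rep": {("crm", "read"), ("crm", "write")},
    "finance": {("crm", "read"), ("expenses", "approve")},
    "contractor": {("crm", "read")},
}
# Role combinations forbidden by the embedded separation-of-duties control (constructed).
TOXIC_COMBINATIONS = [{"sales_rep", "finance"}]

@dataclass
class Request:
    user: str
    roles: set
    app: str
    action: str
    context: dict = field(default_factory=dict)  # e.g. {"network": "corporate"}

# Each rule returns an XACML-style effect: "Permit", "Deny" or "NotApplicable".
def role_entitlement_rule(req):
    # Role-based: permit when any of the user's business roles carries the entitlement.
    for role in req.roles:
        if (req.app, req.action) in ROLE_ENTITLEMENTS.get(role, set()):
            return "Permit"
    return "NotApplicable"

def separation_of_duties_rule(req):
    # Embedded control: a toxic role combination may still read, but nothing more.
    if req.action != "read" and any(t <= req.roles for t in TOXIC_COMBINATIONS):
        return "Deny"
    return "NotApplicable"

def approval_network_rule(req):
    # Context-based: approvals are only allowed from the corporate network.
    if req.action == "approve" and req.context.get("network") != "corporate":
        return "Deny"
    return "NotApplicable"

RULES = [role_entitlement_rule, separation_of_duties_rule, approval_network_rule]

def decide(req):
    """Deny-overrides combining (as in XACML): any Deny wins, then any Permit, else Deny."""
    effects = [rule(req) for rule in RULES]
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "Deny"
```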