Posted on Thu, Dec 17, 2009 @ 08:30 AM
Kuppinger Cole had an interesting post today on their website titled "No Information Security Without Identity."
In this article Martin Kuppinger states, "there are such things as data protection laws, for instance. And the public has a nagging habit of asking who actually has access to which sets of data and how in tarnation did they just get leaked again! Auditors are also prone to ask unpleasant questions about compliance issues concerning both external and internal regulations. The word "compliance", after all, means following the rules.
Data protection is actually a good example since it shows what IAM is really all about. Identity and Access Management, after all, isn't just an end in itself. Neither is it some purely theoretical problem. Instead, it's the result of a relatively simple demand that has been around since the early days of IT, namely: 'Make sure our information is safe!'
Part of IAM's job is protecting data, either directly or by protecting the systems that use and store data. That is also the backdrop against which compliance regulation, both internal and external, must be viewed. That also means that it is much easier to talk with business people about "access" rather than about "identity". The big question is how do we control and monitor access to information and systems? To do that, we need to know who is allowed to do what - and who isn't. The only way to achieve that goal is through true digital Identity Management. Anyone who thinks he can do it by granting rights and approvals based on IP addresses or MAC numbers is seriously kidding himself.
Good IAM is the fundament on which to build information security - or else nothing. Individual measures such as banning or monitoring things like USB sticks can help, but only if they are part of an overall system. Companies today need an 'access strategy' which determines who is allowed to do what in my system. That cannot be done by trying to apply and enforce a bundle of unconnected ad-hoc measures."
Martin brings up two very important points. First, "identity" is a language understood only by IT, while "access" is the language the business understands. IT security organizations must bridge this language barrier if they hope to drive accountability for governing user access into the business and to let the business request access in a context it understands.
The second point that Martin makes is a trend that we see emerging: the convergence of data governance (information) with access governance (identity). By understanding the user and their relationship within the organization (role), we can improve how information access policies are enforced at run-time while ensuring that they are not overly restrictive to the business. We think this is a pragmatic approach that enables information security policies to span data, applications, systems, hosts, networks, cloud services, files and file shares.
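To make the two points above concrete, here is an added example (not code from the post, Kuppinger Cole, or any product) of what "knowing who is allowed to do what" looks like when the decision is keyed to a digital identity and its role rather than to an IP or MAC address. The policy, role hierarchy, users and resource names are all constructed for illustration. Access is denied by default, a role inherits the permissions of its parent roles, every decision is written to an audit trail that records the requester's source address without using it for the decision, and a `who_can` query answers the auditor's question of which identities can reach a given class of data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample policy for this example:
# role -> set of (resource class, action) the role may perform.
ROLE_PERMISSIONS = {
    "employee":   {("intranet", "read")},
    "hr-analyst": {("hr-records", "read")},
    "hr-manager": {("hr-records", "update")},
}
# Role hierarchy: a role inherits everything its parent roles may do.
ROLE_PARENTS = {
    "hr-analyst": ("employee",),
    "hr-manager": ("hr-analyst",),
}


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset
    source_ip: str  # recorded in the audit trail only; never an input to the decision


@dataclass(frozen=True)
class Resource:
    name: str
    resource_class: str  # policy is written per data class (e.g. "hr-records"), not per file


def effective_roles(roles):
    """Expand assigned roles through the hierarchy (transitive closure over parents)."""
    result = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in result:
            continue
        result.add(role)
        stack.extend(ROLE_PARENTS.get(role, ()))
    return result


def is_authorized(user, resource, action):
    """Deny by default: allow only if some effective role grants (class, action)."""
    wanted = (resource.resource_class, action)
    return any(wanted in ROLE_PERMISSIONS.get(r, set()) for r in effective_roles(user.roles))


AUDIT_LOG = []  # a real deployment would ship these records to a SIEM or tamper-evident store


def check_access(user, resource, action, now=None):
    """Make the decision and record who asked for what, from where, with the outcome."""
    decision = is_authorized(user, resource, action)
    AUDIT_LOG.append({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user.user_id,
        "roles": sorted(user.roles),
        "resource": resource.name,
        "action": action,
        "source_ip": user.source_ip,
        "decision": "allow" if decision else "deny",
    })
    return decision


def who_can(users, resource_class, action):
    """Auditor's question: which identities can perform `action` on this class of data?"""
    probe = Resource(name="<any>", resource_class=resource_class)
    return sorted(u.user_id for u in users if is_authorized(u, probe, action))


# Constructed sample identities and a constructed resource.
USERS = [
    User("alice", frozenset({"hr-analyst"}), "10.0.0.5"),
    User("bob",   frozenset({"employee"}),   "10.0.0.6"),
    User("carol", frozenset({"hr-manager"}), "10.0.0.7"),
]
PAYROLL = Resource("payroll-2009.xlsx", "hr-records")

if __name__ == "__main__":
    for u in USERS:
        for act in ("read", "update"):
            print(u.user_id, act, "allow" if check_access(u, PAYROLL, act) else "deny")
    print("can update hr-records:", who_can(USERS, "hr-records", "update"))
    print("audit entries written:", len(AUDIT_LOG))
```

Note that `carol` never has `("hr-records", "read")` assigned directly; she gets it through `hr-manager` inheriting from `hr-analyst`, which is what lets the business talk about a manager's access in terms of the role rather than a list of individual grants.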