Information Age: News, analysis & insight for IT & business leaders

MS    Male Speaker

MS: IAM is all about defining and enforcing policy with rigor, that’s policy around access; what people can do.  It basically provides strong governance to ensure that people are not over-credentialed, and that people have the right access at the right time.

IT Security departments are always walking a tightrope between deploying preventative and detective controls.  99% of the time, employees and users are doing the right thing.  It’s a matter of employing the right controls to detect those breaches for that 1%, or ensuring that you’ve got preventative controls to prevent that 1% breach.

The profile of people that have been laid off is different.  We’ve got more white collar, we’ve got more knowledge workers; these are the people that have got the entitlement access, from an IT perspective, to do malicious things.  When you’re talking about large numbers of individuals, the burden on the IT department can be very great and, not having automation in place in the form of IAM, can cause big problems.  In certain cases, it can take a few days or, in other instances, weeks and months before that access is withdrawn.  When those accounts are still around, there’s a really high risk of potential breaches for an organisation.

Compliance has been probably the biggest single driver, with legislative acts such as Sarbanes-Oxley driven from the United States.  I think, specifically in financial services, we’ll see compliance and the burden of compliance increasing, particularly with what’s gone on with regard to the credit crunch.

So, over the past 13 years, Courion has been a consistent innovator in the identity and access management market place.  We’ve had a number of firsts.  We were the first to market with self-service; we were the first to market with integrated compliance or attestation.  We were also first to market with an integrated role life cycle management product.  We see that innovation continuing now, moving forward.  Probably, in the short term, the most obvious thing to talk about is the integration of data loss prevention products.  Data loss prevention products create alerts, sometimes a lot of alerts.  The obvious thing to do is to test those against policy, which is stored in the identity and access management system.

I think it’s about organisations looking inwardly; looking at the issues that are facing the organisation.  It’s important to utilise an executive sponsor to actually deliver against these business priorities.  Deliver against them quickly and incrementally over time.  So, if you can take a certain piece of functionality, a certain business requirement, and address that within, say, a three month window, then that can demonstrate to the business that the IAM programme is succeeding and then you can build upon that over time.