Corporate ID management splintered: Westpac

The management of corporate identity frameworks is being spread across too many teams of employees in a lot of large organisations, according to Westpac Bank's security boss.

As Westpac's head of strategy and governance, information security, Theo Nassiokas has overall responsibility for the bank's enterprise information security strategy. The executive is also chair of the Australian Information Security Association.

Although he did not divulge details about Westpac's own situation, Nassiokas spoke out about his views on identity management at large organisations this week at a Sydney conference, telling attendees that access control at some organisations was not as effective as it could be due to lack of communication between different internal groups of staff.

"You can have user access control administration being done by business, by application, in addition to what operating system, what network, what platform, or whatever," he said.

"A lot of these teams in a lot of companies today don't even know each other. In some cases [they] don't even know of their existence. And yet they're all working together to make sure the right people have access to the right information to the right degree."

"I simply don't get that. I mean, surely it'd be better if they spoke?"

Banks like Westpac have invested plenty of time and money in identity management controls in order to increase security and comply with regulations like Sarbanes-Oxley. Introduced in 2002 in the United States, the Sarbanes-Oxley Act imposed strict requirements on public companies, including how to manage, archive and secure data and access to it.

Adding to this complexity, identity management was increasingly about physical access, Nassiokas said.

"We are starting to see more and more projects where identity management is no longer about a logical thing, as in limited to data access. It's also about physical access to areas as well. So there will be some convergence between the requirements here, and the requirements in that space," he said.