IT, biz convergence necessitates access governance

Access governance is growing in importance as IT and business intertwine, but the cost of implementing it need not rise if companies take a holistic approach, observers say.
Written by Jamie Yap, Contributor

Growing regulatory pressures, the rise in security threats and IT becoming integral to the business have raised the urgency for enterprises to focus on access governance. However, observers say this need not bring greater cost and complexity if companies take a holistic approach to managing it effectively.

Martin Kuppinger, founder and principal analyst at KuppingerCole, said there were essentially two main drivers behind the need for access governance. The first is regulatory compliance and audit requirements, and the second is "IT moving closer to the business".

As IT gets more intertwined with the business, the definition of entitlements has increasingly shifted from "classical IT-centric approaches", such as identity provisioning, to definitions based on business roles or responsibilities, access requests and access recertification, he explained.

Just as IT's importance to the business is on the rise, the outsourcing of enterprise IT infrastructure as well as the growing prevalence of cloud computing have only "catalyzed" the need for access governance, added Lyon Poh, partner, management consulting at KPMG Singapore.

Jason Garbis, vice president of marketing at Aveksa, which makes access governance software, said that within the past few years access governance has "evolved from a nice-to-have to a must-have", simply because of the "dramatic increases" seen in both security threats and IT compliance regulations.

Numerous security breaches have been the result of unauthorized access not only from external sources but also because people inside the organization "have too much or inappropriate access to sensitive IT applications and data", he pointed out. That in turn means companies are under greater pressure from internal and external auditors to make sure "only the right people have the right kind of access to critical application and data resources," he added.

Enterprise spread, strength
Gerry Chng, partner, IT risk and assurance at Ernst & Young Advisory, pointed out that the notion that access governance is deployed and managed at an enterprise level, as opposed to a department or system level, has only recently caught on.

He attributed this to how businesses are constantly looking for ways to index and leverage information to gain a competitive advantage in today's data-centric era. To enable this cross-collaboration and sharing of information in real time, systems are increasingly interconnected and so naturally, access roles will span across departments and business units.

"When this happens, organizations start to realize that it is important from a security, compliance and accountability perspective, to have the ability to manage--and automate--user entitlements and access at an enterprise level throughout a corporate user's lifecycle. Not doing so could result in security lapses due to segregation of duty violations and other risks," he said.

Steve Lam, associate director, IT risk and assurance at Ernst & Young Advisory, said that since most businesses already have some kind of unit-specific or ad hoc process in place to review and certify user access, the first main challenge in implementing access governance is integrating those disparate processes seamlessly across the enterprise.

The next difficulty is automating that process, which is vital to ensuring that user entitlements are linked to business roles and that compliance is handled appropriately, he added.

Right approach to balance
Industry observers acknowledged that while enterprise-level access governance has become more crucial, the complexity and costs of implementing it do not inevitably have to rise as well.

Kuppinger argued that access governance not only makes the processes around access management more efficient, it also reduces complexity and costs by providing an approach that can be implemented quickly and subsequently automated--instead of manually going through tons of log files.

Ultimately, the analyst noted that access governance is about risk mitigation, and "access-related risks can be extremely expensive".

Concurring, Garbis added that a proactive and preventative approach significantly reduces the costs and complexity compared to a reactive approach to security.

KPMG's Poh, however, said access governance should not be seen in isolation or as a "miracle solution to all external threats", but rather as part of an organization's larger IT governance roadmap.

"The technology is just a means but the basics remain the same. A successful access governance program starts with a clearly charted roadmap on how the lifecycle of an identity is managed within the enterprise, and how access is granted and reviewed, and lastly, identifying the possible tools that can be used to simplify and strengthen governance."
