Using risk management to prioritize security
As part of its project, ABN AMRO brought in consultants from PricewaterhouseCoopers (PwC) to help map out its areas of need and define where its greatest data and identity risks lay.

Jerry Lewis, a principal and national identity management leader at PwC, said that his company is advising more customers to tackle their projects using a risk management strategy because it allows them to refine their plans and improve their security standing with greater alacrity.

"We're definitely seeing risk management becoming the next real extension of identity management," Lewis said. "Most large companies we see have spent a lot of time and money putting solutions into place to drive various requirements -- such as in addressing compliance regulations -- and once they have the infrastructure installed, they realize that they need to use more of a risk-based approach."

Lewis said that more customers than ever are starting to adopt the risk-based identity management approach to get a better fix on handling applications and systems access from an enterprise-wide manner.

Those companies' immediate goals tend to revolve around their desire to improve identity management reporting capabilities, and to create dashboards that garner metrics related to potential compliance audits, he said.

"People are looking at this issue from more of a broad perspective, based on regulatory drivers, and focused on very specific applications or needs," Lewis said.

"Doing so, these companies are able to take a step back and find out what they really need to address first," he said. "They want the company-wide view, but they're also realizing that they typically can't have a complete end-to-end solution across the organization that is one size fits all and that they need use this risk-based approach."

As a result of the success that companies are having using the strategy, the consultant said that more customers have earmarked funds to buy products that apply the risk-based approach to identity during 2008.

One of the vendors PwC works with in the space, and the software provider to ABN AMRO, is SailPoint, a startup founded in 2005 whose products are focused squarely on identity auditing and analytics as well as policy enforcement and the creation of automated controls.

SailPoint executives said that customers are looking for a new generation of identity management tools that address the issues that will help them pass audits and give them more of a top-down view into where their organizations stand in terms of securing access.

"People began getting pressured to address issues of compliance and audit around Sarbanes-Oxley, but traditional identity tools were not designed to solve those problems, they were mostly about improving operational efficiency, and people have been stretching those technologies to do things they weren't designed to do," said Mark McClain, chief executive and founder of SailPoint.

"Most of these systems were initially designed to set up accounts and do password resets, but with compliance needs, it has to become more about governance and risk assessment," he said. "Customers are frustrated because they've spent all this money dealing with the terms of the regulatory audits, yet the breaches have continued because they haven't been able to address the real risks."