Risk model moves into identity

Experts are recommending that businesses abandon piecemeal security systems and instead adopt broader, risk management-style models

Across the security industry, experts are encouraging businesses to abandon piecemeal IT systems and data-defense efforts in favor of overarching risk management strategies.

According to some customers, consultants, and vendors, the strategy is starting to prove particularly helpful in addressing issues of identity management and access control.

Long identified by industry analysts as an area where businesses often end up "chasing rainbows" and getting involved in never-ending projects, experts contend that by adopting a risk-based model to drive identity management, customers' goals are actually being realized.

"When developing our architecture, it became very clear that one of the processes that was important to tackle before starting to change things in one region or business unit was to do risk assessment and integrate all the subjects related to access control," said Paulo Martins, enterprise identity and access manager at financial services giant ABN AMRO.

In 2006, the banking company made a decision to rework its identity infrastructure as part of an effort to make access control an even more central focus of its enterprise security strategy.

Rather than simply looking for a new technology to improve its standing, ABN AMRO found that by getting a fix on the areas of its business where controlling access to sensitive data was most crucial -- and then assessing the varying levels of efficacy within its existing operations -- it found a way to move its project forward faster and with a greater sense of direction.

"As companies get larger and the numbers of applications increase, and they grow through mergers and acquisitions, they find that they have different levels of maturity related to identity and access," said Martins. "We built our strategy considering all of these things. The first year was dedicated to process and access control reviews; the second year involved implementation of those processes and use of risk analysis for critical applications."

Among the most valuable topics that ABN AMRO was led to consider as part of its process, he said, was where it made sense to automate identity-based control for its applications and where it did not.

By gauging the number of users and criticality of the data involved in each area of its business, the company was able to set its priorities and get controls in place where the risk of information loss was most widespread or severe, said Martins.

Using risk management to prioritize security
As part of its project, ABN AMRO brought in consultants from PricewaterhouseCoopers (PwC) to help map out its areas of need and define where its greatest data and identity risks lay.

Jerry Lewis, a principal and national identity management leader at PwC, said that his company is advising more customers to tackle their projects using a risk management strategy because it allows them to refine their plans and improve their security standing with greater alacrity.

"We're definitely seeing risk management becoming the next real extension of identity management," Lewis said. "Most large companies we see have spent a lot of time and money putting solutions into place to drive various requirements -- such as in addressing compliance regulations -- and once they have the infrastructure installed, they realize that they need to use more of a risk-based approach."

Lewis said that more customers than ever are starting to adopt the risk-based identity management approach to get a better fix on handling applications and systems access from an enterprise-wide manner.

Those companies' immediate goals tend to revolve around their desire to improve identity management reporting capabilities, and to create dashboards that garner metrics related to potential compliance audits, he said.

"People are looking at this issue from more of a broad perspective, based on regulatory drivers, and focused on very specific applications or needs," Lewis said.

"Doing so, these companies are able to take a step back and find out what they really need to address first," he said. "They want the company-wide view, but they're also realizing that they typically can't have a complete end-to-end solution across the organization that is one size fits all and that they need use this risk-based approach."

As a result of the success that companies are having using the strategy, the consultant said that more customers have earmarked funds to buy products that apply the risk-based approach to identity during 2008.

One of the vendors PwC works with in the space, and the software provider to ABN AMRO, is SailPoint, a startup founded in 2005 whose products are focused squarely on identity auditing and analytics as well as policy enforcement and the creation of automated controls.

SailPoint executives said that customers are looking for a new generation of identity management tools that address the issues that will help them pass audits and give them more of a top-down view into where their organizations stand in terms of securing access.

"People began getting pressured to address issues of compliance and audit around Sarbanes-Oxley, but traditional identity tools were not designed to solve those problems, they were mostly about improving operational efficiency, and people have been stretching those technologies to do things they weren't designed to do," said Mark McClain, chief executive and founder of SailPoint.

"Most of these systems were initially designed to set up accounts and do password resets, but with compliance needs, it has to become more about governance and risk assessment," he said. "Customers are frustrated because they've spent all this money dealing with the terms of the regulatory audits, yet the breaches have continued because they haven't been able to address the real risks."