Avoiding leaks in IT governance

Earl Perkins, research vice president, Gartner

The infrastructure and services used to deliver governance, risk and compliance management (GRCM) are much like electricity or plumbing: you only really notice their absence when they don't work. In a further plumbing analogy, if the 'pipes and pumps' of identity and access management (IAM) stop working entirely or substantially, key inputs and integration points to GRCM fail, and things can get really exciting.

Business leaders are not plumbers, nor should we expect them to be. IT departments should provide not only good plumbing, but the practices to keep it good and to avoid excitement. To do this, they need to better understand the relationship between GRCM and IAM.

IAM complements GRCM by providing an infrastructure and systems to keep business processes and behaviours within specific risk-tolerance ranges. Specific elements of IAM workflow - user provisioning, role life-cycle management, auditing and analytics - contribute to those processes and behaviours. Indeed, a significant part of IAM intelligence is involved in direct support of IT governance, risk or compliance management.

The maturing of IAM has not been fast or easy but, as managers address IAM in a top-down manner as part of governance efforts, this is changing. Businesses can exploit IAM's role in GRCM by recognising the key deliverables from IAM and the work required to produce them. These can be summarised as the 'seven Ps':

Principles: The core vision and mission of the business

Policies: These formalise the key rules, guidelines and directions that the business must take to realise that mission

Practices: These codify the behaviours of the business in delivering policy

Processes: Policies and behaviours as a formal set of actions across the whole of the business, including IT

People: The optimum organisational structure for them

Products: Only after the areas above have been addressed can technologies be chosen to aid their delivery and support

Production: The business can then move into an operational phase that has lifecycle input to each of them

One key issue is the need to cut costs within and with IAM. An effective IAM implementation is risk-based, meaning that IAM helps risk management ensure that business processes and behaviours remain within a 'tolerance zone' to minimise business loss. While GRCM is seen as an enabler for reducing risk, and while IAM provides input to that, it is also a cost-cutting enabler for efficiency initiatives.

Organisations must now recognise 'risk-based' IAM economics, for example identifying operational risks (and costs) of business loss resulting from inadequate or failed internal systems, which can be greater than the cost of effective IAM.

Reputational risk can arise from retaliatory or predatory moves by former employees or competitors in an increasingly volatile market seeking to exploit vulnerabilities in an identity infrastructure. An effective IAM solution enables revocations of access for former workers to occur quickly, and to be monitored and audited to reduce reputational risk. Providing more effective IT cost control during an austerity programme involves the ability to match identities to resources, whether those resources are automated timesheets or expense/financial accounting systems. IAM programmes enable the decommissioning of other identity stores, and use or 're-task' hardware, software and operating system licences for other purposes.

IAM foundations can also enable outsourcing planners to identify key repositories of identity data for employees, partners and customers. They can map (and perhaps automate) process workflows for provisioning, deprovisioning and privilege assignments, and provide on-demand audit reports of authentication, authorisation and administration actions in the foundation.

IAM reporting provides a rich set of baseline metrics options that serve as a starting point from which to establish benchmarks to help measure IT cost-cutting performance. An IAM programme can enable greater flexibility and more timely changes to support business initiatives, including new product and system rollouts.

So what's in store for IAM as it responds to GRCM? Decision makers will find plenty of immature solutions with overlapping functions from different product categories, so the job of selection will initially be more complex. There will also be more emphasis on how security and access policy is best manifested in IAM solutions, particularly regarding how access controls can be implemented in the toolset for optimum use.

Across the business, a consolidation of key GRCM and IAM activities will occur that more accurately reflects the support needed by both constituencies and the business customer to ensure that everyone stays in a well-lit and dry 'home'.

Earl Perkins is research vice president at analyst firm Gartner