Obscured by the clouds of regulation and compliance lies the real issue, says Simon Moores: organisations need to control access to sensitive information through effective identity management
Historically, compliance is a word with an unwelcome association with authority, as in “compliance officer”. But for businesses, changes in regulations mean that from now on the word will be closely tied to the elimination of risk, adding to the burden carried by companies in a world already wrapped in regulatory red tape.
In the shadow of a number of high-profile corporate scandals and the ever-present threat of cybercrime, understanding and controlling access to systems and data have become the driving force behind the introduction of a raft of new business regulations.
Many would agree that the Sarbanes-Oxley Act in the US is the single most influential piece of legislation affecting corporate governance, financial disclosure and the practice of public accounting to appear in the last 70 years. Among other requirements, Sarbanes-Oxley calls for an annual assessment of internal controls relating to risk management and application access.
That requirement, along with the new Basel Capital Accord's focus on operational supervision, is meant to ensure that users aren’t able to access any applications that might lead to risk or compromise for the business.
The argument in favour of stronger compliance (which in practice means sound identity management policy) says that however strong an operating system - the foundation of any computing environment - may be, it is worth very little without solutions that properly address authentication, authorisation, administration and a central identity store.
Inside this four-sided box, identity management is composed of three main components aimed at creating a unified single point of access to all applications within a company. These are:
- user management, provisioning and access control
- managing the user life-cycle and each user's authorisation profile
- automating the creation and management of user accounts into different back-end systems.
This might be the objective but the reality in most business sectors is that people hold multiple identities and access rights to systems, some of which might be considered business-critical, and which are not controlled from a single point.
In such a relaxed regime an individual might have access to sensitive information that they should not. That was one potential scenario explored at the last e-crime congress: a temporary member of staff, a skilled computer operator, infiltrated into a foreign bank by an organised crime gang to steal online account details by taking advantage of lax identity management policies.
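To make the three components above concrete, and to show how the "multiple uncontrolled identities" problem is detected, here is an added Python example (not from the column or from Zentelligence). It models a central identity store that provisions accounts into back-end systems from a role profile, removes them when a user's contract ends, and reconciles what the back-end systems actually hold against the central store. All role names, system names, users and dates are constructed for the example.

```python
"""Constructed example: central identity store with role-based provisioning,
lifecycle-driven deprovisioning, and a reconciliation check that flags
accounts not under the control of the central store."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Role profiles: which back-end systems a role may hold an account in, and
# which entitlements that account may carry. Constructed values; in practice
# these come from the organisation's access policy.
ROLE_PROFILES = {
    "teller": {"core_banking": {"view_account"}, "email": {"mailbox"}},
    "analyst": {"core_banking": {"view_account", "export_report"}, "email": {"mailbox"}},
    "contractor_ops": {"ops_console": {"run_batch"}, "email": {"mailbox"}},
}

# Reference date used by the sample scenario below (constructed).
SAMPLE_TODAY = date(2024, 3, 8)


@dataclass
class User:
    user_id: str
    role: str
    end_date: Optional[date] = None  # None means permanent staff

    def is_active(self, today: date) -> bool:
        return self.end_date is None or today <= self.end_date


@dataclass
class IdentityStore:
    users: dict = field(default_factory=dict)
    # back-end system name -> {user_id -> set of entitlements actually granted}
    systems: dict = field(default_factory=dict)

    def provision(self, user: User) -> None:
        """Create accounts in every system the user's role profile allows."""
        self.users[user.user_id] = user
        for system, entitlements in ROLE_PROFILES[user.role].items():
            self.systems.setdefault(system, {})[user.user_id] = set(entitlements)

    def deprovision(self, user_id: str) -> None:
        """Remove the user's accounts from every back-end system."""
        for accounts in self.systems.values():
            accounts.pop(user_id, None)


def reconcile(store: IdentityStore, today: date) -> dict:
    """Compare back-end accounts with the central store and return findings:
    orphan  - account with no central identity behind it
    expired - account belonging to a user whose contract has ended
    excess  - entitlements beyond what the user's role profile allows
    """
    findings = {"orphan": [], "expired": [], "excess": []}
    for system, accounts in store.systems.items():
        for user_id, granted in accounts.items():
            user = store.users.get(user_id)
            if user is None:
                findings["orphan"].append((system, user_id))
                continue
            if not user.is_active(today):
                findings["expired"].append((system, user_id))
            allowed = ROLE_PROFILES[user.role].get(system, set())
            extra = granted - allowed
            if extra:
                findings["excess"].append((system, user_id, sorted(extra)))
    return findings


def run_lifecycle_sweep(store: IdentityStore, today: date) -> list:
    """Deprovision every user whose end date has passed; return the ids removed."""
    removed = [uid for uid, u in store.users.items() if not u.is_active(today)]
    for uid in removed:
        store.deprovision(uid)
    return removed


def build_sample_store() -> IdentityStore:
    """Constructed scenario: a permanent teller, a temp whose contract ended a
    week ago, an account a local admin created for the temp directly in a
    back-end system, and a service account with no central identity at all."""
    store = IdentityStore()
    store.provision(User("alice", "teller"))
    store.provision(User("temp01", "contractor_ops", end_date=date(2024, 3, 1)))
    # Added outside the central process, with entitlements the role never had.
    store.systems["core_banking"]["temp01"] = {"view_account", "export_report"}
    # Account that exists only in the back-end system.
    store.systems["ops_console"]["svc_legacy"] = {"run_batch"}
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print("before sweep:", reconcile(store, SAMPLE_TODAY))
    print("removed:", run_lifecycle_sweep(store, SAMPLE_TODAY))
    print("after sweep:", reconcile(store, SAMPLE_TODAY))
```

The reconciliation is the part that matters for the scenario in the text: the lifecycle sweep only removes accounts the central store knows about, so the directly created `svc_legacy` account is still reported as an orphan afterwards and has to be investigated by hand. Running the reconciliation on a schedule is what turns "single point of access" from an objective into something that can be evidenced to an auditor.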
This is one reason why the highly regulated financial services industry in the UK is the one most sensitive to the risks and penalties of non-compliance and why it’s the market that’s adopting the technology the fastest.
Identity management is the message that, like the words in a stick of rock, weaves its way through the new compliance and regulatory framework. It may not be as complex as you think it is, but if you’re a company of any size, you need to think about the fact that your business platform has to provide a foundation for compliance in the future, regardless of what the regulations are calling for now. That means preparing for tomorrow by putting sound and flexible identity management policies in place today.
Setting the world to rights with the collected thoughts and opinions of leading industry analyst Dr Simon Moores of Zentelligence.
Acting globally, Zentelligence (Research) advises governments, suppliers, business and the media on the evolution, application and delivery of leading-edge technologies, and specialises in the areas of e-government and information security.
For further information on Zentelligence and its research, presentation and analyst services, visit www.zentelligence.com