By Mark McClain, SailPoint Technologies
Over the last three years, identity management has been elevated from its position as an IT-only issue to become a critical matter on the radar screens of banking executives concerned about security and compliance issues. Historically focused on tactical issues like efficiently provisioning services and managing passwords, identity management is now a knot of interconnected issues with serious consequences like privacy breaches, fraud or misuse of corporate data. Companies are forced to balance safeguarding their IT assets – which usually means hundreds of applications – with the opposing need to maintain the speed of business.
The stakes in striking this balance have never been higher. Networked applications have opened sensitive systems to partners, customers, suppliers and mobile employees, exacerbating risk by expanding access to sensitive information. Just a few months ago, France’s Société Générale was compelled to reveal the multi-billion dollar losses it suffered when a rogue trader with the right combination of access privileges bypassed internal controls to conduct unauthorized transactions. In this case, the employee had legitimate access to the systems, but was able to misuse them undetected. LendingTree was hit with two lawsuits in May stemming from personal information thefts by an employee that allegedly continued from 2006 to early 2008. In other incidents, Wachovia Securities, Bank of America, Commerce Bancorp and PNC Bank all reported theft of customer account information by employees who sold it to third parties for profit.
Many companies are trying to manage these kinds of risks with either provisioning solutions from a software vendor or homegrown solutions. Both are costly and lack three fundamental capabilities for effective identity data management:
1. Visibility across critical information for the entire enterprise. Many deployments of provisioning solutions are limited to a small set of applications, and as a result, only provide a fragmented view of identity data.
2. Business context for identity data. Because identity management solutions were originally created for IT and security users, they provide access reports that can be too cryptic for reviewers to decipher, leading to inaccurate decisions and rubber-stamping.
3. A risk-based approach. Protecting information assets — and the business as a whole — requires a way to identify and assess identity management risks and take the necessary steps to reduce risk to levels acceptable to the organization.
An emerging technology category within identity management called identity governance addresses the business and IT dimensions of risk management. Identity governance approaches identity management as a cross-department, enterprise discipline that provides a layer of intelligence to give financial institutions the business insights needed to strengthen IT controls and reduce the risk associated with user access to sensitive data and applications. In short, it gives enterprises a degree of “identity intelligence” that they have never had before.
If identity governance sounds like it harks back to a more established technology, that’s because it does. It takes the same approach to identity data that business intelligence vendors took to centralizing and analyzing business data. Business intelligence’s success bodes well for identity intelligence, since the two are based on the same principles. Business intelligence collects data from isolated application “silos” into a central repository, where analytic applications process it to reveal patterns and trends. Identity governance collects user and entitlement information from the various applications into a central repository, correlates each application account with the person behind it, and lets managers analyze the result to identify risky employee populations, policy violations and inappropriate access.
Focusing attention on high-risk areas in this way enables companies to manage insider threats to the business without impeding business goals. One of the leading international banks in the world provides a good case study of identity intelligence’s power. This particular bank needed an efficient, cost-effective system for addressing Sarbanes-Oxley (SOX) and Basel II requirements. The staff realized that the manual access review and certification process was outdated; reviews were taking the entire quarter to process, so preparation became a year-round task. In addition, the bank was concerned about the errors and inefficiencies resulting from manual and paper-based processes.
The bank implemented a centralized identity governance solution to automate its access review process. Within 60 days, it launched a certification process across 29 SOX-relevant applications. The deployment included collecting and organizing identity data for more than 25,000 users into a single repository from which simple, business-friendly reports were made available to the business managers. The benefits realized in this first phase of deployment included:
• on-demand visibility into “who has access to what”;
• a 66 percent reduction in the time to complete reviews, from three months to four weeks;
• a 20 percent reduction in unnecessary entitlements, which reviewers were now able to identify; and
• improved overall compliance performance and risk posture.
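The collect-correlate-analyze loop described above, and the “who has access to what” review it feeds, as an added Python example (this is not SailPoint’s code or the bank’s deployment; the application names, entitlement codes, HR records and separation-of-duties policy are constructed for illustration). It correlates two application extracts that identify users differently against an authoritative HR feed, flags an identity holding a toxic combination of privileges of the kind the rogue-trader incident illustrates, lists accounts with no active owner behind them, and renders the result with business-friendly descriptions instead of raw entitlement codes.

```python
"""Toy identity-governance pass: aggregate per-application account extracts
into one view keyed by identity, then run policy checks over it.

Added example; every application name, entitlement code and record below is
constructed for illustration and is not taken from any real deployment.
"""
from collections import defaultdict

# Authoritative identity source (constructed HR feed), keyed by employee id.
HR_FEED = {
    "E100": {"name": "A. Trader", "email": "atrader@bank.example", "status": "active", "dept": "Trading"},
    "E101": {"name": "B. Ops", "email": "bops@bank.example", "status": "active", "dept": "Operations"},
    "E102": {"name": "C. Left", "email": "cleft@bank.example", "status": "terminated", "dept": "Trading"},
}

# Per-application account extracts (constructed). Each application identifies
# users differently; resolving that is the correlation problem a central
# repository exists to solve.
APP_EXTRACTS = {
    "TradingPlatform": [  # accounts keyed by e-mail address
        {"login": "atrader@bank.example", "entitlements": ["TRD_EXEC", "TRD_VIEW"]},
        {"login": "cleft@bank.example", "entitlements": ["TRD_EXEC"]},
    ],
    "BackOffice": [  # accounts keyed by employee id
        {"login": "E100", "entitlements": ["BO_SETTLE_APPROVE"]},
        {"login": "E101", "entitlements": ["BO_SETTLE_APPROVE", "BO_RECON"]},
        {"login": "svc_batch", "entitlements": ["BO_RECON"]},  # no HR identity at all
    ],
}

# Business-friendly descriptions for the cryptic entitlement codes reviewers see.
CATALOG = {
    "TRD_EXEC": "Execute trades",
    "TRD_VIEW": "View trade blotter",
    "BO_SETTLE_APPROVE": "Approve trade settlements",
    "BO_RECON": "Run reconciliation reports",
}

# Separation-of-duties policy (constructed): no one identity may hold both sides.
SOD_POLICIES = [
    {"name": "Trade execution vs. settlement approval",
     "left": ("TradingPlatform", "TRD_EXEC"),
     "right": ("BackOffice", "BO_SETTLE_APPROVE")},
]


def correlate(hr_feed, extracts):
    """Map every application account to an HR identity.

    Returns (access, orphans): access[emp_id] is the set of (app, entitlement)
    pairs that person holds across all applications; orphans lists accounts
    with no active identity behind them (unknown login or terminated owner)."""
    by_email = {rec["email"]: emp for emp, rec in hr_feed.items()}
    access = defaultdict(set)
    orphans = []
    for app, accounts in extracts.items():
        for acct in accounts:
            login = acct["login"]
            emp = login if login in hr_feed else by_email.get(login)
            if emp is None:
                orphans.append((app, login, "no matching identity"))
                continue
            if hr_feed[emp]["status"] != "active":
                orphans.append((app, login, f"identity {emp} is {hr_feed[emp]['status']}"))
                continue
            access[emp].update((app, code) for code in acct["entitlements"])
    return dict(access), orphans


def sod_violations(access, policies):
    """Identities holding both sides of any toxic-combination policy."""
    hits = []
    for emp, ents in access.items():
        for policy in policies:
            if policy["left"] in ents and policy["right"] in ents:
                hits.append((emp, policy["name"]))
    return hits


def access_report(access, hr_feed, catalog):
    """'Who has access to what', with codes translated for business reviewers."""
    report = {}
    for emp, ents in sorted(access.items()):
        lines = sorted(f"{app}: {catalog.get(code, code)}" for app, code in ents)
        report[f"{hr_feed[emp]['name']} ({emp}, {hr_feed[emp]['dept']})"] = lines
    return report


if __name__ == "__main__":
    access, orphans = correlate(HR_FEED, APP_EXTRACTS)
    for who, lines in access_report(access, HR_FEED, CATALOG).items():
        print(who)
        for line in lines:
            print("   ", line)
    print("SoD violations:", sod_violations(access, SOD_POLICIES))
    print("Orphaned or terminated-owner accounts:", orphans)
```

Two design points matter more than the checks themselves. First, correlation runs against an authoritative source (here the HR feed) rather than trusting each application’s own notion of who a login is; a terminated employee’s surviving trading account and an unowned service account both surface only because of that join. Second, the policy is expressed on the correlated view, so a combination that looks harmless inside either application alone (trade execution in one, settlement approval in another) is visible as a single person’s privilege set.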
The bank’s experience represents an effective compromise between IT and business needs – a compromise that resulted in a win for both organizations. Centralizing access data, analyzing it to determine levels of risk, then acting on that identity intelligence enabled the bank to bridge the IT-business gap by giving the bank’s management information that they could understand and act upon. By empowering business managers, the IT department met its goal of keeping vital data and applications secure, without slowing the flow of data and information, which was the business users’ main concern.
There are no perfect solutions to any complex problem, and identity management is no exception. There will always be risk in doing business through widely accessible computerized systems. Applying identity governance principles, however, gives companies the intelligence they need to focus their attention and resources where they are needed most, all while keeping risk to a minimum.
Mark McClain is CEO and founder of SailPoint Technologies, an Austin-based developer of identity governance solutions.
Topics: Guest Column