December 12, 2012

The challenge for banks has always been ensuring the right people have the right access to the right resources and do the right things with them -- this is identity and access management (IAM). The first wave of solutions in the early 2000s automated provisioning with a focus on efficiency. Organizations could on-board new employees more quickly while using fewer IT staff to do it. The second wave of solutions focused on governance, helping organizations meet increasing regulatory pressure. Still, breaches kept climbing exponentially.

The IAM Security Gap

The remaining problem is a disturbing phenomenon at the heart of every institution’s information security program: the "IAM gap."

Consider this: Actions such as on-boarding a new customer or employee, promoting a staff member, terminating a contractor, merging companies or departments, or delivering a new product all require changes in identities and access to sensitive information. How do you keep up with the constant changes?

Well, traditional IAM solutions address only part of the problem. User provisioning puts controls in place to ensure users are given only the access rights they need to do their jobs. Later – say, every three, six, nine or 12 months – organizations perform periodic reviews or certifications to validate that those access rights are in line with policy.

But here’s the problem: traditional IAM solutions don’t address the constant changes in identities, access and information stores -- billions of access relationships in most organizations -- that take place in the months between provisioning and validation. What you end up with is a huge gap that leaves an institution’s sensitive company information at risk from internal and external threats.