Does Your Company Need Identity Governance?
William Van Winkle
William Van Winkle has been a full-time tech writer and author since 1998. He specializes in a wide range of coverage areas, including unified communications, virtualization, Cloud Computing, storage solutions and more. William lives in Hillsboro, Oregon with his wife and 2.4 kids, and—when not scrambling to meet article deadlines—he enjoys reading, travel, and writing fiction.
In these tech-enabled times, well laid out rules for Identity Governance can help pave the way for safer and saner Identity Management.
Identity governance for larger companies in the 1990s was much the same as it is for tiny companies today. Each user had a password tied to an account, and this account was tied to a given set of network and application privileges.
With only 10 users, managing identities is fairly painless. Scale up to 100 users, though, and managing those identities starts to become uncomfortable. The “provisioning” of accounts (adding, modifying and deleting users, resetting passwords, etc.) starts to consume IT hours on a weekly basis.
By 1,000 users, a manual system turns outright painful.
“Usually, once companies get beyond 500 employees, they start needing increasing amounts of identity automation,” says Ian Glazer, Research Director for Identity and Privacy at Gartner. “Also, depending on the industry and regardless of company size, they will need identity and access governance capabilities, such as access certification.”
Glazer is referring to regulations such as Sarbanes-Oxley and HIPAA, which came into effect in the early to middle part of the last decade. Regulatory compliance forced companies to become stricter with IT security and access management. Of course, it’s still possible to be compliant without identity governance, but the odds of encountering mistakes and less-than-perfect audits rise considerably.
Identity governance is the automated control of user identity in order to manage access to company data. Typically, this pertains to business insiders, such as employees, partners, contractors, and so on. (Controlling access by outsiders is a different topic we’ll address in a couple of weeks.) Whereas pre-compliance identity management efforts often revolved around controlling costs—namely finding ways to reduce IT support hours—current identity governance focuses more on controlling policies.
“Auditors can do a simple test, like ask how many accounts have access to the mainframe system and how many employees are there,” says Mark McClain, CEO and co-founder of identity management services provider SailPoint. “Not surprisingly, the number of accounts would far exceed the number of employees because people were getting added, but when they left, it was never getting cleaned up. And in the old days, people didn’t bother because they felt they were safe behind the firewall. Now, people recognize there’s risk associated with having access, so you have more auditors asking why Bob still has access to a system when he changed jobs three years ago.”
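The auditor's test described above, as an added sketch that is not from the article or from SailPoint: it reconciles one system's account export against the HR roster and flags accounts with no owner, accounts whose owner has left, and access granted for a role the owner no longer holds. The CSV columns, the sample rows and the `reconcile` function are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the article): an HR roster and one
# system's account export. Column names are assumptions for this sketch.
HR_ROSTER = """employee_id,name,status,role,role_since
E001,Alice,active,finance,2019-03-01
E002,Bob,active,marketing,2021-06-15
E003,Carol,terminated,engineering,2018-01-10
"""
ACCOUNTS = """account,employee_id,system,granted_for_role
alice,E001,mainframe,finance
bob,E002,mainframe,finance
carol,E003,mainframe,engineering
svc-batch,,mainframe,
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(roster_csv, accounts_csv, as_of):
    """Compare accounts with the roster; as_of is an ISO date string."""
    roster = {r["employee_id"]: r for r in load(roster_csv)}
    accounts = load(accounts_csv)
    today = date.fromisoformat(as_of)
    report = {
        "accounts": len(accounts),
        "active_employees": sum(r["status"] == "active" for r in roster.values()),
        "unowned": [],     # no matching person in HR data
        "leaver": [],      # owner has left, account never removed
        "stale_role": [],  # owner changed jobs, old access remains
    }
    for acct in accounts:
        owner = roster.get(acct["employee_id"])
        if owner is None:
            report["unowned"].append(acct["account"])
        elif owner["status"] != "active":
            report["leaver"].append(acct["account"])
        elif acct["granted_for_role"] != owner["role"]:
            days = (today - date.fromisoformat(owner["role_since"])).days
            report["stale_role"].append((acct["account"], days))
    return report

if __name__ == "__main__":
    for key, value in reconcile(HR_ROSTER, ACCOUNTS, "2024-06-15").items():
        print(f"{key}: {value}")
```

On the sample data the account count (4) exceeds the active headcount (2), and the stale-role entry records how many days the old access has outlived the job change.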
