
Exploring the science and magic of Identity and Access Management
Friday, July 19, 2024

Achieving Better Compliance with Identity Analytics

Author: Mark Dixon
Friday, February 15, 2013
2:28 pm


Vadim Lander, Oracle’s Chief Identity Strategist, recently published a compelling article in Web Security Journal entitled, “Five Steps Toward Achieving Better Compliance with Identity Analytics.”  He observes:

Enterprises are in the unenviable position of committing significant resources to compliance efforts with little assurance that they will prove successful.

Vadim recommends five steps toward more effectively leveraging identity analytics technology to assist enterprises in achieving robust identity compliance and remaining in compliance moving forward:

  1. Become risk aware
  2. Control privileged access
  3. Automate remediation
  4. Reduce the potential for audit violations
  5. Take a platform approach to identity management

An excerpt from the conclusion:

Automation makes it possible to create sustainable, repeatable audit processes that enable the enterprise to address compliance in an ongoing manner without starting from scratch to address every new regulation or prepare for every audit.

Hope you enjoy the article.


Titanic Catastrophe: Compliant Doesn’t Mean Secure

Information Security
Author: Mark Dixon
Friday, April 27, 2012
9:33 am

April 15th marked the 100th anniversary of the sinking of the RMS Titanic – by any measure a catastrophe of epic proportions. As we think about lessons collectively learned from this event, may I suggest a nugget worth remembering that has little to do with sinking ships, but a lot to do with the enterprises we serve today?

According to a recent ABC article:

… the Titanic was fully compliant with all marine laws. The British Board of Trade required all vessels above 10,000 tonnes to carry sixteen lifeboats. The White Star Line ensured that the Titanic exceeded the requirements by four boats.

But we all know that twenty lifeboats were not nearly enough for this ship.  The article continues:

But the ship was 46,328 tonnes. The Board of Trade hadn’t updated its regulations for nearly 20 years. … The lifeboat regulations were written for a different era and enforced unthinkingly.

“Enforced unthinkingly.”  Therein lies our little lesson.

In the discipline of information security, we may be tempted to think that “compliant” means secure.  But we must not accept that at face value.  We must really understand what regulations mean and how they apply to our enterprises.  PCI DSS or HIPAA compliance may go part way, but do they really go far enough to protect the vital information that is the lifeblood of our businesses?

Let’s make sure we have adequate “lifeboats” and not rely completely on those who write regulations to protect our businesses.



Gartner names Veriphyr “Cool Vendor in Identity and Access Management”

Author: Mark Dixon
Friday, April 29, 2011
11:18 am

Congratulations to my good friend Alan Norquist, whose company Veriphyr was named a “Cool Vendor in Identity and Access Management” in a recent Gartner report.  Veriphyr offers an on-demand SaaS service that “analyzes identities, privileges, and user activity to detect violation of access control down to the record level to deter snooping into sensitive data.”

I received Alan’s email informing me of this recognition earlier today – ironically just two days after I posted an article about the business benefits of Identity and Access Intelligence.  Here is Veriphyr’s definition of Identity and Access Intelligence:

Identity and access intelligence (IAI) is a new category of SaaS application that uses advanced data analytics to mine identity, rights, and activity data for intelligence that is useful not only for IT operations, but also for broader business operations. What is new about IAI is its focus on the needs of the business manager, who typically has the best knowledge of what resources their direct reports should or should not be accessing, when they should be accessing it, and how much resource utilization is appropriate. IAI informs the identity and access management process (IAM) in a way that provides rapid value to business managers and generates the buy-in from business stakeholders that is needed for a successful project implementation.

I predict that this segment of the Identity and Access Management market will grow rapidly, as enterprises seek to gain actionable intelligence from their growing mountains of available Identity and Access data.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.