Even though enterprise information security managers are likely rethinking every dollar spent amid a difficult economy, the results of a recent TechTarget survey suggest identity and access management will remain a major area of emphasis in 2009. The survey reflected the responses of more than 900 security professionals, many of which are potential customers for security solution providers.
Preventing employees or insiders from gaining unauthorized access to sensitive data is the most important reason why 67% of respondents want to improve IAM efforts. However, because this survey was conducted in late 2008, companies had yet to feel the full effects of the recession. For this reason, Adam Gray, chief technology officer of Novacoast Inc., an IT professional services and product development company in Santa Barbara, Calif., believes that preventing employees from accessing sensitive data is now an added expense that companies may not want to invest in going forward.
The survey found that 56% of respondents think improving their user access rights will be important this year. Gray confirmed this, saying that identity management is becoming "less about the endpoint, and more about account and user management."
The volatile economy has prompted hundreds of thousands of layoffs, and with each layoff, like any new hire, user access rights must be assigned, revoked or adjusted. As more companies look toward automating identity management, Gray said that presents an important opportunity for security solution providers.
"Automating the hiring and firing process has some real benefit and value," Gray said. "Endpoint management is more of an insurance policy than a cost cut."
According to Andrew Plato, president of Anitian Enterprise Security Corp., a security solution provider headquartered in Beaverton, Ore., some customers do not see identity management and access control as big problems, so they are not doing anything to strengthen their IAM efforts. "Probably about half of the companies out there seem to realize that [identity management/authentication] is an issue," Plato said, "and the other half don't."
Identity and access management is among information security's more complex disciplines, and Plato said technologists often try to make the processes easier to manage by granting all enterprise end users rights to everything.
However, he said failing to be mindful of the importance of proper IAM procedures like access control and strong authentication can lead to many immediate security problems, such as increased administrative overhead, as well as bigger issues down the road, namely a company's identity management system growing so large that the complexity of it becomes a burden.
"Eventually, they can grow to a point where they are so complex, they are poorly managed and that allows for orphaned accounts and/or users with rights they should not have," Plato said, noting that this presents a good opportunity for solution providers as long as customers realize what a big problem identity and access management is in their company.
Another 68% of respondents indicated that compliance is their biggest reason for improving IAM. Although compliance is a must for all organizations, Gray believes that there's a chance things could change in this down economy.
"The economy could get so bad for people that regulators start dropping off the requirements for compliance, because companies are going to complain so loudly that it's too much of an expense to deal with," he said, adding that it hasn't happened yet. "Five to 10% of the profitability of a [public] company is spent on trying to remain SOX compliant," Gray said, reiterating that the need for compliance services is still a factor in the security channel, but that it may change if the economy continues its decline.