Corporate ID management splintered: Westpac

The management of corporate identity frameworks is being spread across too many teams of employees in a lot of large organisations, according to Westpac Bank's security boss.

As Westpac's head of strategy and governance, information security, Theo Nassiokas has overall responsibility for the bank's enterprise information security strategy. The executive is also chair of the Australian Information Security Association.

Although he did not divulge details about Westpac's own situation, Nassiokas spoke out about his views on identity management at large organisations this week at a Sydney conference, telling attendees that access control at some organisations was not as effective as it could be due to lack of communication between different internal groups of staff.

"You can have user access control administration being done by business, by application, in addition to what operating system, what network, what platform, or whatever," he said.

"A lot of these teams in a lot of companies today don't even know each other. In some cases [they] don't even know of their existence. And yet they're all working together to make sure the right people have access to the right information to the right degree."

"I simply don't get that. I mean, surely it'd be better if they spoke?"

Banks like Westpac have invested plenty of time and money in identity management controls in order to increase security and comply with regulations like Sarbanes-Oxley. Introduced in 2002 in the United States, the Sarbanes-Oxley Act imposed strict requirements for public companies including how to manage, archive and secure data and access to it.

Adding to this complexity, identity management was increasingly becoming about physical access as well, Nassiokas said.

"We are starting to see more and more projects where identity management is no longer about a logical thing, as in limited to data access. It's also about physical access to areas as well. So there will be some convergence between the requirements here, and the requirements in that space," he said.

Talkback 1 comments

    Parroting common problem statements – yawn! Anonymous -- 04/12/06

    Why don’t we get some decent IT journalism that provides some real insight, rather than parroting the rhetoric of an exec that in turn is parroting the common problem statement from IdM vendors?

    Go to any major IdM vendor’s website, download some of their market-tecture whitepapers and you’ll draw the same conclusions.

    Why don’t you talk about which companies have successfully implemented a resource or role driven provisioning solution that incorporates delegated admin amongst the fragmented / siloed organisation? This along with horror stories on how some consultants / vendors get the role definition for RBAC totally stuffed up? Plenty of good examples of what and what not to do out there, just have to exercise your network contacts and grey matter my friend.

    BTW – IdM about physical access as well, absolutely! But you try and solve both problems at the same time and you run the risk of boiling the ocean, losing momentum and management backing.
