
Data Security and Identity Access Management
As companies begin asking security questions about what transpires inside the firewall, they will first have to confront both the identity of their users and those users' scope of permissions. According to Nick Nikols, Vice President and GM, Identity, Security, and Windows Management for Quest Software, it is common to find incorrect resource access permissions in nearly all organizations. Nikols told me:
[O]ne in four IT professionals say they know at least one IT co-worker at their business who has used privileged login credentials to inappropriately access sensitive information. Even more, 42% report that IT staffs freely share passwords and access to multiple business systems and applications.
How must these questions be addressed today in the context of cloud computing, when IT staff within the firewall to some extent manage, but certainly can't completely control, data outside it and held by third-party cloud providers? Cloud computing highlights the potential for serious disconnects between management and IT. For instance, what if the Vice President of a division implements a cloud-based Customer Relationship Management solution without IT's prior knowledge? What if senior management agrees, based on cost concerns, to shift to a software-as-a-service product such as Google Apps for Business without IT's buy-in? These are not idle concerns, and they are "hypotheticals" experienced daily.
Information Access Management with appropriate systems is a "must have" business process in light of government regulations that require management of privileged accounts. The Sarbanes-Oxley Act of 2002, for instance, ushered in exacting standards for publicly traded U.S. companies' boards and management, as well as public accounting firms. Sarbanes-Oxley requires strict IAM controls because the financial information of publicly traded companies resides on their own servers. IT must implement controls to minimize the risk of inaccurate financial statements or the misuse of financial records. For IT, this is not a one-time shot. IT must continually ensure that its controls are effective. This means being able to inspect, document, and repair access controls to remain compliant. Nick Nikols adds:
Government regulations such as Sarbanes-Oxley mean that network administrators and their management need tools to implement, maintain, and report on access controls across the whole range of computer systems and data stores in their enterprise.
This corporate myopia needs to change quickly. IAM is a critical business function without which companies will find themselves quietly losing intellectual property, featured in the news for prominent security breaches from without and leaks from within, and non-compliant with federal and state regulatory data security requirements.
Founder of the BK Advisory Group
I am a Founder of the BK Advisory Group and Consero Group LLC. I graduated from Yale Law School and the University of Virginia and clerked for Judge Gilbert Merritt of the U.S. Court of Appeals for the Sixth Circuit. I am fascinated by the intersection of law and research, and electronic discovery in particular. I have contributed to The Huffington Post, AmLaw's Corporate Counsel, Law & Research News, Texas Lawyer, and Equine Journal. Please don't hesitate to email me with comments, criticism, and ideas to ben@bkadvisorygroup.com. Twitter = @benkerschberg. LinkedIn = benkerschberg.
