February 11, 2010, 8:39 PM — The identity management landscape is changing. The need for stronger auditing controls is giving rise to identity governance tools that are supplanting ID provisioning solutions as the centralized management layer for identity.
Identity governance tools allow organizations to review, audit and enforce policies for fine-grained access privileges across the IT environment. Because they are less complex and easier to deploy than traditional ID provisioning solutions, identity governance solutions can deliver end-to-end visibility and control across all high-risk systems and applications – a breadth of coverage that has proved nearly impossible to date.
Looking at the genesis of provisioning technology, it's easy to see why it falls short on addressing compliance requirements: quite simply, it wasn't designed for it. Provisioning solutions were primarily designed to provide a delegated administration capability that helped automate the process of adding, modifying, and deleting user accounts for IT operations and help desk staff. Provisioning applications fail to address governance and compliance needs for three principal reasons:
• Deployment scope - The cost and complexity of implementing provisioning has typically limited its use within an organization to a portion of total applications – often fewer than 10. In companies with dozens, hundreds or in some cases thousands of systems and applications, this limited view is not sufficient to meet enterprise-wide visibility and control requirements.
• Entitlement granularity - Most provisioning systems are only used to manage account-level access and have no visibility into the fine-grained application entitlements that true managed security is based upon. Without detailed application entitlement information, provisioning systems are unable to effectively enforce access policies or separation-of-duty (SoD) rules, or to evaluate whether a given user's privileges are appropriate to his job function.
• Technical user interface - Lastly, provisioning systems truly were designed for technical users, such as IT operations staff and system administrators. They do not provide an enabling environment for non-technical users in audit, compliance, or line-of-business positions, who are now responsible for proving and maintaining identity compliance.
Because of these technical limitations, many organizations that use provisioning systems still face the possibility of security breaches and failed IT audits. To effectively manage these risks, a complete, enterprise-wide view of entitlements and access privileges must be constructed to determine what actions a user can perform within a given business application environment.
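The entitlement-granularity and deployment-scope points above can be shown concretely. The following Python script is an added illustration, not code from the article or from any vendor's product: it aggregates constructed per-application entitlement exports into one enterprise-wide view per user and evaluates separation-of-duty rules against it. The application names, entitlement names and SoD rules are all invented sample data. It also evaluates the same rules one application at a time, which is what a tool with a narrow deployment scope would see, to show that a cross-application conflict is only visible from the enterprise-wide view.

```python
"""Fine-grained entitlement review with separation-of-duty (SoD) checks.

Added example: builds an enterprise-wide entitlement view from per-application
exports and evaluates SoD rules against it. All data below is constructed.
"""
from collections import defaultdict

# Constructed sample: each application exports (user, account, entitlement).
# An account-level view would only record that a user "has an account in erp";
# the entitlement view records what that account can actually do.
APP_EXPORTS = {
    "erp": [
        ("alice", "alice.erp", "AP_CREATE_VENDOR"),
        ("alice", "alice.erp", "AP_APPROVE_INVOICE"),
        ("bob", "bob.erp", "AP_CREATE_VENDOR"),
    ],
    "banking": [
        ("bob", "bob.bank", "WIRE_RELEASE"),
        ("carol", "carol.bank", "WIRE_VIEW"),
    ],
}

# Constructed SoD rules: a user holding both entitlements, in any combination
# of applications, is a conflict that a reviewer must either remediate or
# explicitly accept.
SOD_RULES = [
    ("AP_CREATE_VENDOR", "AP_APPROVE_INVOICE", "create a vendor and approve its invoices"),
    ("AP_CREATE_VENDOR", "WIRE_RELEASE", "create a vendor and release payment to it"),
]


def build_entitlement_view(app_exports):
    """Map each user to the set of (application, entitlement) pairs they hold."""
    view = defaultdict(set)
    for app, rows in app_exports.items():
        for user, _account, entitlement in rows:
            view[user].add((app, entitlement))
    return dict(view)


def find_sod_violations(view, rules):
    """Return (user, entitlement_a, entitlement_b, description) for every rule
    whose two entitlements are both held by the same user, regardless of which
    application grants each one."""
    violations = []
    for user, pairs in sorted(view.items()):
        held = {entitlement for _app, entitlement in pairs}
        for ent_a, ent_b, description in rules:
            if ent_a in held and ent_b in held:
                violations.append((user, ent_a, ent_b, description))
    return violations


def find_sod_violations_per_app(app_exports, rules):
    """Evaluate the rules one application at a time. This mirrors a tool whose
    deployment scope covers each system in isolation and therefore cannot see
    a conflict whose two halves live in different applications."""
    violations = []
    for app, rows in app_exports.items():
        violations.extend(find_sod_violations(build_entitlement_view({app: rows}), rules))
    return violations


def review_report(app_exports, rules):
    """Produce a reviewer-facing summary comparing the two evaluation scopes."""
    enterprise = find_sod_violations(build_entitlement_view(app_exports), rules)
    per_app = find_sod_violations_per_app(app_exports, rules)
    missed = [v for v in enterprise if v not in per_app]
    return {
        "enterprise_wide": enterprise,
        "per_application": per_app,
        "missed_by_per_application_review": missed,
    }


if __name__ == "__main__":
    report = review_report(APP_EXPORTS, SOD_RULES)
    for scope, found in report.items():
        print(f"{scope}:")
        for user, ent_a, ent_b, description in found:
            print(f"  {user}: {ent_a} + {ent_b} ({description})")
```

In the constructed data, alice's conflict sits entirely inside the ERP system and is caught either way, while bob's conflict spans the ERP and banking applications and only appears in the enterprise-wide review. That cross-application gap is the practical consequence of the limited deployment scope and account-level granularity described above.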