Q&A: The transformation of identity and access management
Q&A: The transformation of identity and access management
Dave Hansen, general manager, CA Security Management
Q. What are the best ways organizations can address compliance and data security issues this year, given the challenging economic climate in which we all find ourselves?
A. Many organizations have programs in place to automate their security compliance processes. They should continue down this path because it directly contributes to freeing up staff for more strategic business growth tasks. In addition, a transformation of identity and access management is beginning as it joins with data loss prevention technology to deliver a more comprehensive information security solution for compliance and data security. The combination can empower customers to control access to data and set policies on how that data can be used based on a user's identity and role.
Q. What problems or challenges is your company facing in the face of a declining economy and how are you and your executives going to overcome these?
A. Externally, the biggest challenge for CA, like all software companies, is to continue to innovate and develop products that help customers succeed. Our customers tell us they want great technology that solves important business and IT problems, and they want solutions that deliver a quick return on investment to create value and compelling IT economics. The biggest internal challenge is to make sure that all dollars and resources are directed at serving customers and building the business. Several years ago, CA started down a path to become a more streamlined and efficient organization. We're realizing the benefits of those efforts today in an economic environment where efficient operations are a key competitive advantage. We continue to push for increased operating efficiencies and have realized savings across the focus areas of G&A, Selling & Marketing and professional services.
Q. According to SC Magazine's research and many experts in the industry, the information security market may not see as difficult a time in this degraded economy as others since protection of data has become so critical to bottom lines. What are your thoughts on this?
A. We are in an unprecedented economic situation and I don't think anyone can say that any business area is recession-proof. However, we see customers funding the tools that help companies manage security, risk and compliance. The challenge, like I said, is that you have to provide first-class solutions that provide rapid time-to-value.
Q. Speaking of data protection, we're still seeing a great many exposures of personal and critical information, the most recent and largest being the Heartland incident. Where do companies keep making the biggest mistakes in protecting their customers' data?
A. Some organizations rolled out solutions to determine data loss and meet regulatory requirements in different industries. Many of these implementations were focused on forensic type discovery. Organizations need to start using these systems more proactively to ensure that data in motion is protected and monitored.
Q. As we move through 2009, what will be the biggest threats IT security practitioners will need to be mindful of and what are the ways to best address these?
A. As we move through 2009, organizations will be forced to take an aggressive approach to effective identity management and access to confidential information. According to a survey CA sponsored last year, 44 percent of executives see internal security breaches and the insider threat as a key security challenge. This threat has steadily grown year over year and 2009 will be no exception. This year and this economic climate will lead to mergers and acquisitions, and reductions in workforces, making it critical that organizations have a clear view into exactly who has access to systems, applications and data sources. As new employees come on board through M&A activities or new hires, quick and accurate user provisioning is required to ensure employee productivity and business contribution on day one. Companies that are going through restructuring have the opposite task and need to ensure that employees leaving the company have all access revoked swiftly for security and compliance.
Q. What about the newest technological advances that companies are taking advantage of, such as virtualized environments or cloud computing, and other newer ways to conduct business – how should the ensure they are managing their data safely and securely?
A. Virtualization holds potential savings for organizations in hardware costs and energy fees as existing servers begin to operate at a higher capacity by hosting virtual machines that run production applications. With production-level applications run on virtual servers, organizations need to secure those servers and applications just as if it were on a physical server.
There are several security concerns in virtualization deployments including file protection, role-based access rights for administrators and segregation of duties, detailed auditing and the ability to adjust security levels and policies regularly to match the flexibility of the virtual environment. Identity and access management is well suited to help secure virtual machines just as it secures the physical servers they run on.
An additional vulnerability that often goes undetected and unsecured in a virtual environment is that of the super-user or privileged user account. Access control, policy enforcement and segregation of duties help minimize the threat of the super-user without hindering productivity. Identity management capabilities that link a user to a privileged account also help provide an audit trail for compliance purposes.
Q. If there's one thing security practitioners and their bosses should be mastering when safeguarding their business, what would you say it is?
A. Companies need to look more proactively and holistically at their security efforts and ensure they are developing a plan to battle threats from the inside and outside. Often the focus is based on a check list of what they need to do to meet requirements or satisfy an audit. Security organizations should step back and examine the whole program and involve the business functions including HR, finance and other groups to determine the issues and overall security needs in order to become more proactive.