Risk model moves into identity

Across the security industry, experts are encouraging businesses to abandon piecemeal IT systems and data-defense efforts in favor of overarching risk management strategies.

According to some customers, consultants, and vendors, the strategy is starting to prove particularly helpful in addressing issues of identity management and access control.

Long identified by industry analysts as an area where businesses often end up "chasing rainbows" and getting involved in never-ending projects, experts contend that by adopting a risk-based model to drive identity management, customers' goals are actually being realized.

"When developing our architecture, it became very clear that one of the processes that was important to tackle before starting to change things in one region or business unit was to do risk assessment and integrate all the subjects related to access control," said Paulo Martins, enterprise identity and access manager at financial services giant ABN AMRO.

In 2006, the banking company made a decision to rework its identity infrastructure as part of an effort to make access control an even more central focus of its enterprise security strategy.

Rather than simply looking for a new technology to improve its standing, ABN AMRO found that by getting a fix on the areas of its business where controlling access to sensitive data was most crucial -- and then assessing the varying levels of efficacy within its existing operations -- it found a way to move its project forward faster and with a greater sense of direction.

"As companies get larger and the numbers of applications increase, and they grow through mergers and acquisitions, they find that they have different levels of maturity related to identity and access," said Martins. "We built our strategy considering all of these things. The first year was dedicated to process and access control reviews; the second year involved implementation of those processes and use of risk analysis for critical applications."

Among the most valuable topics that ABN AMRO was led to consider as part of its process, he said, was where it made sense to automate identity-based control for its applications and where it did not.

By gauging the number of users and criticality of the data involved in each area of its business, the company was able to set its priorities and get controls in place where the risk of information loss was most widespread or severe, said Martins.

Using risk management to prioritize security

As part of its project, ABN AMRO brought in consultants from PricewaterhouseCoopers (PwC) to help map out its areas of need and define where its greatest data and identity risks lay.

Jerry Lewis, a principal and national identity management leader at PwC, said that his company is advising more customers to tackle their projects using a risk management strategy because it allows them to refine their plans and improve their security standing with greater alacrity.

"We're definitely seeing risk management becoming the next real extension of identity management," Lewis said. "Most large companies we see have spent a lot of time and money putting solutions into place to drive various requirements -- such as in addressing compliance regulations -- and once they have the infrastructure installed, they realize that they need to use more of a risk-based approach."