Not too long ago, identity access management (IAM) hardly warranted a full-time manager. Mostly, these responsibilities were tacked onto other IT employees' duties. But burgeoning demand for this technology is leading to a convergence of business and IT functions and prompting companies like forest products giant Weyerhaeuser Co. to place ads for full-time IAM technologists. "Convergence is the most significant thing happening in identity management," says Jonathan Penn, vice president and research director at Forrester Research. "Integration and convergence are upfront costs that pay for themselves over time through lower operational costs and better overall security."

IAM began life as an IT security framework to identify individuals within an organization who required access to data, and the access management tool acted as a gatekeeper. Now, however, demand is being driven by business functions, including Sarbanes-Oxley (SOX) regulations and the pressure to overlay governance, risk and compliance (GRC) tools on enterprise resource planning systems, vendors say. IAM "is becoming a cornerstone of an enterprise compliance effort," says Venkat Raghavan, director of strategy for IBM Corp.'s Tivoli storage and security software products. "This is a core process that needs to be applied across a system in many applications."

IAM systems play a key role in complying with SOX because they consolidate and enable the provisioning, management and auditing of systems and applications across an enterprise. They also can provide the notification and approval processes. Now, in their latest incarnations as risk-based tools, they can alert managers when unauthorized activity is afoot, extending not only to employees, but also to contractors and customers. For example, when an accounts payable (A/P) employee sends an electronic check to a vendor, the employee uses the IAM system to establish that the recipient is the correct authorized supplier. The technology also leaves an audit trail for SOX compliance or compliance with other regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and Basel II. "Auditors are going to want to know who had access to financial information and when," according to Joe Anthony, program director of security and compliance for IBM Tivoli software. "This provides automatic documentation."

The melding of security and GRC reflects the increasing partnership between the information technology and business sides of corporations, especially in light of fast-paced consolidation trends that have been forcing CFOs to understand enterprise systems from start to finish so they can feel comfortable signing their names on the bottom line of financial reports. This underscores the importance of bringing the CFO and the chief information officer together, says Axel Steinhardt, director of SAP AG's GRC business. "The CFO is talking about auditors, financial risk and segregation of duties, while IT is talking about underlying technology and identity management." According to Lori Rowland from tech consultants The Burton Group, "With identity management intersecting with GRC, there is a blur between controls management and risk management." That means IAM tools must be bought with both IT and business needs in mind.

Realizing that IAM is becoming an important component of the GRC space, several prominent system vendors have been buying up their IAM brethren or developing new IAM products. Among recent announcements over the past two months: Sun's purchase of Vaau Inc., a maker of enterprise role management and identity compliance solutions, and Cisco Systems Inc.'s acquisition of Securent, a maker of entitlement management solutions.

In December, IBM also released its first major update of its IAM software, Tivoli Identity Manager, in almost three years. Version 5.0 includes new features and enhancements that improve management of business policy compliance. IBM says deployment time has been cut in half, thanks to new "out-of-the-box" instructional wizards, templates and best practices that can reduce the learning curve of new users.

As demand builds, IBM and other identity management providers, such as CA, Oracle, Cognos and Novell, are looking to the next generation of IAM tools: sophisticated IAM-based dashboards that will provide vital security information and raise red flags when there are breaches, similar to financial reporting dashboards. Cognos Inc., for one, has been working with clients to develop a strategic cockpit for treasurers and other finance executives. "We have seen considerable interest," says Doug Barton, Cognos marketing vice president. "It's just becoming available as an option for all customers."

IAM is becoming a cornerstone of risk and compliance activities…a core process that needs to be applied across a system in many applications –IBM's Raghavan

Integration and convergence are upfront costs that pay for themselves through lower ops costs and better security –Forrester's Penn

BWise Launches Internal Audit Product

As internal audit becomes an integrated part of the GRC process, it can help organizations mature and improve performance

Governance, risk and compliance (GRC) solutions provider BWise is rolling out a new internal audit module this month as an upgrade to its already successful GRC suite. Working in a secure Web-based audit environment designed to protect sensitive information from unauthorized access, the new solution features an array of capabilities designed to help internal audit staffs organize and document Sarbanes-Oxley 404 and other compliance efforts. Among the new module's features are resource allocation capabilities, detailed audit work planning and audit workflow management. The module also includes audit template management to enable reuse of previous audits and an audit best practices guide. "Organizations who have never had internal audit departments before are now building up expertise and manpower to get a better grip on the company," says Luc Brandts, BWise's chief technology officer and founder. "More and more, it is seen as an integrated part of GRC. Internal audit is now considered much more than the internal police force."

When properly used, internal audit will not only detect fraud and prevent losses, but also help "an organization mature and improve performance," Brandts notes. "But internal audit teams need support, preferably from a system that's tightly integrated with the GRC platform." Integration lets internal audit and business management work jointly and ensures follow-up on any audit issues and optimal reuse of existing documentation, Brandts notes.
