Last week I met with a big bank in Manhattan. We spent a morning talking about privileged account management, identity and access management and what the bank was trying to achieve.
One of the most interesting data points they raised was that they have approximately 1,600 audit findings that they are working on. The most interesting point was that, of the 1,600, approximately half were directly related to identity. The bank employs over 200 people who are responsible for cleaning up these audit findings, so one could assume that there are 100 people or so working on the identity side of the audit issues. Another interesting tidbit was that the work on the findings was pretty much in reactive mode. They were trying to fix the findings, but figuring out WHY something happened was extremely complex in their environment. Furthermore, after figuring out the why, they then had to implement processes to ensure the problem was prevented in the future. Needless to say, they are having some pretty difficult times coping with the problem.
Now obviously a large bank can’t be compared to what everyone else might experience but it does speak volumes about how much compliance is driving people crazy – and driving firms to spend big bucks to fix it. Imagine the cost of having 200 people doing nothing other than fixing compliance issues.
Also, not that I want to get into the fray with Nishant Kaushik and Kim Cameron on governance but I have to say, as Kim titles his blog entry: Governance is key. But, as Kim states:
they (identity and access management products) continued to require extensive manual intervention by security experts to coax “compliant” behaviors out of them
I am going to be a more-than-just-interested party sitting at the sidelines watching how this develops. Office 365 is a great use case. It’s new and it’s not like Kim (and therefore Microsoft) doesn’t know the issues that companies like the bank I visited are facing.
How Microsoft solves this problem for Office 365 is going to be very, very, very interesting indeed.