Rights Management may not exactly be something new, but the rising demands from internal and external auditors are putting it back at center stage. Organizations are being forced to adopt systematic, open and replicable processes for creating, assigning, and monitoring rights within their systems, not only to ease the admins’ workloads, but also to achieve their compliance goals.
Companies have been doing Rights Management for ages now as part of their overall Identity & Access Management (IAM) strategies, mainly with a strong emphasis on the technical issues. Lately, however, the focus has been shifting towards Access Governance instead of simply managing roles and recertifying the processes for distributing user information and certificates. PxM is also gaining new momentum as organizations worry about the risk posed by giving individual users, accounts and identities carte blanche within their corporate systems. The record numbers of participants signing up for KuppingerCole's webinars on these subjects increasingly speak for themselves: XACML and the related topic of granular authorization management for applications and services are growing more important than ever.
As the list of subtopics and related fields indicates, there is no silver bullet that will solve all your Rights Management problems. Technically, it calls for a concerted effort in all four areas: identity management, rights management, PxM and application authorization management.
However, there is an additional area that is even more important: organization. The questions to ask yourself are: What kind of processes do we need? Are those in place capable of fulfilling all our auditors' demands? How do we deal with segregation of duties issues, ensuring that people aren't in effect assigning themselves rights or receiving conflicting ones? And what about risk control? Which verification processes do we have in place? And above all: How do we make sure these policies are implemented correctly and fully within the organization, especially within individual business units?
Flawless Rights Management is no trivial issue. It requires a 360-degree overview of the company and how it needs to manage rights within its systems. Simply looking at the applications is not enough. You need to get the people on the business side interested and involved, which is always a tricky task. However, it can and must be done.
Consistent Rights Management not only determines whether a company can maintain compliance. It also sets the stage for true information security. And that, after all, is what IT is all about: technology for handling information in a mature and responsible fashion.
"It's about the I in IT, not the T"
Information security is becoming more and more important as companies strive to reduce or eliminate leakage. Plugging the holes is a prerequisite for efficient application development so that they can utilize security functions based on accepted industry standards. And as an added benefit, administrative processes in business and IT get to profit, too.
In order to reach that goal we need to make sure we know where we're heading. By looking at the big picture, we can define a roadmap that will help us, a step at a time, to create a truly secure and efficient organization.