Cisco’s recent threat report said that role management could help IT departments handle the insider threat. With role management, IT gives software a definition of what a particular person should have access to. For example, a sales person needs access to the sales database but does not need access to the general ledger.
Some have argued that if the software could tell who was doing what — and could alert IT when someone accessed a system that they should not have access to — then many breaches would never happen. They argued that organizations that suffered breaches lacked role management.
But role management itself might not be the problem. It may be change management rather than role management, Michael Liou, CA (NASDAQ: CA) principal product marketing manager, told InternetNews.com. He is speaking on the subject this week at the ISACA International Conference in a session called “Managing Roles and Entitlements.”
“People think of role management as a one time function, but the business changes, the regulatory environment changes, and there are mergers and acquisitions,” he said. “In addition, people are role accumulators throughout their careers.”
“From an IT standpoint, there are so many entitlements,” he added. “An IT organization supporting 20,000 users on hundreds of resources can be supporting individual entitlements in the millions or tens of millions. The question becomes how to manage it, given this scale.”
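As an added example (not from the article, from CA's product, or from Liou's talk), the two checks the piece describes in Python: role definitions that say what a person should reach, an alert when an access falls outside the user's current role, and a report of entitlements a user has accumulated beyond that role after a change. All roles, users and access events are constructed sample data.

```python
"""Toy role-management check (added example, not from the article or CA's product).
Roles map to the resources they may touch; each access event is compared
against the user's *current* role, and users whose provisioned entitlements
have grown beyond that role (role accumulation) are reported as candidates
for review. All names and events below are constructed sample data."""
from collections import namedtuple

# Role definitions: what a person in that role should be able to reach.
ROLES = {
    "sales":    {"sales_db", "crm"},
    "finance":  {"general_ledger", "payroll"},
    "it_admin": {"sales_db", "crm", "general_ledger", "payroll", "ad_console"},
}

# Each user's current role and the entitlements actually provisioned for them.
# Dana moved from sales to finance but kept the old entitlements (accumulation).
USERS = {
    "alice": {"role": "sales",   "entitlements": {"sales_db", "crm"}},
    "dana":  {"role": "finance", "entitlements": {"sales_db", "crm", "general_ledger", "payroll"}},
}

Access = namedtuple("Access", "user resource")

# Constructed access events standing in for an audit log.
EVENTS = [
    Access("alice", "sales_db"),
    Access("alice", "general_ledger"),   # outside the sales role: should alert
    Access("dana", "sales_db"),          # accumulated entitlement: should alert
    Access("dana", "general_ledger"),
]

def out_of_role_accesses(events, users=USERS, roles=ROLES):
    """Return (user, resource) pairs where the resource is not in the user's current role."""
    alerts = []
    for ev in events:
        allowed = roles[users[ev.user]["role"]]
        if ev.resource not in allowed:
            alerts.append((ev.user, ev.resource))
    return alerts

def accumulated_entitlements(users=USERS, roles=ROLES):
    """Return, per user, the entitlements held beyond the current role's definition."""
    return {u: sorted(info["entitlements"] - roles[info["role"]])
            for u, info in users.items()
            if info["entitlements"] - roles[info["role"]]}

if __name__ == "__main__":
    print("out-of-role accesses:", out_of_role_accesses(EVENTS))
    print("entitlements to review:", accumulated_entitlements())
```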