The concept of being prepared for the worst crosses over all types of incidents.
In security, this means being proactive rather than reactive. Is this a pipe dream? Well, arguably not, according to one company I recently talked to. Jay O'Donnell, CEO of identity management firm N8 Identity, said that the challenge with IAM is that it allows you in or out, while its idea of ‘continuous compliance’ is about knowing who has access to what, how they log in, and what access and privileges they have.
O'Donnell said that the 13-year-old company, which began life as a consultancy, focuses on trying to accomplish things rather than sell technology. “We found quite a gap on what companies were using, what they wanted to accomplish and what the products could do – it was fairly significant,” he said.
“We help operationalise and give an opportunity for companies to layer in their own technology. The challenge is products don't have the scale and flexibility to solve problems as they are made up of components: directory, connectors, user stores and role management, and they are built to have ‘baskets’ of access.
“Systems do not work when they are scaled with a small rollout as they are not capable of role management and require coding and ‘on data’ store level, and it is not technology for storing who has access to what. Most companies have serious gaps.”
This, O'Donnell said, is down to products being reactive in nature, and as an organisation scales up, the issues multiply and become more complex. “Business managers are not in a position to certify users and what happens is the business doesn't understand what is pushed down, but it is not solving problems from a business perspective as they are not fixing what they are intending to fix,” he said.
“We say identity management is a process with business involvement and they all need to participate in it. You can do it in a concerted fashion. You cannot be reactive; you want to prevent access from happening in the first place, instead you are putting out fires.
“We say that proactive compliance is preventing access in the first place, we say be more reactive as people are not fixing the problem before it happens.”
O'Donnell said that in an organisation of 20 people this is not a problem, but if there are 10,000 then it becomes a huge problem. “We help identify who has that access to see who has access to what,” he said.
Companies, he said, have spent upwards of £50 million on trying to solve this problem and ‘have still not scratched the surface of compliance’, and people are still trying to solve the problem after the event. “The reactive model is much more complex.”
Listening to these comments, I did feel that O'Donnell had a point about the problem, but the question has to be asked as to how many companies are able to be proactive against a threat that is unseen and mostly unknown. Compliance and risk management are often the key factors in helping with this.