2012 Predictions: Compliance and Access Management
Continuing our series on threat predictions for 2012, The Tech Herald presents a list of things to consider over the next year, from two different sources, focusing on access management and compliance.
Subhash Tantry - CEO of FoxT
In 2012 enterprises will continue to use multiple solutions for access management until the management burden on IT becomes unbearable. This will force adoption of centralized, automated platforms that can cover granular access control policy management and enforcement across diverse IT infrastructures.
In 2012 policy management for access controls will become a greater problem as organizations will continue to be held financially accountable for failed audits across increasingly complex IT infrastructures. In order to meet compliance requirements, new technologies will be required to centrally manage and enforce access and use of enterprise resources across mobile devices, physical and virtual services, and newly adopted cloud solutions.
In the coming year, insider threats exploiting Windows server and desktop access will increase as organizations struggle to control local accounts.
The increasing complexity of regulatory policies and IT infrastructures will drive IT managers to explore the use of attribute- or role-based access management techniques for enforcing and managing user access to enterprise data.
Many organizations this year deployed cloud solutions for anytime-anywhere accessibility. Unfortunately for many, the purchasing decision was rushed and without a more complete evaluation of how access policy and compliance enforcement would function in the cloud. We believe organizations in 2012 will deploy more granular access management technologies to prevent unmanaged employee access in the cloud.
Michael Hamelin - Chief Security Architect for Tufin Technologies
2012 will be the year of continuous compliance - in other words, organizations will see the value in implementing the ability to track changes to their compliance posture in real or close to real time, as opposed to referring back to a single point in time based on their last audit (e.g., prove they maintain their compliance posture in between quarterly PCI audits).
As a result, investing in automating the audit process will be top of project lists for 2012, which will result in many organizations adopting more mature and effective processes for managing compliance.
Organizations that are not bound to the need for direct regulatory compliance standards will still adopt standards like PCI DSS as a methodology to create a robust network security framework.
Next Generation firewalls will continue their strong adoption by mid-to-large-sized organizations. The need to craft and manage more complex rules, combined with the need to demonstrate continuous compliance, will accelerate the demand for automation.
Once organizations start implementing their own controls to demonstrate compliance, dependence on third-party auditors will decrease.