By Kurt Johnson, VP of Corporate Development, Courion
As environments like Web 2.0, enterprise collaboration, and virtualization
become pervasive, business people are working together in ways previously unimaginable.
The interconnectivity of these environments leads to greater employee productivity,
while diminishing the importance of physical location - business people can
be more productive than ever before, even when out of the office. Virtualization
and collaboration enable organizations to innovate in new ways and rely more
heavily on remote employees, contractors and consultants.
But how do organizations balance the business value of collaboration and virtualization
with the reality of risk management and compliance? Opening up greater access
from various devices certainly enhances productivity, but it also exposes significant
security issues. How can it be done in a manner that doesn't sacrifice business
value and preserves as much of the egalitarian values of collaboration as possible?
Let's take a look at some of the technologies that are unlocking hidden value
in the enterprise and the new levels of exposure and risk these technologies
Collaboration is all about groups of people working on and sharing common content,
including documents, data, and discussion forums. The beauty of collaboration
is that it provides an environment for real-time revision tracking and provides
alerts to content changes - empowering business users to work together in previously
unforeseen ways. Typical forms of collaboration include file shares, discussion
groups and project calendars.
One of the most popular collaborative tools in the market right now is Microsoft
SharePoint, which facilitates collaboration, communications and content management.
Industry pundits herald SharePoint as a key driver for Office 2007 sales, and
it's quickly being adopted in the enterprise. However, tools such as SharePoint
bring new levels of exposure that have yet to be addressed by regulations or
best-practice company policies. For instance, how do companies manage the risk
from an identity and access management perspective when thousands of employee
portals are cropping up without any checks and balances? With company-sensitive
documents being posted and shared, what controls are in place to ensure only
people with proper access can view such information? While collaboration and its
usage are viral by nature, there needs to be some level of access control that
manages who is "collaborating" with potentially sensitive data and
who is responsible for that data's use.
Forrester Research recently issued a report stating that 51 percent of North
American companies have deployed or are testing virtualization technology. What
makes virtualization so popular? Virtualization is about delivering any application
or data to anybody at any time in a more cost-effective manner - making it especially
relevant to organizations with a large mobile or geographically dispersed workforce.
As an organization's workforce becomes increasingly distributed, access to critical
applications and data is required from a variety of locations and devices. Virtualization
affords today's workforce access to the enterprise anytime and anywhere - without
costly client software installs and without bogging down network performance.
Virtualization's strengths in providing "anytime anywhere" access
also represent the greatest threats to enterprise security and compliance. Virtualization
technology excels at providing user access to applications and data - but it
is not designed to determine whether that user should have access to those applications
at all. Virtualization creates a new level of exposure in adhering to compliance
and security policies - adding layers of complexity to company access policies
as well as enforcement of these policies.
Compliance in the New World
So what's an organization to do? Should they forgo the obvious and needed benefits
and competitive advantages afforded by these technologies because of security
concerns? Of course not. But organizations need to understand the vulnerabilities
they are introducing into their information security strategies by leveraging
these as well as enterprise Web 2.0 technologies.
Identity management and access compliance software has traditionally focused
on in-house enterprise access - the act of putting the policies and procedures
in place to ensure that users only have access to the applications and data
to which they've been granted rights based upon their job or role within the
The introduction of collaborative tools like SharePoint and virtualized access
complicates matters. Both environments provide limited visibility into how a
user achieved access to a particular application or data and make it more difficult
to determine what content is being shared. This muddies the compliance waters
The key to effectively and securely deploying virtualization and collaboration
technology is to ensure that policies are in place to control access and content
and that they are being enforced - every time.
Manually provisioning and reviewing access to these environments and applications
can be a tremendous burden to an organization's IT staff. To ensure policy is
being enforced correctly every time virtualized or collaborative access is established,
organizations need to automate the enforcement of security and regulatory policies
for access to these environments.
The key is establishing strong policy and automating workflows to ensure these
policies are followed every time. Access policy also cannot be demonstrated
solely in IT terms. For example, simply showing a line-of-business manager that
someone has access to an Active Directory Group will not give that manager the
ability to ensure proper access. It needs to be shown in business terms that can be
easily understood. Also, this solution greatly alleviates what can be a labor-intensive
effort by the IT staff, and puts control into the hands of the line-of-business
managers - giving them the ability to create access only where it's appropriate,
and only for the properly credentialed. Automation also provides an auditing
mechanism to provide periodic checks of users' access to ensure that it's in
line with corporate policy.
While these productivity environments will revolutionize the way organizations
do business, addressing the security and compliance vulnerabilities raised by
collaborative and virtualized environments is a top priority. Organizations
can maintain unparalleled productivity and innovation while maintaining access
compliance through automating the creation, enforcement and validation of corporate
policy, providing a mechanism for quick remediation and removal for anyone who
fails to follow company policy.
About the Author
Kurt Johnson is responsible for Courion's strategic direction, product management, and securing and managing Courion's alliances and partnerships. Prior to Courion, he was vice president of the Service Management Strategies program at META Group, a leading industry research organization, where he established himself as a leading authority on the help desk, IT service management, system management and IT outsourcing markets. Johnson is widely recognized as an authority on support automation and self-service operations.
Courion's award-winning Access Assurance solutions are used by more than
four hundred organizations and over 9 million users worldwide to quickly and
easily solve their most complex identity and access management (password
management, provisioning, and role management), risk and compliance
challenges. Courion's business-driven approach results in unparalleled
customer success by ensuring users' access rights and activities are
compliant with policy while supporting both security and business
objectives. For more information, please visit our website at
www.courion.com, our blog at http://blog.courion.com/, or on Twitter at