***Editor's Note: For an in-depth look at the next wave of attacks targeting your company, replay ebizQ's Threatscape 2008 right here.

IT controls around user access, regardless of the internal business policy or industry regulation, are the common denominator for surviving audits and ensuring compliance. However, the creation and enforcement of access policy for job-critical applications and systems is an increasingly complex undertaking, especially for organizations with large transient workforces. Adding to the complexity is the rapid adoption of new technologies that support increased enterprise collaboration and virtualized or remote access. In the coming years, organizations' approach to addressing compliance requirements will be put under a microscope, especially as high-profile data breaches continue to make headlines, and repercussions for non-compliance weigh heavily on companies' reputations and their bottom line.

With the constant pressure of audit cycles required to demonstrate compliance with business policies or guidelines such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry (PCI) Data Security Standard and the Sarbanes-Oxley Act (SOX), many organizations are being pushed into "reactive mode." They scramble to simply meet the next deadline, and pass the current audit -- not able to plan ahead for what the next one may entail. This often comes at a cost with many resources dedicated to the latest fire-drill approach to get through the audit of the day.

In order to break out of that reactive rut, business mangers, who are increasingly shouldering compliance responsibilities, need to be able to proactively evaluate the risks associated with access created (intentionally or not) within new virtualized or collaborative work environments. This means being able to answer critical questions related to where the exposure is and what policy is being enforced, and in some cases, determine how they can go back and build policies around new access compliance exposures that are not currently being addressed.