
Data Meets Applications in Identity and Access Governance

By Earl Perkins | May 07, 2012 | 2 Comments

IT Governance, IAM

Do you find yourself sometimes looking at a problem in hindsight and saying to yourself “well, the answer to THAT was obvious”? When you are able to examine trends or history looking back, you can spot patterns where they may not have been obvious previously. I find myself doing that in identity and access governance (IAG) when it comes to the problem of governing access to data, whether unstructured, semi-structured, or structured.

If you look at IAG products today, a rather clear characteristic emerges: they are application-centric. The features that address access request administration assume that requests for access are primarily requests for applications. The discovery and mining tools focus predominantly on applications and on the repositories that serve them. The analytics tools usually deliver their reports in terms of applications. This is a good thing, not a bad thing. But it isn't a complete thing.

Clients have similar requests for access to data, whether it is data in Windows file systems, data stored as email or documents, or data in well-known formats; whatever the form, it is data nevertheless. Sure, there may be an application between the requestor and the data, but the data is the primary target. The application doesn't dictate the rules of engagement; the data does. Many of the products today that can or do handle access to data are often not covered, or even mentioned, in IAM in general and IAG in particular.

Fortunately, that is starting to change.

A number of the IAG vendors are beginning to aggressively partner with data loss prevention (DLP) and security information and event management (SIEM) vendors in pursuit of extending their functionality into the data realm. Some are developing such capabilities organically rather than via partnership. Most are leveraging their identity and access intelligence functionality to collect, correlate, and analyze data to produce the intelligence required to broaden the scope of IAG from just applications to applications and data.

It isn't a moment too soon. Stand-alone IAG vendors are under 'attack' by the IAM portfolio or suite vendors. The suite vendors believe that IAG administration and management features should be absorbed into the traditional user provisioning/de-provisioning products they have been selling for years. Or, to view it another way, suite vendors believe that they should absorb the user provisioning features of their established products into the IAG products they have acquired or developed. Whichever direction they take, they are seeking to marginalize the smaller, more nimble players by showing that IAG features belong on the mainstream side of user administration. This means the stand-alone players must seek new ways to innovate and expand their feature set, preferably in a logical and customer-driven way. In the case of the marriage of data and application access governance, it is a logical union. The question will be whether they can pull it off at a pace that addresses customer demand while still providing competitive differentiation.

The next time you talk with IAM vendors about identity and access governance, ask them about their plans for data access governance. Make sure their story and what they can deliver matches your expectations for complete IAG.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.



  • Todd Harris says:

    The big one here is the integration of SIEM (aka Security Intelligence / Situational Awareness) with IAG. Of course IAG vendors will benefit with gobs of events, devices, and network data to bring into the mix. SIEM vendors will have a whole new level of personality to their intelligence – beyond fname/lname/IP. It’s a great match.

  • I can't agree more. However, the problem is that SIEM solutions depend strongly on log files, and for most (if not all) of the relevant data sources the log files are just not there. Intelligence? Yes. SIEM? I'm not sure.