IT is very well known, first, for its ability to create three-letter acronyms and, second, for mixing up different marketing terms, leading to overlapping and sometimes rather unclear market segments. Besides, many vendors try to convince people that their (and only their) solution is a sort of holy grail for all problems.
This situation becomes very obvious when you look at technologies like IAM, GRC, DLP, PAM, and IRM. These are tightly linked together, and none of these approaches solves all your problems. Thus, it requires an integrated strategy and approach to really address your compliance and security needs.
What these acronyms are about…
To start with the acronyms and their meaning: IAM stands for Identity and Access Management, i.e. the capability of managing identities and entitlements across their entire lifecycle. In a broader definition, that term includes everything around digital identities, including aspects like PAM and IRM. GRC is the acronym for Governance, Risk Management, and Compliance. It is commonly understood as a layer above IAM. Whilst IAM is more focused on the technical and administrative aspects, GRC is the link between business and IT. DLP is the abbreviation for Data Leakage Prevention (or Protection), i.e. approaches which help to avoid uncontrolled leaks of valuable or sensitive information. Whilst the term is pretty broad, many vendors' implementations are limited to specific technical approaches which help to deal with some aspects of DLP, like the unmanaged use of USB tokens.
PAM is the acronym for Privileged Account Management. Some vendors prefer PIM (Privileged Identity Management). These technologies try to manage the use of privileged accounts, i.e. administrative/root accounts, service accounts, technical users and so on. These accounts often provide extensive access with limited control over how they are used. IRM, finally, is Information Rights Management, the business counterpart to Digital Rights Management (DRM). The goal is to protect information at the level of the information itself, i.e. attaching access control information to the information, encrypting it and allowing access only with appropriate access rights. There are even more technologies: we could add Key Management or all the parts of IAM like Identity Provisioning, Enterprise Single Sign-On, and more.
The links between different approaches
All these topics are tightly linked together. From the Kuppinger Cole perspective, IAM and GRC are the main layers. IAM and GRC are dependent on each other. Classical IAM, at least without the GRC features which many vendors are currently adding to their core IAM solutions, can't provide everything which is required from a GRC perspective. On the other hand, GRC also requires the more administrative and technical capabilities of IAM to apply the results of business roles and rules as effective access control settings to the systems.
PAM is an add-on which allows managing specific types of accounts that usually aren't fully covered by Identity Provisioning solutions: these are well able to manage the entire lifecycle of "normal" identities but struggle with these specific account types.
IRM strongly relies on an identity management infrastructure and, in effect, is just a specific type of access control. It is probably the best approach, because it doesn't manage access only on specific types of systems but regardless of which system the information is stored on or transported through.
IRM, on the other hand, is, as mentioned above, also a specific means of DLP. And it is, by the way, probably the most effective approach to DLP. DLP usually focuses on preventing leaks caused through specific types of hardware, whilst IRM protects the information itself. Thus, DLP might add some level of security to IRM, but IRM goes well beyond DLP.
There is also an interesting relationship between DLP and overall IAM. Recently, some vendors announced "identity-aware" solutions for DLP. Most of today's DLP solutions focus on protecting specific device types, regardless of who is using them. The new solutions also take into account who is using the devices. But as mentioned above: shielding the information itself is, without doubt, the more comprehensive approach.
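The IRM model described above (an access policy attached to the information, the content encrypted, and the key released only to an identity whose entitlements match) as an added illustration that is not code from the original post or from any vendor's product: a hypothetical RightsServer holds the content keys and consults a user directory (the IAM dependency) before releasing one, with a toy SHA-256 keystream standing in for a real cipher. It also shows what the DLP comparison implies: a forwarded copy stays protected, a tampered policy is rejected, and revoking an entitlement in the directory takes effect on every copy already in circulation.

```python
import hashlib
import hmac
import json
import secrets

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter-mode keystream; stands in for a real AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class RightsServer:  # hypothetical IRM back end, constructed for this example
    def __init__(self, directory: dict):
        self.directory = directory  # user -> set of groups (the identity infrastructure)
        self.keys = {}              # object id -> content key, never shipped with the object
    def protect(self, obj_id: str, plaintext: bytes, policy: dict) -> dict:
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self.keys[obj_id] = key
        pol = json.dumps(policy, sort_keys=True).encode()  # policy travels with the content
        ct = _xor_stream(key, nonce, plaintext)
        tag = hmac.new(key, pol + nonce + ct, hashlib.sha256).digest()  # binds policy to content
        return {"id": obj_id, "policy": pol, "nonce": nonce, "ct": ct, "tag": tag}
    def open(self, obj: dict, user: str, right: str) -> bytes:
        key = self.keys[obj["id"]]
        tag = hmac.new(key, obj["policy"] + obj["nonce"] + obj["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, obj["tag"]):
            raise ValueError("policy or content tampered with")
        groups = self.directory.get(user, set())  # looked up live, so revocation takes effect
        if not any(right in r for g, r in json.loads(obj["policy"]).items() if g in groups):
            raise PermissionError(f"{user} lacks '{right}' on {obj['id']}")
        return _xor_stream(key, obj["nonce"], obj["ct"])

def outcome(server, obj, user, right):
    try:
        return server.open(obj, user, right)
    except (PermissionError, ValueError) as e:
        return type(e).__name__

def demo() -> dict:
    server = RightsServer({"alice": {"finance"}, "bob": {"sales"}})  # constructed directory
    doc = server.protect("q3-forecast", b"confidential numbers", {"finance": ["view", "edit"]})
    forwarded = dict(doc)  # e.g. sent on as an e-mail attachment: protection travels with it
    forged = dict(doc, policy=json.dumps({"sales": ["view"]}).encode())  # policy rewritten
    results = {u: outcome(server, forwarded, u, "view") for u in ("alice", "bob")}
    results["forged"] = outcome(server, forged, "bob", "view")
    server.directory["alice"] = set()  # entitlement revoked centrally, after the copy left
    results["alice_revoked"] = outcome(server, forwarded, "alice", "view")
    return results
```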
A strategic approach
Given the tight relationship between all these technologies, it is obvious that effective solutions have to be built on a strategy which covers all these aspects. DLP will close some of the security gaps, but it won't solve everything. IAM provides access controls for systems, but if information is exchanged, for example as an e-mail attachment, there is no protection without additional systems, mainly IRM.
Thus, investing in DLP, for example, might solve some issues at first glance, but it might turn out to be money thrown away because it only improves the perceived security without really closing the security gaps.
Companies have to start with the big picture, defining the layers of protection they would like to implement to close the security gaps with as little effort and as few technologies as possible. That won't be a single approach: only a thoughtful combination of technologies will really improve the level of information security.
What we observe and what we expect
Despite the marketing buzz of vendors trying to position themselves as the ones who solve every threat, we observe some interesting trends towards better integration. Even though PAM today is usually separated from IAM, we expect that vendors will add PAM capabilities, either through their own development or through acquisitions, to their provisioning platforms.
GRC and IAM are still tightly coupled, with a growing number of GRC functionalities in IAM applications as well as more standard interfaces between provisioning and GRC platforms.
The identity-aware DLP approaches have been mentioned above. We also observe IRM gaining momentum, where we expect a significant impact from the improved interoperability of Microsoft's Windows Rights Management once the "Geneva" framework is finally released, providing the capability for standards-based federation to that IRM implementation.
Technologies are converging, but customers still have to define their own approach to dealing with the issues of security, GRC, efficient administration, and information leakage.