Ending the Tug-of-War Between Agility and Compliance
Building a GRC Foundation that Connects IT Controls to Business Policies
Written by Todd Swensen
Businesses have always faced an underlying tension between agility and control. On the one hand, you need an infrastructure that can respond quickly to competitive threats and new business opportunities. On the other hand, expanding regulations make new processes and controls nearly unavoidable, which all too often leads to a slower, less responsive enterprise. So which option do you choose? Do you grudgingly accept a higher level of regulatory risk to make your organization more agile? Or do you err on the side of caution with more restrictive controls and processes that can slow your business down and take away your competitive edge? Finding the right balance between agility and compliance presents a difficult dilemma—especially when different factions and interests inside your organization are constantly tugging on opposite ends of the rope. (See Figure 1.)
Fortunately, a new approach is emerging—one that focuses on connecting compliance controls directly to your overall business objectives. At the highest level, this means turning your infrastructure into a strategic asset that can simultaneously keep you compliant and drive business results. And of course, it's a significant departure from the siloed, tactical approach many businesses depend on today, where teams are assembled to address specific compliance needs and the only goal is passing the next audit. This new, more proactive model requires the kind of infrastructure that can provide deeper visibility into business objectives—and then clearly show how all the controls and processes you put in place affect those objectives across the whole enterprise. In other words, moving beyond the agility/control tug-of-war means taking governance, risk and compliance (GRC) solutions to the next level—by finding a way to map everything that's happening in your enterprise directly to the business results you're working to achieve.
Connecting the Dots
So what does this new strategic infrastructure look like? And exactly what will it take to get there? The good news is that most organizations already have at least some of the necessary pieces in place. For example, some enterprises have already integrated their identity management systems and access control tools to create a more automated compliance framework. Others have added automated, real-time security capabilities to their identity infrastructures, which allows them to automatically test the controls that protect the organization. And most organizations already have some kind of solution in place to manage and enforce business policies. Although every organization is at a different point along this path to GRC maturity, most are in a position to leverage their existing investments as they move toward a framework that connects compliance efforts to business results. It's simply a matter of extending those investments, adding additional pieces, and then enabling all the components to interact and work together in new ways. Of course, this is much easier said than done. Forming all of the necessary connections and interactions among various IT controls, business policies, systems and applications demands a great deal of careful thought and planning. It also requires vendors that understand the big picture and are working actively together to close the traditional gaps between IT controls and business policies. (See Figure 2.)
Novell, SAP and Greenlight: Forging New Connections
Novell, SAP and Greenlight are at the forefront of these efforts—with joint offerings that make it practical and affordable to create and extend these crucial connections across your enterprise. This starts with the Novell Compliance Management Platform, which integrates identity and access information with security information and event management technology to give you a real-time, enterprise-wide view of every network event. By creating a bridge between identity management (which defines who should have access to specific resources) and security event monitoring (which tracks who is actually accessing those resources), the Novell Compliance Management Platform provides important new integrated governance and risk management tools that deliver new levels of visibility and control.
Next, a Novell Compliance Management Platform extension for SAP environments connects all these integrated Novell identity, access and security management capabilities to the risk analysis features in SAP's GRC solutions. This creates a proactive infrastructure where IT controls and SAP access control tools work together to ensure authorized and appropriate access, avert threats and automatically shut down activities that could lead to policy violations.
Finally, a partnership with Greenlight extends risk analysis and remediation within business applications. For example, Novell provisions users into specific applications and indicates when users have logged in, while Greenlight determines what users are allowed to do within the application based on segregation-of-duties (SoD) rules. This makes risk analysis and compliance an integral part of the end-user provisioning process enterprise-wide, so you always know who is provisioned to what application and what they can do in that application.
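The two mechanisms described above, bridging "who should have access" (provisioned entitlements) with "who is actually accessing" (monitored events), and evaluating SoD rules at provisioning time, can be illustrated with a small script. The following is an added example written for this page; it is not code from Novell, SAP or Greenlight and does not use their products' APIs. The entitlement store, the SoD rule format, the event line format and every user, application and role name are constructed assumptions chosen to keep the example self-contained.

```python
"""Added illustration (hypothetical, not vendor code) of two GRC checks:
1. flag access events that no provisioned entitlement explains, and
2. evaluate segregation-of-duties (SoD) rules before a provisioning change.
All data below is constructed for the example."""

# Constructed entitlement store: user -> set of (application, role).
# In a real deployment this would come from the identity management system.
ENTITLEMENTS = {
    "alice": {("erp", "ap_invoice_entry")},
    "bob":   {("erp", "ap_invoice_entry"), ("erp", "ap_payment_release")},
    "carol": {("crm", "sales_read")},
}

# Constructed SoD rules: (application, role_a, role_b) pairs that a single
# person must never hold together (e.g. entering and releasing payments).
SOD_RULES = [
    ("erp", "ap_invoice_entry", "ap_payment_release"),
]

# Constructed access events, one per line: "timestamp user app action".
# This stands in for records a SIEM would normalise from application logs.
EVENTS = """\
2024-01-05T09:12:01Z alice erp ap_invoice_entry
2024-01-05T09:15:44Z carol erp ap_payment_release
2024-01-05T09:20:10Z dave crm sales_read
2024-01-05T09:25:00Z bob erp ap_payment_release
"""


def parse_events(text):
    """Parse the constructed event format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, action = line.split()
        events.append({"ts": ts, "user": user, "app": app, "action": action})
    return events


def sod_conflicts(entitlements, rules):
    """Return (user, app, role_a, role_b) for every SoD rule a user violates
    with the entitlements they currently hold (a detective control)."""
    conflicts = []
    for user, roles in entitlements.items():
        for app, role_a, role_b in rules:
            if (app, role_a) in roles and (app, role_b) in roles:
                conflicts.append((user, app, role_a, role_b))
    return conflicts


def unentitled_access(events, entitlements):
    """Return events whose user holds no entitlement for that app/action pair.
    Users absent from the identity store (orphan or local accounts) are
    reported too, since no provisioning record explains their access."""
    findings = []
    for ev in events:
        roles = entitlements.get(ev["user"], set())
        if (ev["app"], ev["action"]) not in roles:
            findings.append(ev)
    return findings


def check_provisioning_request(entitlements, rules, user, app, role):
    """Preventive control: evaluate SoD rules against the entitlements the
    user WOULD hold after the request, without changing the store.
    Returns the list of rules the request would violate; empty means OK."""
    proposed = set(entitlements.get(user, set())) | {(app, role)}
    return sod_conflicts({user: proposed}, rules)


if __name__ == "__main__":
    for c in sod_conflicts(ENTITLEMENTS, SOD_RULES):
        print("SoD conflict in current entitlements:", c)
    for ev in unentitled_access(parse_events(EVENTS), ENTITLEMENTS):
        print("Access with no matching entitlement:", ev)
    print("Would alice + ap_payment_release violate SoD?",
          check_provisioning_request(ENTITLEMENTS, SOD_RULES,
                                     "alice", "erp", "ap_payment_release"))
```

The detective check (`unentitled_access`) is the identity-to-event bridge the article describes: an event that no entitlement explains is the kind of finding that should be investigated or automatically remediated. The preventive check (`check_provisioning_request`) shows why SoD evaluation belongs inside the provisioning workflow rather than only in a periodic audit: the conflict is caught before the access exists.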
Building a Better GRC Foundation
This new infrastructure—where SAP business policies are integrated with Novell event management and monitoring and then extended across the whole enterprise—finally creates an environment where business objectives and compliance requirements can work in harmony. It makes a state of continuous, automated compliance a practical reality. And it finally puts a permanent end to that counterproductive tug-of-war between agility and control.