And do not forget about privileged account management: "You cannot begin to get control over privileged accounts, IT administrators, or even software licensing costs until you enable an effective Identity and Access Management solution."
RBAC
Defining and enforcing roles is a huge topic. Although simple in theory, assigning roles to people and then setting access control according to role is non-trivial.
Bruce Schneier has some great info in his latest newsletter "Real World Access Control".
What may seem easy at first is complicated by poorly defined roles, constant role churn, multiple roles, and the pragmatic fact that under-entitling employees incurs productivity costs.
I like Stiennon's suggestions to keep it simple, start by defining groups for each function in the organization, and include tools for review of exceptions; as he puts it, "granular control over what people do on your networks and a means to enforce the policies that regulation and security best practices require."
Compliance and Reporting
Regular review of audit logs to see who has accessed what is important. Monitoring and logging are essential to understanding risk and detecting malicious activities.
Enter the Cloud
Of course, all the above take on new challenges once we leave the corporate four walls.
Technologies that extend the span of Authentication and Access Control to SaaS Apps are indispensible. Simply because an app is SaaS does not make it immune to regulatory needs.
What Now?
Listen to the experts! Employ processes and tools that manage the insider threat. Look at the facts: this threat is real.And all organizations have these risks. And of course, build you r single most valuable defense: IAM.
