ID management enters the application stack

The complexity of managing governance, risk and compliance (GRC) activities is driving firms to integrate identity and role management into the application stack.

According to analyst group Kuppinger Cole & Partners, identity management and role management have become so fundamental to enterprises' ability to manage GRC that business leaders are looking at new ways to simplify the process.

Headline cases such as Société Générale have hammered home the importance of being able to track and audit users' activities, said Martin Kuppinger, founder of Kuppinger Cole. This need becomes paramount as organisations embrace service-oriented architecture, users' identity has to be managed across a proliferation of federated applications.

"Vendors such as SAP and Oracle have understood that identity management can be addressed in the context of business applications," he added.

SAP this week updated its GRC product line, introducing new risk management analysis tools which it says will help business leaders to control their organisational risk profile. These tools "allow executives to effectively determine their risk thresholds and implement key risk indicators" to monitor compliance, said Narina Sippy, general manager of the GRC unit at SAP.

International drinks company Barcardi uses SAP's GRC tools to keep watch on 300 staff, representing 40 different roles within the company. This allows it to track possible role conflicts – such as an employee raising and signing-off the same purchase order – and the feeding this information back so that executives can understand the entire risk profile of the company.

Traditionally, IT has tackled GRC issues with point solutions, but business leaders are increasingly concerned that this approach may not give them a complete picture of their exposure to risk, said Gartner analyst French Caldwell. And while he does not believe that an out-of-the-box GRC solution is yet likely, controls are "likely to become embedded in business applications and networks", he added.

Already enterprise application vendors such as SAP and Oracle have acquired identity management vendors to flesh out their GRC offerings.