TOM KEMP'S CENTRIFY BLOG
Saturday, January 5, 2008
Back in October I attended the Goldman Sachs' "Building Great Security Companies 3.0" conference, which covered trends impacting the future of information security. One of the highlights for me was Sarah Friar from Goldman Sachs discussing the results of the fifth installment of Goldman's security spending survey that was published in September 2007. Over the holidays I had the opportunity to catch up on some reading material, and I was able to finally review the 2007 survey in detail, and was curious what had changed from the 2006 security spending survey edition that I blogged about previously.
This survey interviews "50 managers with decision-making authority for security spending at multi-national Fortune 1000 companies." It projected that security budgets would grow 8.3% for 2007 and 7.8% in 2008, as compared to growth of 12% in 2006. Aha, so security spending is moderating a bit - not so good news for us security vendors. But actually, if you compare that growth to the projected overall growth in IT spending, which Goldman Sachs projects to be in the 6-7% range for 2007, one could argue that security is in a more "must have" category than overall IT spending. So that is good news for us security vendors in that our solutions may be higher priorities vis-a-vis other IT solutions.
Not surprisingly, her study revealed the biggest driver for security spending is compliance, with over 84% of respondents saying it was their top driver, compared to 78% in 2006. The top 5 drivers for security spending in 2007 were the following (factoring in multiple responses):
Compliance/regulations (e.g. GLB, SOX, HIPAA) | 84%
Internal threats (data leakage, data loss, etc.) | 52%
External threats (virus, hackers, etc.) | 48%
Employee use of mobile devices | 32%
New technologies such as VoIP | 28%
This matches the fact that compliance is a key driver of our DirectControl solution, and some of the most downloaded white papers on our web site are descriptions of how Centrify DirectControl can help address SOX requirements, the Payment Card Industry Data Security Standard (PCI DSS), and compliance in general.
The second driver is "Internal Threats" at 52%. This actually is a big feature and benefit of our DirectAudit solution, which in effect provides a "TiVo" or "VCR" for your UNIX and Linux systems: it collects all activity (i.e. both input and output) performed by users (e.g. superusers and/or those with root permission), lets your auditors see whether someone has been doing something they should not be doing, and plays back, like a VCR, exactly what those users were doing.
Given compliance is such a key driver of security spending, it is also not surprising that the Goldman Sachs security survey then later documents that Identity and Access Management is the top "intend to spend" within security as shown below.

The survey notes: "IAM (Identity and Access Management) solutions scored highly in our survey for the fifth time running, with 72% of respondents expecting to increase spending in the area over the next 12 months. Beyond compliance, IAM can be a first step in preventing internal threats or data loss. We believe that IAM spending will continue to be strong over the next few years as additional technologies come to market."
Given the pain that these CISOs are clearly expressing regarding Identity and Access Management, we at Centrify think we offer the painkiller for them. Our solution "embraces and extends" their existing Active Directory deployment by integrating non-Microsoft systems, applications, databases, etc. with Active Directory. This means all the benefits you have in the Windows environment from an identity perspective (single sign-on, centralized point of access control, etc.) can now extend across the enterprise, making it much easier and cheaper to meet your compliance needs than, say, putting in a complex synchronization solution. Likewise, our DirectAudit solution makes it easy to deter internal threats by providing the security camera on your UNIX and Linux systems.
From my perspective I think the key takeaway is that it is comforting for us as a vendor to know that our focus on compliance matches what customers think is their top priority within security. A great example of this is how we were able to focus our solutions on helping customers pass their PCI audits — in effect the idea behind DirectAudit was born in part out of wanting to help customers become compliant with Section 10 of the PCI DSS. If you have not done so already, please check out some of our compliance white papers.