Security threats are everywhere -- so what is the appropriate response, given that you can't block everything? One approach: Focus on user identity. According to Mike Denning, General Manager of the Security Customer Solutions Unit at CA Technology, enterprises need to understand who their users are if they want to provide real security.

Denning delivered a keynote address yesterday at the RSA security conference in San Francisco, which he later discussed in an interview with Denning's view is that IT security professionals need to move to a proactive user-centric approach that enables businesses to do more, rather than block more.

"I talk to a lot of CISOs and they tell me that identity has become the final audit and control point," Denning told "Data doesn't live inside the firewall anymore, it lives out there in the cloud."

Given that data that can exist in places where an enterprise doesn't directly control access, it is more essential then ever to provide authoritative security. According to Denning, the best way to do that is by controlling access to information through secure authentication of each individual that is accessing the data.

The idea of a world in which identity is federated across disparate heterogeneous systems is one that still has a few challenges though.

"It is a possibility, but it's clearly not the reality today, but we are definitely chasing it," Denning said.

That said, the rise of identity governance as a best practice for IT is beginning to take root. With proper identity governance, users can be given the correct role-based access to applications and assets. If, for example, an employee used to work in human resources and now works in the finance department, that person needs to have his or her HR-specific access rights removed -- and a new set of access priveliges needs to be provisioned. Tracking role-based access dynamically is a necessity for proper identity governance.

As the IT security industry marches towards role-based identity access, there are still some missing pieces, according to Denning. Identity proofing is one such issue, especially in the consumer space. Denning noted that many enterprises do have a good methodology for validating that a person is who they say they are.

"As you look at the consumer-facing applications, the technology for identity proofing is still an evolving area and a challenge," Denning said.

Sean Michael Kerner is a senior editor at eSecurity Planet and, the news service of the IT Business Edge Network. Follow him on Twitter: @TechJournalist.