Access Assurance – How to cut costs and improve security

Courion Corporation | www.courion.com


In today’s difficult economy, businesses are increasingly challenged by the need to improve efficiency and effectiveness. They need to ensure they are meeting their customer needs whilst, simultaneously, cutting costs to conserve cash and other precious resources. Depending on their circumstances, different companies are adopting different strategies to solve these problems, which all boil down to the need to do more with less – less cost, less people or less time.

At the same time, the regulatory environment continues to increase the burden on businesses, requiring them to exert greater effort, without necessarily delivering greater business value. These regulatory pressures are converging from two different sources: government regulations and industry requirements.

Relevant government regulations in the United States include the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act (SOX). Companies operating in the UK and Europe must meet the data protection requirements of the UK Data Protection Act 1998 and the EU Data Protection Directive (95/46/EC), as well as the operational-risk and internal-control expectations of the international banking supervisors (Basel II) and other relevant authorities.

Industry-specific requirements are also driving organisations to spend large sums of money and energy to deliver infrastructure that enables them to be compliant. Probably the most widely known example is the Payment Card Industry Data Security Standard (PCI DSS), which affects any organisation that accepts credit or debit cards.

What these regulations all have in common is that they require organisations to implement processes and procedures designed to protect sensitive information from being compromised. Whilst each act or regulation comes at the data protection problem from a different perspective, they all result in the need to ensure that only the right people have access to the right resources and are doing the right things with them.

As the identity and access management market has evolved, its scope has also been evolving: from password management to a broader security management focus. However, much confusion remains in terms of understanding how this market has evolved. As one observer recently put it, “Is it a provisioning play, a role-management play, a password-management play, a compliance play, or all of the above?”

Other technologies and markets, such as policy management, security and intrusion detection, or governance, risk and compliance (GRC), are also converging on this problem space, leading to even greater confusion on the part of some as they try to figure out where the various vendors deliver value.

Virtually all modern organisations depend on various computer systems to perform vital business activities. These include a dizzying array of PCs, servers, databases, networks, file shares, middleware, collaboration tools, web sites, enterprise portals, and a host of enterprise applications (HR, finance, manufacturing, healthcare, etc.). Employees (and others, such as contractors, temporary workers, or business partners) all require access to these various systems in order to perform their specific business functions efficiently and effectively.

The bottom line, for many organisations, is that they require identity and access management solutions to help them manage end-user identities, improve the end-user experience and conform to audit and compliance requirements, whilst continuing to drive to reduce overhead expenses and enhance productivity.

Access Assurance Vision
What companies are looking for to address all these issues is, in other words, Access Assurance.

What is Access Assurance and what are the elements that companies should be looking for in order to ensure that they are getting value from adopting an Access Assurance strategy?
Courion’s vision of Access Assurance is based on the interaction of three complementary components that combined enable organisations to fully automate the management of users’ identities and access rights. They are:
• Access Governance
• Access Provisioning
• Access Compliance

Together Access Governance, Access Provisioning and Access Compliance provide the basis for designing, implementing, managing, monitoring and remediating end-user access rights and entitlements.

Access Governance
Access Governance is the process of defining corporate access management policies. There are two major elements to consider when developing an Access Governance strategy: policy and roles.
Policies can vary considerably from one organisation to another, but some examples of widely used policies include:

  • Restrictions on access rights – which users have access to which applications and/or data, and at what level of privilege.
  • Authorisations – governing who can approve what; for example, purchase orders greater than £10,000 must be approved by a Managing Director, or only a department manager or supervisor can originate a new hire.
  • Information classification – differentiating non-critical information from sensitive or proprietary data (such as protected personal information).
  • Principle of least privilege – defining the minimum level of privilege users require to perform their function, and granting no more.
  • Segregation of duties (SoD) – policies intended to minimise the potential for fraud or abuse by ensuring that no single person can both initiate and approve a sensitive transaction. Reliable authentication and authorisation are essential to enforce SoD policies.
  • Password strength – policies that govern password quality, such as minimum length, complexity (e.g., a mix of alphabetic, numeric and special characters), expiration, prohibiting password reuse, and rejecting words commonly found in a dictionary.

Roles are a valuable adjunct to a comprehensive Access Governance strategy. Every organisation, regardless of size or complexity, employs the concept of roles in its organizational design. Roles (senior teller, sales manager, customer service specialist, etc.) control the business operations that users can engage in.

From an information technology perspective, roles determine the systems and access rights that individual users should be granted. For example, all users may be granted accounts on a corporate email server and file server. However, only certain roles in the human resources (HR) department may have access to the HR functions within a PeopleSoft system, whilst only senior tellers may have access to certain banking operations, such as cash drawer reconciliation.

Business Alignment
Defining business roles and associating them with specific IT accounts and respective access rights is essential to properly aligning business operations with the information technology infrastructure, by ensuring that authorized users have appropriate access to mission-critical business assets.

Without understanding the business role a user plays within an organisation, it becomes difficult for IT to determine which applications the user should be able to access or what rights and entitlements the user should have within the application. This often results in over-provisioning, wherein users are granted access to applications that they don't require. Similarly, as users shift from role to role, due to promotions or reorganisations, IT needs to understand how a new business role affects accounts and access rights; rights that are not revoked on a role change accumulate silently. In one widely publicised incident, a trader at Société Générale was able to hide massive unauthorised trades by using credentials he retained from his previous role in the compliance department.
Access Governance, therefore, is where the business aligns the core elements of its IT security infrastructure and strategy with specific business requirements. Without this alignment, there is no way to ensure that access rights granted to users are consistent with corporate security guidelines, industry best practices or requirements, or government mandates.
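
The governance model described above (roles that derive a least-privilege set of entitlements, an SoD policy, approval thresholds, and a check that what a user actually holds matches what their current roles justify) can be expressed directly in code. The following is an added illustration, not Courion's product or code; every role, system, entitlement, user and threshold in it is constructed for the example.

```python
"""Access Governance policy model: roles derive least-privilege entitlements,
a segregation-of-duties (SoD) check blocks conflicting combinations, and a
review compares actual access with what the user's current roles justify.
Added illustration, not Courion code; all names below are constructed."""
from itertools import combinations

# Each role lists only the (system, permission) pairs that role needs:
# this is the least-privilege baseline. Everyone also holds "employee".
ROLE_ENTITLEMENTS = {
    "employee": {("email", "mailbox"), ("fileserver", "home_share")},
    "hr_specialist": {("peoplesoft", "hr_update")},
    "senior_teller": {("core_banking", "cash_drawer_reconcile")},
    "trader": {("trading", "book_trade")},
    "trade_controller": {("trading", "approve_trade"), ("trading", "override_limit")},
}

# SoD policy, expressed on entitlements rather than roles so that it also
# catches conflicts introduced by ad hoc grants made outside the role model.
SOD_CONFLICTS = [
    frozenset({("trading", "book_trade"), ("trading", "approve_trade")}),
    frozenset({("trading", "book_trade"), ("trading", "override_limit")}),
]

# Authorisation thresholds (constructed): the largest purchase order, in
# pounds, that a holder of each role may approve.
APPROVAL_LIMITS = {
    "supervisor": 1_000,
    "department_manager": 10_000,
    "managing_director": float("inf"),
}


def entitlements_for(roles):
    """Union of the entitlements the given roles grant; unknown roles are rejected."""
    unknown = set(roles) - ROLE_ENTITLEMENTS.keys()
    if unknown:
        raise ValueError(f"undefined role(s): {sorted(unknown)}")
    result = set()
    for role in roles:
        result |= ROLE_ENTITLEMENTS[role]
    return result


def sod_violations(entitlements):
    """Return every SoD conflict whose entitlements are all present in the set."""
    ents = set(entitlements)
    return [sorted(pair) for pair in SOD_CONFLICTS if pair <= ents]


def conflicting_role_pairs():
    """Static check of the role catalogue: role pairs that can never be co-assigned."""
    bad = []
    for a, b in combinations(sorted(ROLE_ENTITLEMENTS), 2):
        if sod_violations(ROLE_ENTITLEMENTS[a] | ROLE_ENTITLEMENTS[b]):
            bad.append((a, b))
    return bad


def can_approve(role, amount):
    """Authorisation policy: may this role approve a purchase order of this value?"""
    limit = APPROVAL_LIMITS.get(role)
    return limit is not None and amount <= limit


def review_access(roles, actual):
    """Compare what the role model says a user should hold with what the
    target systems actually grant. 'excess' is over-provisioning, including
    rights retained from a previous role; 'missing' is under-provisioning."""
    expected = entitlements_for(roles)
    actual = set(actual)
    return {
        "excess": sorted(actual - expected),
        "missing": sorted(expected - actual),
        "sod": sod_violations(actual),
    }


if __name__ == "__main__":
    # A trader who moved from trade control and kept the old approval right:
    # the review reports the stale right as excess and as an SoD violation.
    print(review_access(
        ["employee", "trader"],
        {("email", "mailbox"), ("fileserver", "home_share"),
         ("trading", "book_trade"), ("trading", "approve_trade")},
    ))
```

Because the SoD rules are written against entitlements, `conflicting_role_pairs()` can be run against the role catalogue itself before anyone is assigned, and `review_access()` catches the same conflict when it arrives through a leftover grant rather than through a role.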

Access Provisioning
If Access Governance is where roles, access policies and rights are defined, Access Provisioning is where they are put into practice. Provisioning is the process of establishing accounts for users, along with their respective access rights, on selected target systems.
The provisioning process requires, at a minimum:
• Integration with one or more target systems
• The ability to establish accounts on those systems
• The ability to ensure that the account holder entitlements and access rights are managed appropriately by the native security system of the target platform.

In addition to establishing accounts on various systems, provisioning may also include configuring a variety of other access management systems. These include:

Password management: provides a mechanism for users or IT support personnel to manage passwords. For example, if a user forgets their password or it expires, a mechanism must be in place for the user to reset it.
Web access management (WAM): controls access to an organisation's internal and external-facing web sites. These sites can support a wide variety of business activities, such as customer support, business partner access, e-commerce, etc.
Single sign-on (SSO): enables users to log in once, to a portal or to the Windows log-on screen, and then access other systems without having to log on to each individual application.
Privileged account management (PAM): manages accounts for privileged users, such as network or database administrators. PAM systems reduce or eliminate the risk that a privileged account password falls into the wrong hands.

Automated provisioning and password management deliver a number of useful benefits. They improve security by ensuring that user account privileges and password profiles are consistent with policy. Automation also reduces overhead costs by enabling fewer personnel to manage user access and accounts. An added benefit is the increased convenience for users, who no longer sit idle for long periods waiting for access to their systems.
Another important benefit, from a security perspective, is the ability to de-provision (revoke) or modify access rights when employees and other stakeholders either change their positions or leave the organisation. Driving revocation from the same role and status data as the original grant closes the window in which terminated employees could still use their former accounts to engage in malicious behaviour.

Access Compliance
The third Access Assurance component is Access Compliance, which enables the organisation to verify that end-users have access rights and entitlements that are consistent with corporate security policy, relevant industry guidelines and government regulations. Access Compliance is becoming increasingly important as various industry and government regulators mandate that companies periodically attest that internal access controls are both appropriate and adequate.
Despite the recent economic downturn, auditors and regulators are not reducing their demands for compliance attestation. In fact, many industry observers expect that demands by government and other regulators will likely increase in many industries, such as financial services, as a direct result of the recent increase in bank failures and company bankruptcies.
Implementing Access Compliance as a core business process brings many organisations two major benefits.

First, an Access Compliance strategy enables managers to quickly and easily confirm that employees have appropriate entitlements. This is particularly important in environments where segregation of duties (SoD) is essential. A properly implemented Access Compliance process enables managers to demonstrate to auditors and others that only authorized individuals can access sensitive data or perform certain key functions.

Second, the expense of collecting, consolidating, analyzing and reporting on compliance with mandates can be substantial, particularly for large entities with thousands of employees. An Access Compliance process that automatically collects, formats, and reports on this information saves both time and money.

However, even beyond the need to meet the demands of auditors, the true spirit of Access Compliance is to make compliance a seamless, transparent part of routine business activities. Access Compliance eliminates the need for periodic exercises that divert managers from their usual activities and force them to focus a significant amount of effort on compliance reporting and attestation.
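
The Access Provisioning and Access Compliance sections above describe one reconciliation loop: derive the access each user should have from an authoritative source of roles and employment status, compare it with what the target systems actually hold, emit grants and revokes (a leaver simply has an empty desired set), and hand managers a certification view of what their reports hold that no current role justifies. The following added example shows that loop end to end; it is not Courion's code, and the role map, the HR feed and the target-system dump are all constructed for the illustration (a real deployment would read the last two from the HR system and from each target platform's native security store).

```python
"""Provisioning reconciliation and access-certification report.
Added illustration, not Courion code. ROLE_ENTITLEMENTS, HR_FEED and
TARGET_STATE are constructed sample data, not real systems or people."""
from collections import defaultdict

# Assumed role -> (system, permission) map, as defined under Access Governance.
ROLE_ENTITLEMENTS = {
    "employee": {("ad", "domain_user"), ("email", "mailbox")},
    "hr_specialist": {("peoplesoft", "hr_update")},
    "senior_teller": {("core_banking", "cash_drawer_reconcile")},
}

# Constructed authoritative HR feed: user -> (status, manager, current roles).
HR_FEED = {
    "asmith": ("active", "mjones", ["employee", "hr_specialist"]),
    "bkhan": ("active", "mjones", ["employee"]),            # moved out of HR last month
    "cwu": ("terminated", "rlee", ["employee", "senior_teller"]),
}

# Constructed dump of what the target systems actually hold: user -> entitlements.
TARGET_STATE = {
    "asmith": {("ad", "domain_user"), ("email", "mailbox"), ("peoplesoft", "hr_update")},
    "bkhan": {("ad", "domain_user"), ("email", "mailbox"), ("peoplesoft", "hr_update")},
    "cwu": {("ad", "domain_user"), ("email", "mailbox"),
            ("core_banking", "cash_drawer_reconcile")},
    "svc_legacy": {("ad", "domain_user")},                  # no HR record at all
}


def desired_state(hr_feed):
    """Entitlements each user should hold. Leavers get the empty set, so every
    account they still have becomes a revoke: deprovisioning is the same diff
    as a role change, not a separate process that can be forgotten."""
    desired = {}
    for user, (status, _manager, roles) in hr_feed.items():
        if status == "active":
            desired[user] = set().union(*(ROLE_ENTITLEMENTS[r] for r in roles))
        else:
            desired[user] = set()
    return desired


def reconcile(hr_feed, target_state):
    """Provisioning actions that bring the target systems in line with policy."""
    desired = desired_state(hr_feed)
    actions = []
    for user in sorted(set(desired) | set(target_state)):
        have = target_state.get(user, set())
        want = desired.get(user)
        if want is None:
            # Account exists on a target system but HR has never heard of it:
            # flag for human review rather than silently deleting.
            actions.append(("orphan", user, sorted(have)))
            continue
        for ent in sorted(want - have):
            actions.append(("grant", user, ent))
        for ent in sorted(have - want):
            actions.append(("revoke", user, ent))
    return actions


def attestation_report(hr_feed, target_state):
    """Per-manager certification view: what each report holds, and which of
    it is not justified by any current role (over-provisioning to attest or revoke)."""
    desired = desired_state(hr_feed)
    report = defaultdict(list)
    for user, (status, manager, roles) in hr_feed.items():
        have = target_state.get(user, set())
        report[manager].append({
            "user": user,
            "status": status,
            "roles": roles,
            "entitlements": sorted(have),
            "unjustified": sorted(have - desired[user]),
        })
    return dict(report)


if __name__ == "__main__":
    for action in reconcile(HR_FEED, TARGET_STATE):
        print(action)
    for manager, rows in attestation_report(HR_FEED, TARGET_STATE).items():
        print(manager, rows)
```

Run as written, the reconciliation emits no grants: it revokes the HR entitlement bkhan kept after changing role, revokes all three of the leaver cwu's entitlements, and flags svc_legacy as an orphan because no HR record justifies it. The attestation report shows mjones the same stale PeopleSoft right under bkhan, which is the item a manager would be asked to certify or revoke.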

The bottom line, for many organisations, is that implementing an appropriate Access Assurance strategy provides stronger security, whilst simultaneously reducing wasted time, effort and costs and enabling the business to run more efficiently and effectively.

Contact details:
Courion Corporation
E: info@courion.com
www.courion.com