Verifiable access: in jail or in control

Everett | www.everett.nl


Thomas van Vooren assesses compliance from the perspective of verifiable access to your assets and explains how Identity and Access Management (IAM) supports this.


Organisations face increasing laws and regulations from governments and regulatory bodies, partly as a result of scandals whose root causes lay in flawed access control to information and transactions. This is apparent across industries, with examples such as the Sarbanes Oxley Act for the financial reporting of US publicly held companies, the Health Insurance Portability and Accountability Act (HIPAA) for healthcare institutions in the UK and the Data Protection Act in the UK. Some of these acts are quite recent while others have been around since the late 1990s. Pressure from key stakeholders such as shareholders and employees (transparency and security) and the general public (privacy concerns) makes even the older laws increasingly relevant.

For organisations and the executives held responsible, it is about being in control: adhering to law, regulation and policy, and being able to demonstrate that adherence. To achieve this, processes and procedures must be in place and IT security must be improved. However, organisations need to do this in a cost-effective way, balanced against business opportunities and needs. Improved security and tightened procedures must not make an adequate time-to-service impossible or extremely expensive.

Compliance cycle

The bottom line to compliance from an access perspective is how to ensure appropriate and verifiable access for end users (employees, partners or even the general public) to information and transactions. This is a continuous process: the compliance cycle.

The compliance cycle is a four-step process, addressing one question in each step:

• How do I define authorisations and access rights in line with policy, and administer them?

• How do I roll out the resulting access rights and validate them in real time?

• How do I check and report on policy versus practice?

• How do I repair discrepancies in access rights?

Repeating these steps becomes costly if they are left to manual processes alone. IAM, the combination of procedures, processes and tools to manage identities and access rights, offers capabilities that support every step of the compliance cycle and does so cost-effectively.

IAM capabilities

For administering your policy, authorisation management solutions are available that allow access rights to be documented using roles or other mechanisms, in a language that can be understood by your business. Typically such a solution uses workflow to route approvals through the business.

The administered authorisations are executed across the ICT landscape using provisioning solutions that store the username, password and access rights in the ICT systems. The execution of authorisations is also supported through access management: the ability to verify access rights while the end user is using the system, enforcing policy in real time and providing a centralised audit trail.

Even with these solutions in place, it is still possible that access is obtained via alternative paths or that access patterns are suspicious. Security Incident and Event Monitoring allows such events to be detected, followed by automatic lock-down of the associated username and access rights or notification of the appropriate staff. Next to this real-time detection, reporting solutions are available to perform 'soll-ist' (target versus actual) access comparisons and to provide dashboards with access history across ICT systems, or other access reports required by auditors.

Any discrepancies highlighted by the detection and reporting capabilities can be repaired using the previously mentioned authorisation management and provisioning solutions.
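The 'soll-ist' comparison and the repair step above, as an added illustration that is not part of the original article or of any Everett product: the administered policy (roles and role assignments) is the target state, the entitlements read back from the systems are the actual state, and every discrepancy is turned into a provisioning action. All role names, users and entitlement strings are constructed sample data.

```python
"""Policy-versus-practice ('soll-ist') access comparison with a repair plan."""

# Target state ("soll"), as administered in authorisation management (constructed).
ROLE_ENTITLEMENTS = {
    "finance_clerk": {"erp:invoice.read", "erp:invoice.create"},
    "finance_manager": {"erp:invoice.read", "erp:invoice.approve", "erp:report.read"},
    "hr_officer": {"hris:employee.read"},
}
USER_ROLES = {
    "alice": {"finance_clerk"},
    "bob": {"finance_manager"},
    "carol": {"hr_officer"},
}
# Actual state ("ist"), as read back from the target systems (constructed).
ACTUAL_ENTITLEMENTS = {
    "alice": {"erp:invoice.read", "erp:invoice.create", "erp:invoice.approve"},  # right not covered by any role
    "bob": {"erp:invoice.read", "erp:invoice.approve"},                        # right from policy never rolled out
    "carol": {"hris:employee.read"},                                           # matches policy
    "dave": {"erp:report.read"},                                               # account with no policy entry
}


def expected_entitlements(user_roles, role_entitlements):
    """Derive the target state: the union of entitlements of each user's roles."""
    return {user: set().union(*(role_entitlements.get(r, set()) for r in roles))
            for user, roles in user_roles.items()}


def compare(soll, ist):
    """Report per user: orphan accounts, excess rights and missing rights."""
    findings = {}
    for user in sorted(set(soll) | set(ist)):
        expected, actual = soll.get(user), ist.get(user, set())
        if expected is None:  # account exists but policy knows no such user
            findings[user] = {"orphan": True, "excess": sorted(actual), "missing": []}
        else:
            findings[user] = {"orphan": False,
                              "excess": sorted(actual - expected),
                              "missing": sorted(expected - actual)}
    return findings


def repair_plan(findings):
    """Turn findings into provisioning actions: disable, revoke or grant."""
    plan = []
    for user, f in findings.items():
        if f["orphan"]:
            plan.append(("disable", user, None))
            continue
        plan += [("revoke", user, e) for e in f["excess"]]
        plan += [("grant", user, e) for e in f["missing"]]
    return plan
```

Feeding the returned plan back into the provisioning solution closes the cycle; re-running the comparison afterwards should yield an empty plan.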

Conclusion

By introducing IAM to support the compliance cycle, organisations gain control in a cost-effective manner. However, while the challenges with regard to access compliance are many, so are the IAM capabilities to address them. A big-bang approach embracing all IAM capabilities at once can be costly. It is therefore recommended to identify your main goal and possible quick wins as a first step, while at the same time laying out a roadmap and building value iteratively from there.

Thomas van Vooren is Competence Center Leader and Senior Consultant Identity and Access Management (IAM) at Everett. He has over 10 years of experience in IAM consulting, working for top 500 clients throughout Europe. He also has written several whitepapers and is a frequent speaker at IT conferences.