White Papers Addressing Excess Entitlements using Access Certifier
Hitachi ID Facebook Page Hitachi ID Twitter Page Find us on Google+ Hitachi ID YouTube Page

Addressing Excess Entitlements with Access Certification


This document describes the business problem of privilege accumulation and the impact of this IT problem on organizations in the context of a growing set of regulatory requirements.

Having defined the business problem, this document then describes the process of access certification, used to respond to privilege accumulation in a manner consistent with regulations such as Sarbanes-Oxley, HIPAA, 21CFR11 and GLB.

The Challenge

The Regulatory Environment

Two common threads running through many regulations are privacy protection (e.g., HIPAA, GLB, PIPEDA, EU Privacy Directive) and corporate governance (e.g., Sarbanes-Oxley, 21-CFR-11). Privacy applies to customers, patients, investors, employees and so forth. Good governance applies to financial data, clinical processes, safety procedures, etc.

Compliance Requires AAA

Privacy protection and corporate governance both depend on effective internal controls. The challenge is to answer the questions:

Who can access sensitive data?

How are these users authenticated?

What can they see and modify?

Are users held accountable for their actions?


These requirements can be restated as AAA: authentication, authorization and audit.

Problems with AAA

AAA infrastructure is nothing new and has been built into every multi-user application for decades. The problem is that a growing number of systems and applications, combined with high staff mobility, have made it much harder to the manage passwords and entitlements on which AAA rests.

With weak passwords, unreliable caller identification at the help desk, orphan accounts, inappropriate security entitlements and mismatched login IDs, AAA systems often wind up enforcing the wrong rules. The weakness is not in the authentication or authorization technology -- it's in the business process for managing security entitlements and credentials.

Addressing Problems with AAA Requires Identity Management

To address problems with AAA data, it is essential to implement robust processes to manage security, so that only the right users get access to the right data, at the right time.

This is accomplished with:

Access Certification

Hitachi ID Access Certifier enables organizations to review and clean up security entitlements with:

Benefits of Access Certification

Access certification offers substantial benefits over previous approaches:

Access Certifier strengthens security by helping organizations to find and remove inappropriate security entitlements. It makes business stake-holders take direct responsibility for ensuring that users within their scope of authority have appropriate security rights for their jobs.

Previous Approaches

Previous attempts to address the problem of finding and removing excess access rights have focused on policy-enforcement in general, and policy-based provisioning in particular:

Policy-based provisioning is defined as follows:

On an enterprise scale, where there are (tens of) thousands of users, employees, contractors and other principals are constantly hired, moved and terminated. This makes user classification difficult.

Role definition, where user responsibilities are subtly different and where infrastructure is ever changing, is similarly difficult, because the target (a role model) is complex and moving.

Access privilege reconciliation may also be hard to implement, as it can flag more exceptions than human authorizers can realistically review.

The policy-based provisioning approach is challenging in complex organizations, because defining a comprehensive and appropriate policy is time consuming, difficult and expensive. These challenges apply equally to initial deployment and ongoing system sustainment.

Motivating Managers to Participate

In a large organization, there will be many managers, application owners and data owners who must perform periodic audits of user access privileges. It follows that some mechanism is required to ensure that these audits are in fact carried out and performed diligently.

Audits by application and data owners are straightforward -- this can be made a core part of the responsibility of these stakeholders and since there are relatively few such stake-holders, ensuring that they complete periodic user privilege audits.

Audits of users by their direct supervisors can be more difficult, since there may be thousands of such supervisors and it is hard to make them all comply with any single directive.

One approach to motivating managers to review the access rights of their direct subordinates is to require a signature at the end of every such review, but to block such signatures until subordinate managers have completed their own reviews. This signature underlies a legal statement by each manager, certifying that the remaining list of that manager's direct subordinates and their privileges, are appropriate.

With this process, an executive such as the CEO or CFO, who wishes to implement strong controls to support a regulatory compliance program, will pressure his direct subordinates to complete their own reviews. They will be unable to sign off until their own subordinates have finished and so a downward pressure through the organization to complete the audit is created. Whereas pressure to perform the user privilege reviews flows downwards from the top of the organization, results of the audit, including cleaned up user rights, flow back up from the lowest-level managers right to the CEO or CFO.

Advantages of the Access Certification Approach

The Access Certifier process has several advantages that organizations can leverage:

Please contact Hitachi ID Systems to learn more about the Hitachi ID Systems Access Certification Process and Hitachi ID Systems's complete line of Identity Management Solutions.

About Hitachi ID Systems, Inc.

Hitachi ID Systems, Inc. delivers access governance and identity administration solutions to organizations globally, including many of the Fortune 500 companies. The Hitachi ID Identity and Access Management Suite is a fully integrated solution for managing identities, security entitlements and credentials, for both business users and shared/privileged accounts, on-premise and in the cloud.

The Hitachi ID Identity and Access Management Suite is well known in the marketplace for high scalability, fault tolerance, a pragmatic design and low total cost of ownership (TCO). Hitachi ID Systems is recognized by customers and analysts for industry leading customer service.

Originally founded in 1992 as M-Tech Information Technology, Inc. and acquired by Hitachi, Ltd. in 2008, Hitachi ID Systems, Inc. is a leading provider of identity management and access governance solutions.

Hitachi ID Systems first identity management and access governance product, Hitachi ID Password Manager, has been commercially available since 1995. Today, Hitachi ID Systems is the leading password management vendor world-wide and a leading provider of identity and privileged access management solutions.

Hitachi ID Systems currently has 160 employees. Hitachi ID Systems has enjoyed strong financial performance, with 76 consecutive quarters of growth and profitability.

Hitachi ID Systems is headquartered in Calgary, Canada and has regional offices in: Canada: Vancouver, Ottawa and Montréal; United States: Denver and New York. Europe: Amsterdam and Poland. Australia: Brisbane.

Hitachi ID Systems's customers include Avon, Bank of America, Bristol-Myers Squibb, Cisco, eBay, Ford Motor Company, Intel, Kimberly-Clark Corporation, Merck MetLife, NCR Corporation, Pfizer, Pitney Bowes, Sears, Shell, Symantec, Wells Fargo and many more. For more information on Hitachi ID Systems and its products, please visit http://Hitachi-ID.com/ or call 1.403.233.0740.