Hitachi ID Access Certifier Business Case
The regulatory compliance challenge
Regulatory compliance requirements and security policies increasingly demand that organizations maintain effective controls over who has access to sensitive corporate information and personal data about employees and customers:
- Systems must limit access to just the right users, at just the right time.
- Organizations must be able to provide auditable evidence that these controls are in place and effective. Section 404 of Sarbanes-Oxley specifically requires management to assess the effectiveness of internal controls over financial reporting on an annual basis.
- Organizations must be able to report which internal users currently have, and have had in the past, access to sensitive data.
Meeting these requirements can be challenging as users often have unique and changing business responsibilities, thus making their entitlements difficult to model using formal roles and rules.
The difficulty in modeling complex, heterogeneous entitlements is compounded by the fact that although users accumulate entitlements over time, they rarely ask IT to terminate old, unneeded rights. Moreover, it is difficult to predict when, after a change in responsibilities, a user will stop serving as a backup resource for their old job, and therefore when old entitlements can be safely deactivated.
These challenges together mean that it is difficult to model all of the entitlements that users need across multiple systems and applications at a single point in time and likely impossible to model those needs for thousands of users, over multiple systems, over an extended period of time.
A process solution: access certification
Access certification is a process where business stakeholders are periodically invited to review entitlements, sign off on entitlements that appear to be reasonable and flag questionable entitlements for possible removal.
There are several components to access certification:
- How are entitlements discovered?
Before entitlements can be reviewed, they have to be collected from systems and applications and mapped to users. Technical identifiers should be replaced by human-legible descriptions that reviewers will understand. Since entitlements change all the time, discovery should be a regularly scheduled, automated process, not a one-time data load.
- Who performs the reviews?
Options include managers, asked to review their subordinates; application or data owners, asked to review the lists of users who can access their applications or data; and security officers, asked to review high-risk entitlements.
- When are reviews performed?
The frequency may vary with the business risk posed by the entitlements in question.
- What kinds of entitlements are reviewed?
The highest level review is of employment status -- should the user in question still have access to any systems? Slightly more granular is a review of roles -- should the user in question still have these roles? At the lowest level of granularity are basic entitlements -- should the user in question have a login ID on this system or belong to this security group?
- Which entitlements warrant a review?
Not every entitlement poses a significant business risk. User membership in the social committee mailing list is not really worth reviewing, for example. Some determination must be made of the risk level posed by each entitlement, as this forms the basis for deciding whether to review it and how often.
- What happens to rejected entitlements?
Reviewers may flag entitlements as inappropriate, in which case something should be done. Does this raise a work order in an IT issue management system or trigger a connector to revoke the entitlement immediately? Should further reviews take place before the entitlement is actually revoked?
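The components above, carried through as a small worked example. This is added illustration code, not the Hitachi ID Access Certifier product or any part of the original page; the users, systems, entitlement identifiers, owners, risk ratings and review intervals are all constructed for the example. It discovers raw entitlements, drops those below the risk threshold, replaces technical identifiers with descriptions, routes entitlement-level items to owners and account-level items to managers, sets a due date from the risk rating, records every decision with reviewer and date, and turns a rejection into a revocation work order.

```python
"""Added example (not Hitachi ID code): an access-certification campaign over a
constructed entitlement inventory, with reviewer routing, audit trail and
revocation work orders."""
from dataclasses import dataclass
from datetime import date, timedelta

# --- Constructed sample data: every name, system and ID below is made up ----
# What a scheduled discovery job returns: (user, system, technical entitlement ID)
RAW_ENTITLEMENTS = [
    ("alice", "AD", "CN=FIN-GL-POST,OU=Groups,DC=corp"),
    ("alice", "AD", "CN=SOCIAL-COMMITTEE,OU=Lists,DC=corp"),
    ("bob", "AD", "CN=FIN-GL-POST,OU=Groups,DC=corp"),
    ("bob", "SAP", "Z_AP_PAY"),
    ("carol", "DB01", "shell-login"),
]
# Owner-maintained catalogue: technical ID -> (legible description, owner, risk)
CATALOGUE = {
    "CN=FIN-GL-POST,OU=Groups,DC=corp": ("Post journal entries to the general ledger", "fin-owner", "high"),
    "CN=SOCIAL-COMMITTEE,OU=Lists,DC=corp": ("Social committee mailing list", "hr-owner", "none"),
    "Z_AP_PAY": ("Release accounts-payable payments", "fin-owner", "high"),
    "shell-login": ("Interactive shell account on the database host", "dba-owner", "medium"),
}
MANAGER = {"alice": "dave", "bob": "dave", "carol": "erin"}
# Review cadence by risk. "none" is below the threshold and is never certified.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}
RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class ReviewItem:
    kind: str          # "entitlement" (owner reviews) or "account" (manager reviews)
    user: str
    system: str
    entitlement: str   # technical ID, or "" for an account-level item
    description: str   # what the reviewer actually sees
    reviewer: str
    risk: str
    due: date


def build_campaign(raw, catalogue, manager, today):
    """Map discovered entitlements to users, drop sub-threshold ones, translate
    IDs to descriptions, and assign a reviewer and due date to each item."""
    items, account_risk = [], {}   # account_risk: (user, system) -> highest risk
    for user, system, ent_id in raw:
        desc, owner, risk = catalogue.get(ent_id, (ent_id, None, "unknown"))
        if risk == "none":
            continue                 # not worth a reviewer's time
        if owner is None or risk not in RANK:
            # Uncatalogued: nobody has rated it, so escalate instead of skipping.
            risk, owner = "high", "security-officer"
        due = today + timedelta(days=REVIEW_INTERVAL_DAYS[risk])
        items.append(ReviewItem("entitlement", user, system, ent_id, desc, owner, risk, due))
        key = (user, system)
        if RANK[risk] > RANK.get(account_risk.get(key), 0):
            account_risk[key] = risk
    # One account-level question per (user, system), answered by the manager.
    for (user, system), risk in sorted(account_risk.items()):
        due = today + timedelta(days=REVIEW_INTERVAL_DAYS[risk])
        items.append(ReviewItem("account", user, system, "",
                                f"Should {user} still have an account on {system}?",
                                manager[user], risk, due))
    return items


def record_decision(item, reviewer, approved, when, audit, work_orders):
    """Log who decided what and when; a rejection also raises a revocation order."""
    if reviewer != item.reviewer:
        raise PermissionError(f"{reviewer} is not the assigned reviewer for this item")
    audit.append({"when": when, "reviewer": reviewer, "user": item.user,
                  "system": item.system, "entitlement": item.entitlement,
                  "approved": approved})
    if not approved:
        work_orders.append({"action": "revoke", "user": item.user, "system": item.system,
                            "entitlement": item.entitlement or "*account*"})


def roll_up(items, audit):
    """Sign-off view for executives: how many items carry a recorded decision."""
    decided = {(a["user"], a["system"], a["entitlement"]) for a in audit}
    done = sum(1 for i in items if (i.user, i.system, i.entitlement) in decided)
    return {"total": len(items), "reviewed": done, "outstanding": len(items) - done}


if __name__ == "__main__":
    today = date(2024, 1, 15)
    campaign = build_campaign(RAW_ENTITLEMENTS, CATALOGUE, MANAGER, today)
    for it in campaign:
        print(f"{it.kind:11} {it.user:6} {it.system:4} -> {it.reviewer:16} due {it.due}  {it.description}")
    audit, orders = [], []
    bob_gl = next(i for i in campaign if i.user == "bob" and "GL" in i.entitlement)
    record_decision(bob_gl, "fin-owner", False, today, audit, orders)   # owner rejects
    print(orders, roll_up(campaign, audit))
```

The mailing-list membership never reaches a reviewer, an entitlement missing from the catalogue is escalated rather than silently dropped, and a decision is only accepted from the reviewer the item was assigned to, which is what makes the audit record meaningful.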
Hitachi ID Access Certifier security benefits
Access Certifier helps organizations to find and eliminate stale user privileges:
- All user objects are subjected to periodic reviews -- by managers and group owners. Orphan and dormant accounts are eliminated.
- All user memberships in security groups (also known as roles, profiles, etc.) are periodically scrutinized. Inappropriate rights are deactivated.
- Accountability is introduced by documenting when each login ID and group membership was reviewed and by whom.
- Organizational roll-up allows executives to sign off on statements asserting that all sensitive security rights have been reviewed.