Solutions Compliance Using Identity Management
Hitachi ID Facebook Page Hitachi ID Twitter Page Find us on Google+ Hitachi ID YouTube Page

Regulatory Compliance Using Identity Management

arrowAbstract
Regulations such as Sarbanes-Oxley, FDA 21-CFR-11 and HSPD-12 require stronger security, to protect sensitive business processes. Regulations such as Gramm-Leach-Bliley, HIPAA, PIPEDA and the EU Privacy Protection Directive 2002/58/EC require stronger security, to protect the privacy of investors, patients, consumers and citizens, respectively.

Security in every multi-user application depends on authentication, authorization and audit infrastructure (AAA). In turn, this infrastructure depends on complete, current and accurate data about users. In particular, dormant and orphan accounts must be reliably deactivated, and privilege creep must be addressed.

Identity management systems enable reliable maintenance of data about users and their security rights. In turn, this supports reliable AAA and therefore regulatory compliance.

Introduction

Corporations and non-profit organizations, such as Universities or Government agencies, are increasingly subject to regulations that have an impact on IT governance. Regulations such as Sarbanes-Oxley, FDA 21-CFR-11 and HSPD-12 require stronger security, to protect sensitive business processes. Regulations such as Gramm-Leach-Bliley, HIPAA, PIPEDA and the EU Privacy Protection Directive 2002/58/EC require stronger security, to protect the privacy of investors, patients, consumers and citizens, respectively.

The common theme in all of these regulations is that IT security is crucial, to protect both corporate governance and privacy. Since every multi-user computer system depends on authentication, access controls and audit logs (AAA) for its security, it follows that the regulatory environment mandates an effective AAA infrastructure.

AAA is not new: one form of AAA or another has been embedded into every multi-user application since early mainframes in the 1960s. The weakness in most systems is not their ability to authenticate users, control their access rights and audit their actions, but rather in the fact that these run-time decisions depend on accurate and reliable user data. As the number of users in a typical enterprise IT environment has grown, and as the number of systems and applications has multiplied, it has become increasingly difficult to maintain accurate and reliable data about very user on every system.

Identity management systems are intended to overcome this problem, by automating user administration processes, so that data about users, how they are authenticated, and what rights they have can be maintained more efficiently and reliably.

This document outlines a variety of problems that can arise with user profile data, the impact of those problems on the efficacy of an enterprise AAA infrastructure, and the solutions that an identity management system can bring to bear to eliminate those problems.

The remainder of this document is organized as follows:

Identity Management System Components

Enterprise Identity Management

This document focuses primarily on identity management inside the enterprise, managing internal users -- employees, contractors, vendors, etc. Internal users are qualitatively different than external users, in that they are relatively few (thousands, not millions), and complex (having tens of login accounts and user objects each, many of which may be inaccurate, uncorrelated or obsolete).

Without an identity management system, users are managed by separate administrators, using separate software tools, and often separate business processes, on each system. This is illustrated in Figure [link].

figure

    Managing Each Application in its own Silo (1)

An identity management system is used to externalize the administration of user objects, replacing processes that are implemented within each system and application with new processes that apply uniformly to all users, on all systems. This simpler process is illustrated in Figure [link].

figure

    Externalizing the Management of Users and Entitlements (2)


Business Processes

As illustrated in Figure (_label_fig:idm-processes), an identity management system connects to multiple, existing systems where user objects are stored, and manages them cohesively. It does this as the end-product of one or more business processes, which drive changes to user definitions.

Identity management systems may implement any of the following business processes:

Functional Components

Breaking processes down further, enterprise identity management systems may expose some subset of the following functions:

Identity management systems are closely related to access management systems, which may consolidate or strengthen user authentication processes (i.e., single, strong sign-on) and may enforce authorization policies at run-time. These include:

Authentication

Overview

Users typically sign into systems and directories by typing a personal login ID and password. In most organizations, if a user forgets his password, or inadvertently mistypes it often enough to trigger an intruder lockout, the user may call the help desk, identify himself, and request a new password.

Vulnerabilities

This process can create multiple security vulnerabilities, exposing sensitive systems and data to access by unauthorized users:

Security Benefits of Identity Management

All of the above problems can be addressed by an effective identity management system:

Summary

Vulnerabilities in a typical password-based authentication infrastructure can be eliminated using a combination of:

Authorization

Overview

Most systems control user access to data by first authenticating users (see previous section), and then checking each attempted user action against a privilege model.

Users gain access to sensitive systems and data first by having a login account on the system in question, and secondarily by having specific privileges on that system. Users may be granted privileges directly, or in relation to specific resources (e.g., folders, shares, printers, screens, menus, etc.). Users may acquire privileges by virtue of membership in a security group, which itself has been assigned privileges.

Most large systems rely heavily on user groups to manage privileges, since assigning fine-grained rights individually to many users is too onerous. As a result, the rights a user has across multiple systems in an organization can usually be expressed as a function of which accounts the user has, and what security groups the user belongs to on each system.

Vulnerabilities

The authorization infrastructure in most systems and applications is technically effective, but relies on data about user rights, which may be inaccurate:

Security Benefits of Identity Management

The above problems can be addressed by an effective identity management system:

Summary

The combination of a user provisioning system and a privilege auditing system can be used to find and remove:

Audit

Overview

Audit logs are intended to make users accountable for their actions. Various regulations that impact IT security require logging of changes to financial data, attempts to access private information, various authorizations and digital signatures.

The degree to which common systems and applications log events of interest is variable. For example, most systems record failed login attempts and user lockouts, but not all systems record successful user logins. Financial and clinical systems log authorizations and signatures, but other systems don't. Many systems do not log user administration actions, such as the creation of new users, changes to user privileges or deactivation of user access.

In almost all cases, audit logs are internal to systems and applications. Events on different systems may be difficult or impossible to correlate, as would be required in a forensic audit to establish a pattern of activity. Beyond local storage, a challenge for event correlation is that users often have different login IDs on different systems, and so audit logs on one system cannot be readily connected to those on another.

Vulnerabilities

Limited, system-specific audit logs present some security challenges to enterprises who must protect multiple, sensitive systems:

Security Benefits of Identity Management

An identity management system can resolve all of these audit challenges:

Summary

A user provisioning system, combined with a privilege auditing system, can significantly improve the ability of an organization to create accountability, and to find and remove inappropriate security privileges.

Summary

Regulations increasingly demand that corporations and non-profit organizations implement sound IT security to protect privacy and ensure sound governance.

Most systems and applications already incorporate authentication, authorization, and audit (AAA) infrastructure with which to do this. Unfortunately, AAA infrastructure is vulnerable to weaknesses in security-related business processes and to improper user privilege definitions.

An identity management system, including user provisioning, password synchronization and reset and privilege audit can be used to address shortcomings in security business processes and inappropriate user privileges, which would otherwise undermine a AAA infrastructure.

These identity management features can be supplemented by strong authentication technology, single sign-on and web access management systems.

References