Regulatory compliance in general and specific laws such as Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, FDA 21-CFR-11, HIPAA, PIPEDA in Canada and the EU Privacy Directive have created significant challenges for many organizations. While the focus of each of these regulations is different, they do have two common threads: improved corporate governance (e.g., Sarbanes-Oxley and 21-CFR-11) and safeguards to privacy protection (e.g., HIPAA, GLB, EUPD, PIPEDA).
Both corporate governance and privacy protection depend on strong security in applications and IT infrastructure. Without such security, internal controls cannot be relied upon and regulatory compliance cannot be assured.
IT security depends heavily on an infrastructure of user authentication, access authorization and audit, commonly referred to as AAA. AAA, in turn, depends on accurate and appropriate information about users -- who are they, how are they authenticated and what can they access?
It is in managing these entitlements where organizations have problems. There are too many users, accessing too many systems and they keep moving as a result of hiring, transfer and termination business processes. The result is that users sometimes have inappropriate access rights or weak credentials - which undermine the AAA infrastructure in systems and applications.
Hitachi ID Identity Manager includes a variety of mechanisms to ensure that user access rights are business appropriate:
- Reports on both current and historical identities and access rights.
- Automated access deactivation, triggered by a system of record such as HR.
- A risk scoring system, for both users and entitlements.
- Reports to find orphan and dormant accounts and user profiles, which ought to be (manually or automatically) deactivated.
- An approvals workflow process, which applies policy to determine the identity and number of approvers required for any given request.
- Indefinite retention of history relating to identity attributes, access rights and change requests, including access rights detected on target systems (i.e., made out of band).
- Application of segregation-of-duties policy, both to access requests (preventive) and existing security entitlements (detective).
- Access certification and remediation, both periodic (e.g., manager reviews subordinates annually, group owner reviews membership quarterly, etc.) and event-driven (e.g., certify users after they change location, department or manager).
- Feedback from the reporting system to the request system, creating a closed loop due to actionable analytics.