Hitachi ID Identity and Access Management Suite can enforce a variety of internal controls, all of which contribute to access governance and regulatory compliance. Each control is named below, followed by a description of what it does:
Automatic access deactivation

  • Automatically deactivate all access when users leave an organization.
  • Trigger deactivation from the system of record (SoR) where one exists, for example for employees.
  • Trigger deactivation by request where there is no SoR, or where the SoR is late or unreliable.
Segregation of duties (SoD)

  • Define a set of entitlements that should not be assigned at the same time to any one user.
  • Prevent users from acquiring new entitlements that would violate the policy.
  • Find users who already have rights that violate policy and remediate their access rights.
Approval for access

  • Pass all access requests through a workflow system.
  • Require approval by business stakeholders for any request that represents material risk.
  • Invite managers, policy owners or data owners to approve access.
  • Effective for ensuring new rights are business-appropriate.
Access certification

  • Periodically ask stakeholders to review users and their entitlements.
  • Items are either certified (i.e., marked as acceptable) or marked for revocation.
  • Invite managers, policy owners and application/data owners to perform reviews.
  • Effective for finding inappropriate rights among existing entitlements.
Orphan and dormant accounts and profiles

  • Find orphan accounts, i.e., accounts not associated with an owner.
  • Find orphan user profiles, i.e., profiles that have no accounts.
  • Find dormant accounts, i.e., accounts with no recent login activity.
  • Find dormant user profiles, i.e., profiles that contain only dormant accounts.
  • Automatically disable and/or highlight for manual review.
Risk scores

  • Assign business risk scores based on entitlements, number of subordinates, frequency of transfers or other signals.
  • Aggregate the scores to identify high-risk users.
  • Adjust approval and certification processes when high-risk users are involved.
Password security

  • Ensure that users change their passwords regularly, choose hard-to-guess (but memorable) passwords and do not reuse their passwords.
Authentication prior to IT support

  • Reliably authenticate users prior to assisting them with login problems, such as forgotten passwords or clearing lockouts.
  • Combine multiple factors, such as sending a PIN to the user's phone and answering security questions.
Randomize and vault passwords

  • Periodically change the passwords of service accounts, app-to-app accounts and administrator accounts.
  • Set passwords to random strings and store them in a secure vault, where access can be controlled.
Control access to elevated privileges

  • Authenticate and authorize access to shared, privileged accounts or group memberships.
  • Grant access for short time windows only.
  • Pre-authorize frequent users and approve single-use requests otherwise.
Audit elevated access

  • Log requests and session initiation when elevated privileges are used.
  • Record login sessions (video, key-logging, etc.) where required.
Multi-factor authentication

  • Replace password-only or security-question-only authentication with multiple factors, including tokens or PINs sent to smart phones.
  • Leverage federation to extend strong authentication to applications, especially SaaS.
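As an added example that is not Hitachi ID's code: a small Python model of the segregation-of-duties control described above (define toxic entitlement combinations, block a grant that would complete one, and scan existing users for violations to remediate). The rule names, entitlement names and users are constructed for illustration.

```python
# Segregation-of-duties (SoD) check. Added example, not Hitachi ID code:
# models blocking a grant that would create a toxic combination, and
# finding users who already violate a rule. All data below is constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SodRule:
    """Entitlements that must never be held by one user at the same time."""
    name: str
    entitlements: frozenset

    def violated_by(self, held: set) -> bool:
        # Violated only when the user holds the whole toxic combination.
        return self.entitlements <= held

@dataclass
class User:
    uid: str
    entitlements: set = field(default_factory=set)

RULES = [
    SodRule("create-and-approve-vendor",
            frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_INVOICE"})),
    SodRule("dev-and-prod-deploy",
            frozenset({"GIT_COMMIT_PROD", "PROD_DEPLOY"})),
]

def preventive_check(user: User, new_ent: str, rules=RULES) -> list:
    """Names of rules a grant of `new_ent` would violate (empty = allow).
    Evaluates a projected copy; the user's entitlements are not modified."""
    projected = user.entitlements | {new_ent}
    return [r.name for r in rules
            if new_ent in r.entitlements and r.violated_by(projected)]

def detective_scan(users: list, rules=RULES) -> dict:
    """Map each violating user id to the rules it violates, for remediation."""
    findings = {}
    for u in users:
        hits = [r.name for r in rules if r.violated_by(u.entitlements)]
        if hits:
            findings[u.uid] = hits
    return findings

# Constructed sample population: alice already holds a toxic pair.
USERS = [
    User("alice", {"AP_CREATE_VENDOR", "AP_APPROVE_INVOICE", "HR_VIEW"}),
    User("bob", {"AP_CREATE_VENDOR"}),
    User("carol", {"GIT_COMMIT_PROD"}),
]
```

A non-empty result from `preventive_check` is the signal to deny the request or route it to an exception approval; `detective_scan` output feeds the remediation step, where a reviewer decides which entitlement of the pair to revoke.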