This document describes the business problem of privilege accumulation and the impact of this IT problem on organizations in the context of a growing set of regulatory requirements.
Having defined the business problem, this document then describes the process of access certification, used to respond to privilege accumulation in a manner consistent with regulations such as Sarbanes-Oxley, HIPAA, 21CFR11 and GLB.
Two common threads running through many regulations are privacy protection (e.g., HIPAA, GLB, PIPEDA, EU Privacy Directive) and corporate governance (e.g., Sarbanes-Oxley, 21-CFR-11). Privacy applies to customers, patients, investors, employees and so forth. Good governance applies to financial data, clinical processes, safety procedures, etc.
Privacy protection and corporate governance both depend on effective internal controls. The challenge is to answer the questions:
Who can access sensitive data?
How are these users authenticated?
What can they see and modify?
|Are users held accountable for their actions?|
These requirements can be restated as AAA: authentication, authorization and audit.
AAA infrastructure is nothing new and has been built into every multi-user application for decades. The problem is that a growing number of systems and applications, combined with high staff mobility, have made it much harder to manage passwords and entitlements on which AAA rests.
With weak passwords, unreliable caller identification at the help desk, orphan accounts, inappropriate security entitlements and mismatched login IDs, AAA systems often wind up enforcing the wrong rules. The weakness is not in the authentication or authorization technology -- it's in the business process for managing security entitlements and credentials.
To address problems with AAA data, it is essential to implement robust processes to manage security, so that only the right users get access to the right data, at the right time.
This is accomplished with: