This document describes the business problem of entitlement accumulation and the impact of this IT problem on organizations in the context of a growing set of regulatory requirements.
Having defined the business problem, this document then describes the process of access certification, used to respond to entitlement accumulation in a manner consistent with regulations such as Sarbanes-Oxley, HIPAA, 21CFR11 and GLB.
The regulatory environment
Two common threads running through many regulations are privacy protection (e.g., HIPAA, GLB, PIPEDA, EU Privacy Directive) and corporate governance (e.g., Sarbanes-Oxley, 21-CFR-11). Privacy applies to customers, patients, investors, employees and so forth. Good governance applies to financial data, clinical processes, safety procedures, etc.
Compliance requires AAA
Privacy protection and corporate governance both depend on effective internal controls. The challenge is to answer the questions:
Who can access sensitive data?
How are these users authenticated?
What can they see and modify?
Are users held accountable for their actions?
These requirements can be restated as AAA: authentication, authorization and audit.
Problems with AAA
AAA infrastructure is nothing new and has been built into every multi-user application for decades. The problem is that a growing number of systems and applications, combined with high staff mobility, has made it much harder to manage the passwords and entitlements on which AAA rests.
With weak passwords, unreliable caller identification at the help desk, orphan accounts, inappropriate security entitlements and mismatched login IDs, AAA systems often wind up enforcing the wrong rules. The weakness is not in the authentication or authorization technology -- it's in the business process for managing security entitlements and credentials.
Addressing problems with AAA requires IAM
To address problems with AAA data, it is essential to implement robust processes to manage security, so that only the right users get access to the right data, at the right time.
This is accomplished with:
- Better control over how users acquire new entitlements and when entitlements are revoked.
- Correlating user IDs between systems and applications, so that audit logs can be related to real people.
- Periodic audits of entitlements, to verify that they remain business-appropriate.
- Logging of both current and historical entitlements, to support forensic audits.
- Stronger passwords and more robust authentication in general.
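The following is an added example, not part of the original document and not any vendor's product code, showing what the second, third and fourth of these controls look like when reduced to a single certification pass. It correlates per-system login IDs back to people in an HR roster, flags orphan accounts (no owner, or an owner who has left) and entitlements that fall outside a department's expected baseline for review, and flattens the current entitlements into a dated history log for later forensic audit. Every person, system, login ID, entitlement name and the correlation table are constructed placeholders; the baseline-comparison rule is one simple way to decide what is "business-appropriate", not the document's own method.

```python
"""Added example: one access-certification pass over constructed sample data."""

# Constructed HR roster: person id -> department and employment status.
HR = {
    "p1001": {"name": "Alice Ng", "dept": "finance", "status": "active"},
    "p1002": {"name": "Bob Ortiz", "dept": "clinical", "status": "active"},
    "p1003": {"name": "Cara Lee", "dept": "finance", "status": "terminated"},
}

# Constructed per-system account listings. Login IDs differ between systems,
# which is exactly why a correlation step is needed before audit logs can be
# tied to real people.
ACCOUNTS = {
    "erp": [
        {"login": "ang", "entitlements": {"ledger_read", "ledger_post"}},
        {"login": "bortiz", "entitlements": {"ledger_read"}},
        {"login": "clee", "entitlements": {"ledger_read", "ledger_post"}},
        {"login": "svc_batch", "entitlements": {"ledger_post"}},
    ],
    "ehr": [
        {"login": "B.Ortiz", "entitlements": {"chart_read", "chart_write"}},
        {"login": "A.Ng", "entitlements": {"chart_read"}},
    ],
}

# Constructed correlation table: (system, login) -> HR person id. In practice
# this is built and maintained as part of the IAM process.
CORRELATION = {
    ("erp", "ang"): "p1001", ("erp", "bortiz"): "p1002", ("erp", "clee"): "p1003",
    ("ehr", "B.Ortiz"): "p1002", ("ehr", "A.Ng"): "p1001",
}

# Constructed role baseline: entitlements each department is expected to hold
# per system. Anything beyond this is queued for a manager's review.
BASELINE = {
    "finance": {"erp": {"ledger_read", "ledger_post"}, "ehr": set()},
    "clinical": {"erp": {"ledger_read"}, "ehr": {"chart_read", "chart_write"}},
}


def certify(hr, accounts, correlation, baseline):
    """Return review findings grouped by kind: (system, login, detail) tuples."""
    findings = {"orphan": [], "out_of_role": []}
    for system, accts in accounts.items():
        for acct in accts:
            pid = correlation.get((system, acct["login"]))
            person = hr.get(pid) if pid else None
            if person is None or person["status"] != "active":
                reason = "no owner" if person is None else "owner terminated"
                findings["orphan"].append((system, acct["login"], reason))
                continue
            expected = baseline.get(person["dept"], {}).get(system, set())
            extra = acct["entitlements"] - expected
            if extra:
                findings["out_of_role"].append((system, acct["login"], sorted(extra)))
    return findings


def snapshot(accounts, correlation, as_of):
    """Flatten current entitlements into dated rows for the entitlement history log.

    as_of is an ISO date string; uncorrelated logins are recorded as UNKNOWN so
    the history still shows what the account held at the time.
    """
    rows = []
    for system, accts in accounts.items():
        for acct in accts:
            pid = correlation.get((system, acct["login"]), "UNKNOWN")
            for ent in sorted(acct["entitlements"]):
                rows.append((as_of, pid, system, acct["login"], ent))
    return rows


if __name__ == "__main__":
    for kind, items in certify(HR, ACCOUNTS, CORRELATION, BASELINE).items():
        for item in items:
            print(kind, item)
    for row in snapshot(ACCOUNTS, CORRELATION, "2024-01-31"):
        print(row)
```

On the constructed data the pass reports two orphan accounts in the ERP system (one owned by a terminated employee, one service account with no correlated owner) and one out-of-role entitlement in the EHR system, while the snapshot records nine dated rows that a later forensic audit can diff against.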