Regulatory compliance with legal requirements such as SOX, HIPAA, GLB, FDA 21-CFR-11, GDPR (EU) and PIPEDA (Canada) have created significant challenges for many organizations. At the same time, many organizations wish to implement standardized security controls, such as ISO27001/27002. While the focus of each of these is different, they share common threads: strong internal controls -- especially in relation to access to sensitive systems and data and privacy protection. While it is organizations, rather than software products, which must comply with these regulations, Hitachi ID Identity Manager provides a variety of capabilities that help organizations to meet these objectives.
Both corporate governance and privacy protection depend on strong security in applications and IT infrastructure. Without such security, internal controls cannot be relied upon and regulatory compliance cannot be assured.
IT security depends heavily on an infrastructure of user authentication, access authorization and audit, commonly referred to as AAA. AAA, in turn, depends on accurate and appropriate information about users -- who are they, how are they authenticated and what can they access?
It is in managing these entitlements where organizations have problems. There are too many users, accessing too many systems and they keep moving as a result of hiring, transfer and termination business processes. The result is that users sometimes have inappropriate access rights or weak credentials - which undermine the AAA infrastructure in systems and applications.
Identity Manager helps organizations to more securely manage identities, entitlements and credentials, so that AAA systems (embedded in systems/apps or shared infrastructure) can enforce the right rules at the right times, in support of security, corporate governance, privacy protection and ultimately regulatory compliance.
Identity Manager includes a variety of mechanisms to ensure that user access rights are business appropriate:
- Reports on both current and historical identities and access rights.
- Automated access deactivation, triggered by a system of record such as HR.
- A risk scoring system, for both users and entitlements.
- Reports to find orphan and dormant accounts and user profiles, which ought to be (manually or automatically) deactivated.
- An approvals workflow process, which applies policy to determine the identity and number of approvers required for any given request.
- Indefinite retention of history relating to identity attributes, access rights and change requests, including access rights detected on target systems (i.e., made out of band).
- Application of segregation-of-duties policy, both to access requests (preventive) and existing security entitlements (detective).
- Access certification and remediation, both periodic (e.g., manager reviews subordinates annually, group owner reviews membership quarterly, etc.) and event-driven (e.g., certify users after they change location, department or manager).
- Feedback from the reporting system to the request system, creating a closed loop due to actionable analytics.