
Identity Auditing: Key to Successful IT Compliance
BY TOM REPEDE,
vice president of product development and research, JME Software

In today's business environment, the risk of being found noncompliant with one of the many new regulations out there is high. Just as high is the risk of your business experiencing financial or operational offenses, such as fraud, identity theft, loss of trade secrets or privacy problems. You need a way to protect yourself against all of the risks.

Internal controls, of course, are a start—they're crucial to accounting for an organization's ongoing operations. But Sarbanes-Oxley (SOX) has taken IT governance and operations accountability to a whole new level.

What's so challenging?

One big hurdle is securing users' access to the countless networks, operating systems, applications and databases that populate a distributed enterprise—and then accounting for it. Each of these systems has a unique way of authenticating users and controlling what access rights individuals are entitled to.

And to complicate matters further, it's common for one person to use different identities (IDs and passwords) for each system. These various identities are difficult enough for users to manage, and they pose a tough administration problem for IT departments, especially during a security audit or when they need to deprovision a user.

The burden on IT to account for identities and produce evidence regarding their use can be overwhelming.

In fact, one of the most scrutinized areas of compliance has to do with these identities and their access rights. Identity management is clearly vital to controlling users' access rights, and it's fast becoming the foundation for IT operations, linking business initiatives and processes. Identity auditing, then, is one of the keys to successful IT compliance.

Organizations are scrambling. They're desperate for powerful, nondisruptive, easy-to-implement solutions for identity auditing—and confused about how to reduce the costs and risks associated with compliance. Some new tools are entering the market. They're designed to explore the IT infrastructure to discover unique user IDs and related access permissions, then provide an intelligent way to associate those IDs with individuals. While these identity-auditing tools aren't yet fully automated, they are a step in the right direction.

Identity Auditing

Identity auditing is the process of documenting, reviewing and approving access controls, such as roles, separation-of-duties rules, and entitlements or privileges.

Identity auditing tracks who has access to what, who should have access to what, who reviewed and approved what, and who actually did what. Identity auditing relies on huge data collections from log files and systems reports.

Unfortunately, it's nearly impossible to analyze this data manually. Manual processes are expensive, recurring and error-prone—and are so resource-intensive that they can inhibit business growth and initiatives.

The answer, then, is to automate the process of provisioning, identity auditing and deprovisioning, making it continuous rather than periodic and incomplete. Automating the process significantly reduces the manual effort required of an IT department while also protecting critical areas from becoming compromised. Identity auditing can extend beyond users to protect assets, applications, transactions and data while ensuring compliance. It provides visibility into business transactions and verifiable proof of authorized activity as well as control of unauthorized, illegal activity. Obviously, the result is a reduction in both compliance costs and risks.

Identity-Auditing Solutions

Organizations can more easily pave the road to continuous compliance by becoming identity-focused and selecting a robust software solution to automate a repeatable process of provisioning and auditing.

To start, the software must be able to:
  • Combine security information across the enterprise from such disparate entities as directories, databases and other third-party applications into one central repository
  • Tie individuals to user IDs, groups and resources by matching real people by name to the user IDs assigned to them as well as to their group memberships to provide a view into resources and how, when and why they're used
  • Import existing data from other applications for an integrated solution
  • Provide a strong access-control infrastructure with business-level ownership of access-request approvals
  • Review privileges and entitlements regularly and monitor real-time access events
  • Identify conflicts and perform remediation on demand
  • Create and output custom and ad-hoc reports easily without a programming language
  • Offer provisioning capabilities for cost efficiency and audit tools for control and compliance tracking
  • Use business-oriented screens and a user-friendly interface
If you're looking for a solution, consider the above criteria a checklist, and remember identity auditing matters!
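The reconciliation the article describes (pulling account exports from disparate systems into one repository, tying each user ID to a real person, then answering "who has access to what" and "who should not") can be shown in a small script. The following is an added example written for this page; it is not code from the article or from JME Software, and the HR roster, the three system exports, the user-ID naming rules and the single separation-of-duties rule are all constructed assumptions. It flags orphaned accounts with no owner, accounts still active for terminated staff (a deprovisioning gap), and entitlement combinations that violate a separation-of-duties rule.

```python
"""Identity-audit reconciliation over constructed sample exports.

Added example, not the article's or JME Software's code. It consolidates
account exports from several systems into one repository, ties each account
to a person from an HR roster, and reports orphaned accounts, accounts held
by terminated staff, and separation-of-duties conflicts.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed HR roster: the "real people" that accounts must be tied to.
HR_ROSTER = [
    {"emp_id": "E100", "name": "Jane Smith", "status": "active"},
    {"emp_id": "E101", "name": "Raj Patel", "status": "active"},
    {"emp_id": "E102", "name": "Ana Lopez", "status": "terminated"},
]

# Constructed exports from three systems; each one names users differently.
SYSTEM_EXPORTS = {
    "directory": [("jsmith", ["staff", "finance"]),
                  ("rpatel", ["staff", "dba"]),
                  ("alopez", ["staff"])],
    "erp_db": [("smithj", ["ap_create_vendor", "ap_approve_payment"]),
               ("patelr", ["read_only"])],
    "crm_app": [("jane.smith", ["sales_view"]),
                ("svc_backup", ["admin"])],   # unowned service account
}

# Constructed separation-of-duties rule: pairs one person must not hold together.
SOD_RULES = [("ap_create_vendor", "ap_approve_payment")]


@dataclass
class Account:
    system: str
    user_id: str
    entitlements: list
    owner: Optional[str] = None   # emp_id once matched; None means orphaned


def candidate_ids(name):
    """User-ID forms each system is assumed to derive from a person's name."""
    first, last = name.lower().split()
    return {first[0] + last, last + first[0], f"{first}.{last}"}


def build_repository(roster, exports):
    """Central repository: every account from every system, tied to a person
    wherever one of the assumed naming rules matches the user ID."""
    id_index = {}
    for person in roster:
        for cand in candidate_ids(person["name"]):
            id_index[cand] = person["emp_id"]
    repo = []
    for system, rows in exports.items():
        for user_id, ents in rows:
            repo.append(Account(system, user_id, list(ents), id_index.get(user_id)))
    return repo


def audit(repo, roster, sod_rules):
    """Review the repository and return the three classes of findings."""
    status = {p["emp_id"]: p["status"] for p in roster}
    findings = {"orphaned": [], "terminated_with_access": [], "sod_conflicts": []}
    per_person = defaultdict(set)
    for acct in repo:
        if acct.owner is None:                       # nobody accountable for it
            findings["orphaned"].append(f"{acct.system}:{acct.user_id}")
            continue
        if status[acct.owner] == "terminated":       # deprovisioning was missed
            findings["terminated_with_access"].append(f"{acct.system}:{acct.user_id}")
        per_person[acct.owner].update(acct.entitlements)
    # SoD is evaluated per person across all systems, not per account.
    for emp_id, ents in sorted(per_person.items()):
        for a, b in sod_rules:
            if a in ents and b in ents:
                findings["sod_conflicts"].append((emp_id, a, b))
    return findings


def access_report(repo):
    """Ad-hoc 'who has access to what' view, keyed by owner."""
    view = defaultdict(list)
    for acct in repo:
        key = acct.owner if acct.owner else "UNMATCHED"
        view[key].append((acct.system, acct.user_id, acct.entitlements))
    return dict(view)


if __name__ == "__main__":
    repository = build_repository(HR_ROSTER, SYSTEM_EXPORTS)
    for kind, items in audit(repository, HR_ROSTER, SOD_RULES).items():
        print(kind, items)
    for owner, accounts in access_report(repository).items():
        print(owner, accounts)
```

Note that the separation-of-duties check is done on the union of a person's entitlements across every system, which is exactly why the article insists on a single central repository: the conflicting ERP rights here sit on one account, but the same finding would be raised if they were split between two systems under two different user IDs for the same person.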



Copyright ©2008 The Compliance Authority, Inc.