control, and governance
Four Elements for an Integrated Security Compliance Platform/strong> strong="">/> strong="">/>>/> strong="">/>>/>>/>>/> strong="">/>>/>>/>>/>>/>>/>>/>>/> b="">/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>
Compliance platforms that provide identity management, provisioning, access management, and monitoring and audit activities can help organizations achieve strong IT controls and integrate security management efforts./strong> strong="">/> strong="">/>>/> strong="">/>>/>>/>>/> strong="">/>>/>>/>>/>>/>>/>>/>>/> b="">/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>
Director of Security Solutions Marketing, CA/strong> strong="">/> strong="">/>>/> strong="">/>>/>>/>>/> strong="">/>>/>>/>>/>>/>>/>>/>>/> b="">/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>>/>
In the past, many organizations dealt with regulatory requirements at the business unit level, thus creating compliance silos across the company. In these cases, there was much redundancy of compliance efforts, which increased compliance costs and reduced overall effectiveness. For compliance programs to be effective, they need to be implemented across the entire organization, using consistent strategies in all business units. Realizing this, some organizations have started to implement centralized, integrated management platforms that streamline companywide compliance activities. Knowing the elements for an effective integrated security management platform can help internal auditors provide recommendations that maximize compliance efforts and free up company resources for other ongoing initiatives.
A common requirement of all regulations is the implementation of IT controls that protect critical corporate assets. For compliance to take place, a strong security infrastructure is needed that protects systems, applications, data, and processes from unauthorized use or access. Many organizations are implementing integrated platforms to manage, audit, and monitor user identities and access to network resources. These integrated identity and access management platforms also are helping companies engage in compliance efforts that are effective and sustainable.
There are several reasons why an integrated platform can enhance compliance activities. First, certain core concepts exist that are common across the IT environment. For instance, concepts such as user roles, group membership, and access policies have applicability throughout the entire company. If each solution component were to define a role differently, it could be virtually impossible to monitor access rights for each role across the compliance platform. Second, it is essential for auditing and monitoring activities to depict an accurate state of the IT infrastructure without regard to the source of the event. Without this level of monitoring integration, it would be difficult to achieve a unified view of the entire environment. Finally, an integrated platform greatly eases management and increases security. This is because non-integrated components are more complex, difficult to manage, and prone to security holes than data that is maintained at a centralized location.
To achieve strong IT controls, internal auditors can recommend the use of an integrated security management compliance platform that incorporates the following four elements: identity management, provisioning, access management, and monitoring and auditing. The information below explores each of these elements.
Compliance is not a static, one-time effort - it is a process that must be improved continually so that the organization is ready for an audit at any time. To implement a sustainable compliance program, companies must be able to know who has access to which resources at any point in time and be able to audit access controls according to the requirements specified in the regulation. This implies that managing the entire identity lifecycle is essential for maintaining an effective and continuous integrated compliance platform.
For a sustainable compliance effort to function, companies should consider eliminating the manual processes used in previous compliance efforts. For example, manual collection of information about each user to determine the access rights of that user results in a massive effort and, more important, a weak set of internal controls. Therefore, centralization and automation of the identity management function can help organizations implement a sustainable compliance effort.
Several capabilities are essential for an identity management service to ease compliance efforts. These include:
Provisioning refers to the software that enables organizations to grant, modify, or remove access to digital or physical resources and offers companies several capabilities for regulatory compliance, including de-provisioning of user access, complete auditing of user access rights, provisioning of role-based resources, automated workflow, and identification of segregation of duty violations. This technology is important for regulatory compliance because it helps to strengthen internal controls by automating the process of granting and removing access rights.
Provisioning also helps to determine which access rights each person has and when and why those rights were allocated. Furthermore, provisioning provides validation that a prudent and consistent policy for management of user access rights is in place and an automated way exists for terminating access rights as individuals leave the company or change roles. For instance, a problem found in many companies is that of orphan accounts - accounts whose owner has left the company or changed roles within the company. The result could be a serious security problem because access rights exist for what is essentially a nonexistent identity. A provisioning solution can help with this problem by scanning existing accounts periodically, correlating accounts with valid user identities, and removing or flagging any accounts that appear to be abandoned.
One of the core capabilities of any compliance infrastructure is access control to IT systems and protected resources, such as files, applications, services, and databases. Hence, any set of effective internal controls must start with a strong access management component. The lack of one could hinder compliance with any regulation.
Any access management component for compliance needs to include two capabilities - authentication of users and authorization of their access to protected resources:
Monitoring and Auditing
One of the most difficult problems when managing security for a large environment is the abundance of security information that is generated by system components. Each component often generates its own event and audit log, uses a different format, and reports data to a different location. This flood of information can overwhelm security staff and make it difficult for them to understand the company's true state of security. In addition, because large amounts of data can hinder monitoring and compliance activities, an integrated security monitoring solution with the right features can help organizations synthesize, analyze, and present security information in a meaningful format to IT administrators. This not only increases administrative efficiency, thereby reducing costs, but also reduces the risk that an important security event will be overlooked.
To ease monitoring and audit activities, internal auditors can recommend that companies implement a centralized monitoring function that has the following minimum capabilities:
As noted above, providing audit and logging information to the administrator is necessary, but not sufficient, for regulatory compliance to take place. Services and facilities that allow information to be prioritized and presented in a way that is useful to the administrator also are essential to comply with internal and external requirements.
IT-related government regulations generally have many common requirements. The most common ones relate to the concept of knowing who users are, allocating access rights and restrictions based on user roles, monitoring all activities performed on network resources, and documenting when resources are accessed. For regulatory compliance to be effective, it should be viewed as a critical business component and as part of a larger governance initiative. When leveraged correctly, the process and technology changes brought on by compliance have the potential to impact a company significantly and positively. These changes will help increase the overall efficiency of companywide operations and help strengthen performance and agility.
One of the most effective ways to achieve this level of control is through an integrated security management platform. To this end, internal auditors can recommend the use of a security management platform that incorporates identity management, provisioning, access management, and monitoring and auditing. Once implemented, an automated security management platform can help organizations reduce compliance costs and improve compliance efforts regularly. Without compliance automation, manual, paper-based controls may limit the effectiveness of internal controls and hinder the effectiveness of compliance activities.
Sumner Blount is the director of security solutions marketing for CA, formerly known as Computer Associates, and has been developing software products for more than 25 years. Prior to working at CA, Blount managed the computer operating system development group at Digital Equipment and Prime Computer. More recently, he held a number of product management positions, including product manager at Netegrity.