Four Elements for an Integrated Security Compliance Platform

Compliance platforms that provide identity management, provisioning, access management, and monitoring and audit activities can help organizations achieve strong IT controls and integrate security management efforts.

Sumner Blount
Director of Security Solutions Marketing, CA

In the past, many organizations dealt with regulatory requirements at the business unit level, thus creating compliance silos across the company. In these cases, there was much redundancy of compliance efforts, which increased compliance costs and reduced overall effectiveness. For compliance programs to be effective, they need to be implemented across the entire organization, using consistent strategies in all business units. Realizing this, some organizations have started to implement centralized, integrated management platforms that streamline companywide compliance activities. Knowing the elements for an effective integrated security management platform can help internal auditors provide recommendations that maximize compliance efforts and free up company resources for other ongoing initiatives.

THE ELEMENTS

A common requirement of all regulations is the implementation of IT controls that protect critical corporate assets. For compliance to take place, a strong security infrastructure is needed that protects systems, applications, data, and processes from unauthorized use or access. Many organizations are implementing integrated platforms to manage, audit, and monitor user identities and access to network resources. These integrated identity and access management platforms also are helping companies engage in compliance efforts that are effective and sustainable.

There are several reasons why an integrated platform can enhance compliance activities. First, certain core concepts exist that are common across the IT environment. For instance, concepts such as user roles, group membership, and access policies have applicability throughout the entire company. If each solution component were to define a role differently, it could be virtually impossible to monitor access rights for each role across the compliance platform. Second, it is essential for auditing and monitoring activities to depict an accurate state of the IT infrastructure without regard to the source of the event. Without this level of monitoring integration, it would be difficult to achieve a unified view of the entire environment. Finally, an integrated platform greatly eases management and increases security. This is because non-integrated components are more complex, difficult to manage, and prone to security holes than data that is maintained at a centralized location.

To achieve strong IT controls, internal auditors can recommend the use of an integrated security management compliance platform that incorporates the following four elements: identity management, provisioning, access management, and monitoring and auditing. The information below explores each of these elements.

Identity Management
Compliance is not a static, one-time effort - it is a process that must be improved continually so that the organization is ready for an audit at any time. To implement a sustainable compliance program, companies must be able to know who has access to which resources at any point in time and be able to audit access controls according to the requirements specified in the regulation. This implies that managing the entire identity lifecycle is essential for maintaining an effective and continuous integrated compliance platform.

For a sustainable compliance effort to function, companies should consider eliminating the manual processes used in previous compliance efforts. For example, manual collection of information about each user to determine the access rights of that user results in a massive effort and, more important, a weak set of internal controls. Therefore, centralization and automation of the identity management function can help organizations implement a sustainable compliance effort.

Several capabilities are essential for an identity management service to ease compliance efforts. These include:

• Role-based policies. Specific user roles should determine the user's access rights. The linking of roles to access policies strengthens the controls and eases the auditing of user access rights.
• Delegated administration. Centralized management of all users, especially those in other business units or partner companies, can become quite difficult as the size of the user population increases. Therefore, delegating the management of subsets of the user population to those groups who own them is a more cost-effective approach. As a result, the ability to delegate administration of certain user groups becomes an important benefit of identity management.
• Automated workflow. Appropriate approvals for certain user actions, specifically requests for access rights, are required by most regulations. An automated workflow capability strengthens internal controls and makes access events easily auditable, thus enhancing compliance efforts.
• Administrative activity monitoring. Because certain improper or unauthorized administrative actions can pose destructive security threats, the privileges of each administrator and all administrative events should be audited closely and periodically. This can be accomplished if the platform provides logs of these events in a format that can be used by oversight personnel and that is available to auditors.

Provisioning
Provisioning refers to the software that enables organizations to grant, modify, or remove access to digital or physical resources and offers companies several capabilities for regulatory compliance, including de-provisioning of user access, complete auditing of user access rights, provisioning of role-based resources, automated workflow, and identification of segregation of duty violations. This technology is important for regulatory compliance because it helps to strengthen internal controls by automating the process of granting and removing access rights.

Provisioning also helps to determine which access rights each person has and when and why those rights were allocated. Furthermore, provisioning provides validation that a prudent and consistent policy for management of user access rights is in place and an automated way exists for terminating access rights as individuals leave the company or change roles. For instance, a problem found in many companies is that of orphan accounts - accounts whose owner has left the company or changed roles within the company. The result could be a serious security problem because access rights exist for what is essentially a nonexistent identity. A provisioning solution can help with this problem by scanning existing accounts periodically, correlating accounts with valid user identities, and removing or flagging any accounts that appear to be abandoned.

Access Management
One of the core capabilities of any compliance infrastructure is access control to IT systems and protected resources, such as files, applications, services, and databases. Hence, any set of effective internal controls must start with a strong access management component. The lack of one could hinder compliance with any regulation.

Any access management component for compliance needs to include two capabilities - authentication of users and authorization of their access to protected resources:

1. Compliance with any government regulation generally requires users to be identified in a unique way. Some regulations are not specific in terms of their requirements for authentication services, while others require specific authentication methods for compliance. Regardless of the specificity level required, several authentication capabilities are needed for a comprehensive compliance platform. These include the centralization of authentication controls, the use of a variety of authentication methods that are based on the sensitivity of the resource, and comprehensive password services.
2. Authorization of user access to protected applications, resources, and services is a critical element of all regulations. For instance, some companies have deployed a centralized way to manage and enforce access policies that determine who can access which resources and the conditions under which that access is allowed. To meet major regulation requirements, internal auditors can recommend that companies:

• Centralize authorization activities.
• Employ role-based authorization.
• Provide fine-grained authorization for superuser (i.e., administrator) privileges.
• Protect critical system files, applications, and data across all platforms.

Monitoring and Auditing
One of the most difficult problems when managing security for a large environment is the abundance of security information that is generated by system components. Each component often generates its own event and audit log, uses a different format, and reports data to a different location. This flood of information can overwhelm security staff and make it difficult for them to understand the company's true state of security. In addition, because large amounts of data can hinder monitoring and compliance activities, an integrated security monitoring solution with the right features can help organizations synthesize, analyze, and present security information in a meaningful format to IT administrators. This not only increases administrative efficiency, thereby reducing costs, but also reduces the risk that an important security event will be overlooked.

To ease monitoring and audit activities, internal auditors can recommend that companies implement a centralized monitoring function that has the following minimum capabilities:

• Rule-based aggregation, reduction, and correlation of security event information. Security event information from multiple platform components needs to be correlated to determine which events or combination of events represent serious security problems. Prioritizing and correlating these events can be environment specific. Therefore, a customizable, rule-based model is needed that can let each environment create its own rules on how to prioritize events.
• A consistent audit model that is implemented across all platforms. Auditing must be done across all platforms so that the company can aggregate and correlate platform events. Without this capability, a clear view of the environment's operation is not feasible, which reduces the environment's overall security.
• Advanced visualization capabilities. Reams of paper are not an effective way of solving a compliance problem. Visual displays that bring an administrator's attention to anomalies or suspicious event patterns better support the organization's ability to establish strong controls for security event responses.
• Report and log file customization. Pre-defined reports generally meet the needs of many environments. However, for compliance to take place, it is critical that reports and audit logs are customizable so that information or events that are of particular interest to the environment are reported in a meaningful way to the local administrator.
• Flexible alerting services. It is important for administrators to define which events are important in their local environments so that they can be reported appropriately. It is also important that procedures are implemented to ensure this information is distributed to the appropriate people, based on the event. Policy-based alerting services that use pagers, cell phones, or e-mails, for instance, can help create a strong set of response controls that can contribute to easier compliance.
• Vulnerability and forensic analysis. A proactive approach for improving the overall security of an environment will help reduce compliance audit difficulties. One way of doing this is by conducting an automated vulnerability analysis scans on the existing environment. Correction of these vulnerabilities can eliminate problems before they can be exploited. Similarly, capabilities that allow post-mortem analyses of security breaches can expedite the event's resolution and allow for a more effective remediation of the security breach.

As noted above, providing audit and logging information to the administrator is necessary, but not sufficient, for regulatory compliance to take place. Services and facilities that allow information to be prioritized and presented in a way that is useful to the administrator also are essential to comply with internal and external requirements.

MOVING FORWARD

IT-related government regulations generally have many common requirements. The most common ones relate to the concept of knowing who users are, allocating access rights and restrictions based on user roles, monitoring all activities performed on network resources, and documenting when resources are accessed. For regulatory compliance to be effective, it should be viewed as a critical business component and as part of a larger governance initiative. When leveraged correctly, the process and technology changes brought on by compliance have the potential to impact a company significantly and positively. These changes will help increase the overall efficiency of companywide operations and help strengthen performance and agility.

One of the most effective ways to achieve this level of control is through an integrated security management platform. To this end, internal auditors can recommend the use of a security management platform that incorporates identity management, provisioning, access management, and monitoring and auditing. Once implemented, an automated security management platform can help organizations reduce compliance costs and improve compliance efforts regularly. Without compliance automation, manual, paper-based controls may limit the effectiveness of internal controls and hinder the effectiveness of compliance activities.

Sumner Blount is the director of security solutions marketing for CA, formerly known as Computer Associates, and has been developing software products for more than 25 years. Prior to working at CA, Blount managed the computer operating system development group at Digital Equipment and Prime Computer. More recently, he held a number of product management positions, including product manager at Netegrity.