
Achieving Compliance Through Identity Maturity


Where do you want to be and how do you get there?

By Anshu Sharma
Group Product Manager, Oracle

Security and identity management have become an important issue on the radar of CFOs and CIOs as wave after wave of regulations in the areas of financial controls, privacy protection, and identity theft prevention are adopted in various countries. US companies will spend upwards of $15 billion on technology products and professional services this year alone in order to adhere to new compliance regulations, according to AMR Research, Boston.

The initial response by organizations to these regulations has been to adopt a piecemeal approach, but a duct-tape approach to fixing every possible identity and security loophole results in high expenditure without a sense of how close the business is getting to its end goal. The end goal is to be a secure, well-managed organization with optimized processes for employee on-boarding and off-boarding, and efficient controls that prevent fraud and detect problems in a timely manner. The path to this goal traverses various levels of maturity.

Identity Management Maturity Model

A maturity model is a "handbook" for process improvement. When you look across organizations, you see a wide level of commonality in the generic capabilities. These commonalities are captured as maturity levels in a maturity model. An identity management maturity model serves as a means for you to understand the capabilities that are central to successful identity management, and a tool to help you chart your identity management plans. It also serves as a mechanism for you to start equating IT investments with business benefits while managing risk, since each increasing level of maturity has investment requirements and brings increasing benefits. The nature of any maturity model is that there is no right or wrong approach: any model is a framework that provides a set of benchmarks, which may be helpful to your organization in developing your own approach.

Identity Management is a journey, and when you embark on a journey, you need to have these aspects covered:

• A Starting Point and a Checklist: Understand where you are starting out from and what you need to get you to your destination.

• A Destination: Know where you are heading. Have an end goal in mind!

• Milestones: Identify milestones on the way to your destination and make sure you measure progress as you go.

We have developed a maturity model that has three levels. The first level of maturity is tactical identity management and security. At this stage, a business is looking at specific problems in isolation, such as securing Web applications or the high cost of password management. At this level, tactical problem-specific solutions and tools are deployed. A more mature approach is to identify and fix the processes that the business uses to manage identities and secure its assets. At the process-centric level, a company has evaluated and understood the processes associated with identity and security. It has adopted mechanisms and tools to automate the right processes to ensure compliance. This may include automated provisioning of accounts, attestation of roles and responsibilities, etc. However, the business still may not have a comprehensive view of risk at the enterprise scale. At the highest level of maturity, namely aligned, a risk-based approach to identity management and security is deployed. Let us look at the maturity levels in more depth.

Figure 1: Identity Management Maturity Model

Tactical
Over the last decade or so, with the advent of e-business that allows your suppliers, vendors, partners and employees to conduct business online, companies were exposed to new forms of threats from hackers and malevolent agents, both internal and external. The typical response to these new threats was to attempt to fix problems as they became apparent. Many enterprises adopted Web access management tools to secure Web sites. Another area of concern was the high cost of password management, as users regularly forgot their passwords, resulting in high call volume to IT helpdesks. In response, enterprises tried to reduce the number of passwords by deploying single sign-on tools and also automating password reset through provisioning tools. Similarly, certain sensitive data was encrypted by employing ad-hoc mechanisms ranging from modifying the application logic to using tools for encryption of backup tapes. This tactical approach to identity management and security was soon unable to meet two key demands: one, the ability to provide security that scales with growth in the number of users and applications; and two, the need to meet regulatory pressures to demonstrate compliance. Without proper automation and documentation of processes, it was hard for businesses to articulate the internal controls and produce the necessary reports.

Process-centric
Even though many organizations spent millions of dollars securing access to their networks, applications and data, they had difficulty meeting the demands of new regulations like Sarbanes-Oxley, HIPAA and FFIEC that required them not only to be secure and minimize risk but also to demonstrate the same through documentation of controls and audits. This requires an enterprise to have a thorough understanding and documentation of its various business processes. A good example of this is employee on-boarding and off-boarding. When a new employee is hired, various accounts must be created and accesses and privileges granted to allow the employee to perform his or her duties. At many organizations, this was handled on a case-by-case basis, with the employee or her manager requesting various privileges. The IT department would maintain checklists in the form of spreadsheets or text documents to ensure that the right approvals were obtained before granting said privileges. The process was implicit and therefore hard, if not impossible, to demonstrate to external auditors. Moreover, consolidated reports of who had access to what resources and why were hard to compile. Even worse, as employees moved on to new assignments internally or left the company, there was no rigorous automated process to systematically remove access to all the resources.

Most IT organizations removed access to email and some commonly used systems such as HR, but it was nearly impossible for them to find out all the systems a departing user had access to. This problem of orphaned accounts (accounts that are no longer owned by a valid user) is one of the biggest causes of unauthorized access and theft. This challenge can be addressed by deploying comprehensive provisioning tools that include functionality for provisioning and de-provisioning, reports for orphaned accounts and other key metrics, and workflow-based tools for attestation. It is possible to automate the workflow for attestation of roles and privileges and integrate it with the email systems to ensure compliance.
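As an added illustration, not taken from the article or from any vendor's product, the reconciliation behind an orphaned-account report and an off-boarding checklist: an HR feed is joined against per-system account exports, and any account whose owner is unmapped, unknown to HR, or terminated is flagged. The HR records, account exports and field names are constructed sample data and assumptions.

```python
"""Orphaned-account reconciliation across per-system account exports (constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str  # "active" or "terminated" in the HR feed


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner_id: Optional[str]  # HR employee id the account is mapped to; None if unmapped


# Constructed sample HR feed and account exports; not real data.
HR_FEED = [Employee("E100", "active"), Employee("E101", "terminated"), Employee("E102", "active")]
ACCOUNT_EXPORTS = [
    Account("email", "alice", "E100"),
    Account("email", "bob", "E101"),
    Account("erp", "bob.x", "E101"),
    Account("vpn", "svc_backup", None),
    Account("erp", "carol", "E102"),
    Account("crm", "dave", "E999"),
]


def find_orphaned_accounts(hr_feed, accounts):
    """Return (system, username, reason) for every account lacking a valid, active owner."""
    status_by_id = {e.emp_id: e.status for e in hr_feed}
    orphans = []
    for acct in accounts:
        if acct.owner_id is None:
            orphans.append((acct.system, acct.username, "no owner mapped"))
        elif acct.owner_id not in status_by_id:
            orphans.append((acct.system, acct.username, "owner unknown to HR"))
        elif status_by_id[acct.owner_id] != "active":
            orphans.append((acct.system, acct.username, "owner terminated"))
    return orphans


def deprovisioning_plan(emp_id, accounts):
    """Every account, across all systems, mapped to one employee: the off-boarding checklist."""
    return sorted((a.system, a.username) for a in accounts if a.owner_id == emp_id)


def orphan_report(orphans):
    """Orphaned accounts per system, a metric to track between attestation cycles."""
    counts = defaultdict(int)
    for system, _, _ in orphans:
        counts[system] += 1
    return dict(counts)
```

Run against live exports, the same join shows at de-provisioning time exactly which systems still hold accounts for the departing employee.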

It is important to invest in understanding your processes before attempting to automate them. An organization needs to map out its identities, roles and processes before it can successfully deploy an identity management system. The key to a successful rollout of a provisioning solution is to get all three aspects right: people, processes and tools.

The process-centric approach must also be applied to how an enterprise collates and stores audit data, to the practices followed for securing sensitive customer and partner data, and to the physical security realm. An enterprise that has reached the full process-centric maturity level has not only identified and optimized the processes for managing identities and security but has also institutionalized the new processes through organizational change and the application of appropriate tools, including software.

Aligned
At the highest level of maturity, an enterprise must be able to meet its compliance requirements at low cost and have the organizational tools and IT systems in place to deal with any new demands, be they regulatory or market-driven. Furthermore, the enterprise must have a holistic, risk-based approach to identity management with the ability to measure, monitor and mitigate risk. For example, FFIEC recently announced new guidelines for banks that require them to adopt security mechanisms stronger than usernames and passwords, and to have the ability to measure and mitigate risks to the customer. Banks that are only at the tactical or process-centric level of maturity will have to scramble to meet these new requirements. However, banks that have already reached the highest level of maturity and have processes and tools in place to measure, monitor and mitigate risk would be able to quickly identify any gaps in meeting this new requirement.

Identity federation can allow your business to engage in partnerships and networks at lower cost and reduced risk, further aligning your business goals with IT. With identity federation, a service provider is no longer responsible for managing identities, as that responsibility is placed on the shoulders of the identity provider. For example, a large regional airline was able to increase productivity and reduce turn-around time for flights using federation. Before federation, airline employees had to spend time performing multiple logons to the aircraft manufacturer's service web site. The aircraft manufacturer and the airline agreed to implement federation, with the airline acting as the identity provider and the manufacturer as the service provider. This allowed airline service workers to connect seamlessly to the manufacturer's documentation site. In return, the manufacturer benefited by eliminating the costs associated with maintaining identity data for the service workers.

As your organization looks to move up the ladder of maturity levels for identity management and security, you may wonder whether you need to spend a lot of money or buy costly software or consulting services to move up. This is not necessarily true. Over the last decade or so, many of the problems, such as provisioning, have been widely studied and solved, creating a vast body of knowledge around best practices and tools. In fact, as you gain an understanding of your risks and identify your biggest weaknesses, you can focus your people and budget on solving those problems rather than following the latest trend.

Summary
The increasing focus from consumers and governments on how identity information is handled by enterprises is likely to continue to grow over the next few years. If you have not yet taken a strategic approach to security and identity management, your organization is likely to spend a lot of time, effort and money chasing after each new requirement. You should try to ascertain your organization's current level of maturity and then work to create a roadmap to reach higher levels of maturity. As you do this, remember to keep the following guiding principles in mind:

• Ensure you know where your risks are and dedicate your resources accordingly;

• Focus on people, processes and tools, in that order;

• Design your processes and systems so that they can be measured, monitored and optimized;

• Identify, map and optimize your processes linked to security and identity management, and utilize tools for automation of these processes; and

• Look for tools that are built on standards and a services-oriented architecture to keep costs low and prevent vendor lock-in.

As you embark on your next identity management project or initiative, you should evaluate where you are and how this project will help your business get to the next level of maturity. A fully aligned identity infrastructure can not only lower the cost of identity management and compliance and help you systematically manage risk, but also enable your business for growth.



Anshu Sharma is Group Product Manager for Oracle Identity Management. He has held several positions over the last 7 years in design, development and product management of enterprise software, including SOA, integration and identity management. Sharma authors a blog on the Business of Software at http://wisezen.blogspot.com and is an advisor on technology to businesses in India and the US. He holds a B.S. in Computer Science from the Indian Institute of Technology, Kharagpur, and an M.S. in Computer Science from the University of North Carolina, Chapel Hill.



