It all started with PCs in the workplace, then client-server architectures, then broad adoption of the internet with its openness and broad file-transfer capabilities and instant messaging and more.
With these little tools of the nether world (a.k.a. the ether world), IT security professionals had their first major headaches. Add to that hackers, phishing and other IT-based frauds and coordinated attacks designed to cripple networks, and you have an even bigger headache.
But these developments were just tiny tremors leading up to the earthquakes caused by Sept. 11, Enron, WorldCom, and other forces majeure, all of which can be summed up in one, simple, Motrin-friendly word that torments almost every IT security pro: compliance.
Adjusting priorities
As the corporate focus on compliance continues to evolve — with smaller public companies now required to comply with Sarbanes-Oxley (SOX) and oversight authorities currently considering new guidelines — IT security professionals continue adjusting their priorities to address the broader needs of the enterprise. A positive result for the organization is that SOX-related projects to evaluate and monitor risk and controls across business functions often uncover opportunities to reduce risk and increase efficiency via automation.
Consider the emerging best practice of compliant provisioning. Primarily an operational function, compliant provisioning refers to the discipline of using technology to help jointly manage several key compliance initiatives. These initiatives include ensuring that:
- The roles of IT security and business process owners are clearly identified in the automated provisioning process;
- Compliance applications integrate with identity management and provisioning systems;
- Financial and ERP systems provide for clear segregation of duties (SOD);
- User requests and role changes do not create SOD violations.
As an added benefit, compliant provisioning calls for coordinated, automated security measures to be built into the integration of a number of compliance-related technology solutions. So what security benefits can compliant provisioning deliver? To answer that question, first consider the security ramifications of Enterprise Resource Planning (ERP) implementations and operations.
Security and ERP
A strong security model is a critical component of any ERP implementation and its continuing operation. ERP security concerns run the gamut from unauthorized access, compliance issues, IP theft to financial misappropriations.
At a minimum, IT security administrators must grant users access to the functionality necessary to perform their jobs. Compliance and other regulatory and business requirements, however, demand limits on what users can do in the system. Effective role design, therefore, must ensure that controls are in place to prevent users from performing actions that fall outside of their functional responsibilities while still enabling them to do their jobs.
Moreover, it is not uncommon for ERP implementations to require tens of thousands of authorizations distributed among thousands of user accounts. Since role assignments and security models evolve and grow over time, answering straightforward questions about who can do what is rarely a simple task, making the security picture very complicated.
So to understand the system, examine the components.
Authorizations
ERP systems have enabled companies to automate myriad business processes. The interwoven business processes that make most companies run also create substantial challenges for managing user access rights or authorizations in the financial systems that support those processes. CIOs and CFOs, along with their IT security leaders, are now faced with the mandate of minimizing this risk by untangling overlapping system authorizations and ensuring proper SOD among users.
SOX has further heightened sensitivity around SOD and auditors now perform in-depth reviews of this key control during their control audits. But eliminating SOD conflicts is a tricky proposition, since the very ERP systems that empower users also make it complicated to determine where the problems lie, not to mention how to address them in an efficient manner.
Systems built around the practice of compliant provisioning can uncover and address user access issues throughout ERP and financial systems in a proactive and continuous manner.
User activity
Even when access-control violations have been eliminated and proper SOD has been assured, business requirements can still add security complications. Many enterprises dictate that some users maintain access that results in control violations. In addition, users who have properly segregated duties still need to conduct sensitive transactions that often need to be monitored for security reasons. The only cost effective way to eliminate risks from these realities is to establish compensating controls that monitor user activity and ensure that users are operating in a proper manner and not circumventing company policy.
Compliance solutions can continuously monitor transactions across ERP and financial systems to help IT security teams identify and even prevent, through data extraction and analysis, suspicious or unusual behavior. In addition, they can serve as a mitigating control that is relied on by auditors to monitor systems then alert managers whenever a transaction or a set of transactions occurs that could cause a violation. This helps mitigate all types of risk.
Role design
Traditional role design approaches have involved complex, error-prone processes shared among auditors, users and technical administrators. Technologies used to manage these processes often involve home-grown tools that are difficult to sync with the ERP system. In many cases, role design projects are focused on a single application, while most employees need access to multiple applications to do their jobs. As a result, most ERP systems operate with suboptimal security models that consume unnecessary resources to support and audit while introducing unwanted risk.
IT security professionals must be able to complete secure role design projects effectively and efficiently. A solid technology solution will not only be fast and foolproof but also allow IT security personnel to build role design best practices into their day-to-day processes so they can continuously tune the security model.
Access management
While audits are periodic, point-in-time events, ERP systems evolve and change every day. In the age of compliance this can often result in a redundant and error prone cycle of review and analysis. Unless all new user access requests and changes can be analyzed before they are approved, new violations will creep back into the system. With limited resources it is virtually impossible to ensure all user access changes are compliant without some form of automated analysis.
With a system built upon the principles of compliant provisioning, an enterprise can automate new user requests and role changes to its ERP system while ensuring that each request is thoroughly analyzed for potential control. Workflow capabilities can then automate the approval process and create an audit trail of all relevant activity. Once approved, changes can be automatically made in the ERP systems, eliminating the manual intervention normally passed along to security administrators.
Bringing it home
Solutions built around the disciplines of compliant provisioning carry a number of operational benefits, with efficiency topping the list. Additionally, these solutions enable IT security professionals to conduct comprehensive role design projects at a fraction of the time and cost of traditional methods by increasing collaboration across the business and avoiding painful user driven false positives and false negatives. Perhaps more importantly, they enable an enterprise to build role design best practices into day-to-day processes so security teams can continuously tune the security model to ensure it is aligned with evolving business requirements and compliance obligations.
With software in place to monitor for management concerns, IT staff can then dedicate more of their time to critical operational matters. And since security is more of a forethought and more integral to enterprise compliance efforts with these solutions, IT security personnel move from a responsive to a preventive posture, allowing them to better deploy resources toward specific issues instead of responding to an ever-changing environment of users, roles, and evolving compliance requirements.
Steve Elliott is CTO of Approva Corporation.
