In its earlier days, identity and access management (IAM) was an IT security framework to identify individuals within an organization who required access to data. Today, it's becoming a cornerstone of an enterprise compliance effort.
While important business drivers for IAM still include the need to maximize user productivity and reduce operational costs, the increasing need to create and implement policies that demonstrate compliance with both corporate and regulatory requirements has moved the compliance capabilities of IAM to the forefront of business operations and IT infrastructure requirements.
Demand is now being driven by the constant pressure of audit cycles required to demonstrate compliance with business policies or with guidelines for regulations such as HIPAA, PCI DSS and SOX. All too often, organizations are scrambling to meet the next deadline to pass the current audit. This puts organizations into a "reactive mode," which comes at a cost: precious resources are spent on the latest fire drill to get through the audit of the day.
IAM, with its focus on who has access to what, and its ability to automate processes, has emerged as the foundation for improving security and achieving compliance cost-effectively. Business managers, who increasingly shoulder compliance responsibilities, need to be able to proactively evaluate the risks associated with the access that is created. This means being able to answer critical questions about where the exposure is and what policy is being enforced, and in some cases to determine how they can go back and build policies around new access compliance exposures that are not currently being addressed. To achieve a more continuous, proactive approach to compliance, there are several steps your organization can take to ensure it is regulation-ready.
To manage risk effectively, organizations must be able to identify areas of exposure and apply appropriate policy, particularly as it relates to access. Setting policy effectively requires organizations to be able to map business needs to their IT infrastructure. In many cases, this means mapping policies to existing IAM systems. Traditionally, IAM solutions were relied on simply to provide the process and structure to manage digital identities. Today, these solutions also provide the process and infrastructure necessary to set policy and ensure that access is tied to it. Dynamic role management capabilities support an effective IAM strategy by enabling companies to set policies based on a particular business role or job category rather than managing access by IT roles.
Policy enforcement is eased by automating the production of more granular entitlement information: not only who has access to what, but why they have it and how the access was granted in the first place. As a result, appropriate provisioning or de-provisioning actions based on policy-defined roles can take place proactively, not after a policy infraction has occurred.
With automated IAM compliance systems, organizations can view and monitor log files to make sure a policy is doing what it is supposed to do, without having to rely on lengthy manual reviews. Additionally, automating regular reviews of access rights in association with user provisioning and role management functions ensures effective remediation and segregation of duties (SoD) checking, both of which are critical to passing audits and achieving continuous compliance. Enabling line-of-business managers to easily review and attest to role-based user access creates effective audit trails of manager attestation actions, enabling audits that are decidedly more time- and cost-effective than the previous manual processes.
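As an added illustration (not Courion's product or code), here is a small Python model of the checks described above: effective access with the reason each grant exists, an SoD policy check, and a manager attestation audit trail. All users, roles, entitlements, rules and ticket ids are constructed sample data.

```python
from collections import defaultdict
# Constructed sample data: business roles mapped to IT entitlements.
ROLES = {
    "ap_clerk":   {"erp.invoice.create"},
    "ap_manager": {"erp.invoice.approve", "erp.vendor.edit"},
}
# SoD policy: entitlement pairs one person must not hold at the same time.
SOD_RULES = [
    ("erp.invoice.create", "erp.invoice.approve", "AP-SOD-1"),
    ("erp.invoice.create", "erp.vendor.edit", "AP-SOD-2"),
]
# Grants via role management, plus direct grants made outside it (the "how").
ROLE_ASSIGNMENTS = [("alice", "ap_clerk"), ("alice", "ap_manager"),
                    ("bob", "ap_manager")]
DIRECT_GRANTS = [("carol", "erp.invoice.approve", "ticket-4711"),
                 ("carol", "erp.invoice.create", "ticket-4712")]

def effective_access():
    """Return {user: {entitlement: [reason, ...]}}: who has what, and why."""
    access = defaultdict(lambda: defaultdict(list))
    for user, role in ROLE_ASSIGNMENTS:
        for ent in ROLES[role]:
            access[user][ent].append(f"role:{role}")
    for user, ent, ticket in DIRECT_GRANTS:
        access[user][ent].append(f"direct:{ticket}")
    return access

def sod_violations(access):
    """Flag users holding both sides of an SoD rule, with grant provenance."""
    findings = []
    for user in sorted(access):
        ents = access[user]
        for a, b, rule in SOD_RULES:
            if a in ents and b in ents:
                findings.append({"user": user, "rule": rule,
                                 "via": {a: ents[a], b: ents[b]}})
    return findings

def attest(access, manager, decisions):
    """Record a manager's keep/revoke decisions as an audit trail.
    decisions: {(user, entitlement): "keep" | "revoke"}. A revoke removes the
    entitlement from the snapshot (a real system would de-provision it)."""
    trail = []
    for (user, ent), decision in decisions.items():
        trail.append({"manager": manager, "user": user, "entitlement": ent,
                      "decision": decision, "via": list(access[user].get(ent, []))})
        if decision == "revoke":
            access[user].pop(ent, None)
    return trail
```

Each finding carries the grant path (role or ticket) so a reviewer can see not just that alice violates AP-SOD-1 but that the conflict comes from holding two roles, while carol's comes from two direct grants.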
An effective compliance solution should offer strong controls for examining user access, helping determine how that access compares against policy, and automation for remediation and corrective action. Tools that are built to provide structure and automation around access compliance processes should be tightly integrated with core IAM functionality, including user provisioning, de-provisioning and role management.
With the use of automation to support risk assessment and policy enforcement, combined with best practices that empower business managers to create more compliant work environments, organizations can achieve real results that go beyond simply "passing the audit" to achieving a more proactive, continuous compliance stance. This strategy will ultimately improve operational efficiencies and service quality, while standing up to the rigors of today's complex technology environments, and beyond.
Kurt Johnson is VP of corporate development at Courion. He is responsible for Courion's strategic direction, product management and securing and managing the company's alliances and partnerships. Prior to Courion, Kurt was vice president of the service management strategies program at META Group, a leading industry research organization. At META, Kurt established himself as a leading authority on the help desk, IT service management, system management and IT outsourcing markets. Kurt is widely recognized as an authority on support automation and self-service operations.