Achieving Real Results on the Road to Access Compliance



IT controls around user access, regardless of the internal business policy or industry regulation, are the common denominator for surviving audits and ensuring compliance. However, the creation and enforcement of access policy for job-critical applications and systems is an increasingly complex undertaking, especially for organizations with large transient workforces. Adding to the complexity is the rapid adoption of new technologies that support increased enterprise collaboration and virtualized or remote access. In the coming years, organizations' approach to addressing compliance requirements will be put under a microscope, especially as high-profile data breaches continue to make headlines, and repercussions for non-compliance weigh heavily on companies' reputations and their bottom line.

With the constant pressure of audit cycles required to demonstrate compliance with business policies or guidelines such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry (PCI) Data Security Standard and the Sarbanes-Oxley Act (SOX), many organizations are being pushed into "reactive mode." They scramble to simply meet the next deadline, and pass the current audit -- not able to plan ahead for what the next one may entail. This often comes at a cost with many resources dedicated to the latest fire-drill approach to get through the audit of the day.


In order to break out of that reactive rut, business managers, who are increasingly shouldering compliance responsibilities, need to be able to proactively evaluate the risks associated with access created (intentionally or not) within new virtualized or collaborative work environments. This means being able to answer critical questions about where the exposure is and what policy is being enforced, and in some cases, determine how they can go back and build policies around new access compliance exposures that are not currently being addressed.

In order to achieve a more continuous, proactive approach to compliance, the following are several steps your organization can take to ensure it is regulation-ready.

1. Determine Acceptable Levels of Risk
Many organizations analyze acceptable levels of risk based simply on their ability to pass an audit. But effective risk management is clearly a more complex beast. Organizations must be able to properly evaluate the point at which access reaches its tipping point, shifting from an asset to a liability. Consider access to private information, like patient records, or corporate information like financial data or competitive intelligence. Access by the wrong people at the wrong time can quickly result in a damaging data breach with significant legal and compliance implications.

Analyzing risk comes down to several key factors including determining where an organization's exposure is, what risk it can reasonably tolerate, and how it maintains and enforces policies in response to that risk.

Risk should not be limited only to exposure from regulatory compliance. Compliance and risk apply more broadly to include commercial compliance (the rules an organization must follow as a result of a business contract with other companies), and organizational compliance (compliance with internal company policies mandated by the business).

2. Set Policy to Manage Against Risk
To effectively manage against risk, organizations must be able to identify areas of exposure and apply appropriate policy, particularly as it relates to access. Effectively setting policy requires organizations to be able to map business needs to their IT infrastructure. For example, in many cases this means mapping policies to existing Identity and Access Management systems. Traditionally, Identity and Access Management solutions were relied on simply to provide the process and structure to manage digital identities. Today, these solutions also provide the process and infrastructure necessary to set and ensure appropriate access is tied to policy.

Dynamic role management capabilities support an effective Identity and Access Management strategy by enabling companies to set policies based on a particular business role or job category versus managing access by IT roles. Simply granting IT access for one individual by modeling the IT role after another can create policy infractions – rather than ensuring adherence to the guidelines established by true business need. The process of managing access by business role eliminates the risk of employees picking up access they shouldn’t throughout the duration of their employment.


3. Enforce Policy
Setting a policy and hoping for the best doesn't cut it when your organization is liable for maintaining confidential data. You must be sure that the policy is working. It cannot simply sit in a binder on the shelf. It must be actualized in day-to-day business operations. Easing policy enforcement can be achieved by automating the process of providing more granular entitlement information of not only who has access to what, but why they have it -- and how the access was granted in the first place. As a result, appropriate provisioning or de-provisioning actions based on policy-defined roles can take place proactively, not after a policy infraction has occurred.

4. Verify and Audit to Ensure Policies Are Being Followed
With automated Identity and Access Compliance systems, organizations should be able to easily view and monitor log files to make sure a policy is doing what it's supposed to be doing, without having to rely on lengthy manual reviews. Additionally, automating regular reviews of access rights in association with user provisioning and role management functions ensures effective remediation and Segregation of Duties (SoD) checking, which are critical to passing audits and achieving continuous compliance. Enabling line-of-business managers to easily review and attest to role-based user access creates effective audit trails of manager attestation actions, enabling audits that are decidedly more time- and cost-effective than the previous manual processes.

Compliance-Driven Best Practices
In addition to these four steps, there are several access compliance best practices that organizations can institute. As previously referenced, business managers continue to take on a more visible role in helping their organizations maintain strong policy compliance. As that responsibility shifts from the IT department, one of the first best practices to implement is encouraging policy definition in terms the business user can understand, versus previous overreliance on IT "jargon." A simple example is defining access rights associated with "check writing" or "travel and expense approval." Without translating policies in terms business managers will understand, automation alone won't have much of an impact.

Another best practice is ensuring there is a quick and easy process for remedying access that is out of compliance. This can be established by first putting in place both preventative and detective controls based on particular policy and security risk levels. These controls can support automated reviews of access rights in order to flag events or actions that appear to be out of the norm. Depending on the organization, this may mean reviewing access rights every quarter or every six months to ensure there are no SoD or other policy violations when provisioning a new employee. Examples would be an employee in a company's finance department who can both approve expenses and has check writing capabilities; a physician who has access to patient records for patients outside their specific care; retail employees who can access customer credit card data outside a specific transaction; or a pharmaceutical firm executive who has the ability to edit clinical trial results.
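The SoD checks described above, as an added illustration that is not part of the original article or any Courion product: access is derived from business roles (the approach of step 2), a preventative check runs before a grant is provisioned, and a detective review sweeps existing users. Role names, entitlement names and the sample users are constructed for this example.

```python
from typing import Dict, List, Set

# Constructed sample data: business roles mapped to the IT entitlements they carry.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "expense-approver": {"expense.approve", "erp.read"},
    "accounts-payable": {"check.write", "erp.read"},
    "executive": {"board.reports.read"},
}

# Toxic combinations taken from the article's examples. A rule fires when a
# user's effective access contains every item in the set; "role:<name>"
# entries let a rule refer to a business role as well as to an entitlement.
SOD_RULES: Dict[str, Set[str]] = {
    "approve-expenses-and-write-checks": {"expense.approve", "check.write"},
    "executive-edits-trial-results": {"role:executive", "trial.results.edit"},
}


def effective_access(roles: Set[str], direct: Set[str] = frozenset()) -> Set[str]:
    """Expand business roles into entitlements and add any direct grants."""
    access = {f"role:{r}" for r in roles} | set(direct)
    for role in roles:
        access |= ROLE_ENTITLEMENTS.get(role, set())
    return access


def violations(access: Set[str]) -> List[str]:
    """Names of every SoD rule fully contained in the given access set."""
    return sorted(name for name, combo in SOD_RULES.items() if combo <= access)


def preventative_check(current: Set[str], requested: str) -> List[str]:
    """Violations a requested grant would introduce; non-empty means block it."""
    before = set(violations(current))
    return [v for v in violations(current | {requested}) if v not in before]


def detective_review(users: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Periodic review: map each non-compliant user to the rules they violate."""
    found = {user: violations(access) for user, access in users.items()}
    return {user: v for user, v in found.items() if v}


# Constructed users: bob's access was cloned from alice and then extended with
# accounts-payable, the pattern the article warns about; carol is an executive
# who was directly granted the ability to edit trial results.
USERS: Dict[str, Set[str]] = {
    "alice": effective_access({"expense-approver"}),
    "bob": effective_access({"expense-approver", "accounts-payable"}),
    "carol": effective_access({"executive"}, direct={"trial.results.edit"}),
}
```

Running `preventative_check(USERS["alice"], "check.write")` flags the finance conflict before the grant lands, while `detective_review(USERS)` reports bob and carol for the quarterly review.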


In summary, an effective compliance solution should offer strong controls for examining user access, helping determine how that access compares against policy, and automation for remediation and corrective action. Tools that are built to provide structure and automation around access compliance processes should be tightly integrated with core Identity and Access Management functionality, including user provisioning, de-provisioning and role management. With the use of automation to support risk assessment and policy enforcement, combined with best practices that empower business managers to create more compliant work environments, organizations can achieve real results that go beyond simply "passing the audit" to achieving a more proactive, continuous compliance stance. This strategy will ultimately improve operational efficiencies and service quality, while standing up to the rigors of today's complex technology environments, and beyond.

About the Author

Kurt Johnson is responsible for Courion's strategic direction, product management, and securing and managing Courion's alliances and partnerships. Prior to Courion, he was vice president of the Service Management Strategies program at META Group, a leading industry research organization, where he established himself as a leading authority on the help desk, IT service management, system management and IT outsourcing markets. Johnson is widely recognized as an authority on support automation and self-service operations.


About Courion

Courion’s award-winning Access Assurance solutions are used by more than four hundred organizations and over 9 million users worldwide to quickly and easily solve their most complex identity and access management (password management, provisioning, and role management), risk and compliance challenges. Courion’s business-driven approach results in unparalleled customer success by ensuring users’ access rights and activities are compliant with policy while supporting both security and business objectives. For more information, please visit our website at, our blog at, or on Twitter at