Friday, February 15, 2013

3 ways to use Identity & Access Management software for audits


HIPAA, Basel II, SarBox… and the list goes one. Organizations are evaluated for compliance with various standards, legislations and regulations. These evaluations are called audits and sooner or later, your organization will be one. If you are an IT manager and faced with an audit, you should be able to demonstrate you have your network fully under control. Among other things, this means that you:
  1. Must be able to demonstrate at any time who is allowed to do what in the network, and when network actions have been performed (authorizations and reporting). For instance, you should be able to indicate which employees are allowed to approve and pay invoices and who reset employee X’s password and when.
  2. Must have implemented a strong password policy.

The Identity & Access Management (IAM) solutions by Tools4ever provide you with additional support in legislative and regulatory compliance, to wit:

Who can do what?
Role Based Access Control (RBAC) is a technique for setting up authorization management in an organization and for providing insight into the questions of ‘who is and is not allowed to do what in the network’. With RBAC, authorizations are not assigned to individual staff members but to RBAC roles, which in turn comprise the employee’s department, title, location and cost center. RBAC reduces the chance of error because network actions and changes can only be performed by people who are authorized to do so based on their role/title.

Many organizations already use RBAC to a greater or lesser degree: discovery, project, implementation, population or management. Tools4ever assists dozens of organizations in setting up an RBAC authorization matrix. This is a hugely labor-intensive, complex and costly process. Tools4ever’s smart software makes it possible to automate the majority of the population of the RBAC authorization matrix.

Using UMRA, the so-called organizational roles - the way in which employees are designated in the HR system, particularly in terms of their title, department and cost center - are matched against the technical roles - applications and folders - present across the organization. Tools4ever can help organizations match their HR system and network, as well as analyze the current authorizations for each organizational role. This allows the organization to decide which HR attributes should be used for each role.

The result of this alignment could be, say, that 90% of a particular role, e.g. the role of nurse at the Cardiology department, involves particular authorizations. The logical step would then be to automatically assign all new employees in this role the same authorizations. By letting the majority govern the assignment of authorizations, a first step can be made towards populating the RBAC matrix in a very simple way. This approach can save you a great amount of time and money.

Strong password policy
Many laws and regulations require the implementation of a strong password policy (strong authorization). To achieve this, it is possible to activate the complexity rules in Windows Active Directory. However, you should first ask yourself whether this complexity is desirable for your organization, as this may have major consequences for your end users.

The default Windows Active Directory password complexity rules are often insufficient. Systems administrators need a more flexible solution that, among other things, makes it possible to determine individually, which rules are applied and when. For this type of scenario, Tools4ever offers Password Complexity Manager (PCM). PCM makes it possible to implement different security levels for different types of end users, based on their organizational roles and titles.

As mentioned, earlier, implementing a stricter password policy has major implications for end users as well as the organization as a whole. End users will need to remember more complex passwords and since most of them will have trouble in doing so, the helpdesk is bound to receive more password reset calls.

To reduce the number of password reset calls, Tools4ever offers Self Service Reset Password Management (SSRPM), which lets end users reset their passwords independently by providing answers to a series of simple, predefined questions.

A stricter password policy also has consequences for the productivity of employees. They will have to remember more complex passwords for all of their applications, and will be far from happy with the situation. For this reason, many organizations choose to implement a SSO solution to cater for the needs of their end users.

Our Enterprise Single Sign On Manager solution (E-SSOM) - allows end users to log in once, after which they are automatically assigned access to all applications and resources across the network, without having to log in again. E-SSOM functions as an additional software layer that handles all login processes and automatically enters the required credentials (automatic login). E-SSOM also ensures that, in addition to Active Directory, a strong password is automatically used for all the underlying applications.

For organizations that do not use SSO but nevertheless want to make sure their end users are less hindered by a stricter password policy, Password Synchronization Manager (PSM) is an eminently suitable solution. It allows end users to use a single password for each system or application. When an end user’s Active Directory password is reset, PSM ensures that all linked systems and applications receive and use the new password.

Two-factor authentication
When implementing a strong password policy is insufficient in itself (e.g. because end users end up jotting down their passwords), it is possible to use strong (two-factor) authentication. Rather than entering their user name and password, users will log in by holding a card against a card reader and entering a PIN code. This results in strong authentication, as two-factor authentication is based on something the user has (the card) and knows (the PIN code). In this set-up, the card ID is linked to the user’s Active Directory credentials.

It is also possible to implement strong authentication without having to purchase additional hardware. In this scenario, the use of smartphones takes on an important role. This is because smartphones offer various authentication capabilities, such as facial recognition (using the camera), voice recognition (using sound recordings) and geographical positioning (using GPS). This type of Low Cost Authentication is the latest trend in the field of authentication.

Automated logging
The solutions by Tools4ever ensure that all processes leave an audit trail. For each action, the system automatically logs who has performed which management activity at which moment. In this way, the organization can verify previous processes at any time and evaluate these retroactively. This is indispensable, as sound registration is a precondition for a successful audit.
For more information, please visit our website

No comments:

Post a Comment