Using Identity and Access Management Software for Audits

Regulation such as HIPAA, Basel II and Sarbanes-Oxley continues to overwhelm every business sector as organizations are continuously evaluated for their compliance with various standards, legislations and regulations. These evaluations, or audits, will sooner or later affect nearly every organization.

However, it’s not just top line executives that are affected by audits. In fact, ever more increasingly, IT departments are being brought into the audit response process, which means IT managers faced with an audit must be able to demonstrate full control of the data in which they manage.

Simply put, this means:

• IT departments must be able to demonstrate at any time who has access to what systems in the network, and when network actions have been performed (authorizations and reporting). For instance, IT manager should be able to indicate which employees are allowed to approve and pay invoices and who has reset employee X’s password and when.

• IT departments must implement a strong password policy.

Identity and access management (IAM) solutions provide IT administrators with support for legislative and regulatory compliance and are able to help them manage any audits such that:

Who Can Do What in a System?

Role-based access control (RBAC) is a technique for setting up authorization management in an organization and for providing insight into the questions of “who is allowed to do what in the network” and especially “who is not allowed to do so.” With RBAC, authorizations are not assigned to individual staff members but to RBAC roles, which in turn comprise the employee’s department, title, location and cost center. RBAC reduces the chance of error because network actions and changes can only be performed by people who are authorized to do so, based on their role or title.

Many organizations already use RBAC to a greater or lesser extent for: discovery, project implementation and population management. With the right solutions, organizations are able to reduce the hugely labor-intensive, complex and costly process with smart software that makes it possible to automate the majority of the population in an RBAC authorization matrix.

Using an RBAC system, the so-called organizational roles (the way in which employees are figured in the human resources database system, particularly in terms of title, department and cost center) are matched against the technical roles such as applications and folders present across the organization. Organizational partners and vendors can help organizations match their HR system and network, as well as analyze the current authorizations for each organizational role. This allows the organization to decide which HR attributes should be used for each organizational role.

The result of this alignment could be, say, that 90 percent of a particular organizational role (e.g. the role of nurse at the Cardiology department) involves particular authorizations. The logical step would then be to automatically assign all new employees in this role the same authorizations. By letting the occupancy rate govern the assignment of authorizations, a first step can be made toward populating the RBAC matrix in a very simple way. This approach can save you a great amount of time and money.

Strong password policy

Many laws and regulations require the implementation of a strong password policy (strong authorization). To achieve this, it is possible to activate the complexity rules in Windows Active Directory. However, you should first ask yourself whether this complexity is desirable for your organization, as this may have major consequences for your end users.

The default Windows Active Directory password complexity rules are often insufficient. Systems administrators need a more flexible solution that, among other things, makes it possible to determine individually, which rules are applied and when.

As mentioned, earlier, implementing a stricter password policy has major implications for end users, as well as the organization as a whole. End users will need to remember more complex passwords and since most of them will have trouble in doing so, the helpdesk is bound to receive more password reset calls.

To reduce the number of password reset calls, Tools4ever offers SSRPM (Self Service Reset Password Management), which lets end users reset their passwords independently by providing answers to a series of simple, predefined questions.

A stricter password policy also has consequences for the productivity of employees. They will have to remember more complex passwords for all of their applications, and will be far from happy with the situation. For this reason, many organizations choose to implement a single sign-on solution to cater for the needs of their end users.

A single sign-on solution (SSO) allows end users to log in once, after which they are automatically assigned access to all applications and resources across the network, without having to log in again. SSO functions as an additional software layer that handles all login processes and automatically enters the required credentials (automatic login). SSO also ensures that, in addition to Active Directory, a strong password is automatically used for all the underlying applications.

Two-factor authentication

When implementing a strong password policy is insufficient in itself (e.g. because end users end up jotting down their passwords), it is possible to use strong (two-factor) authentication. Rather than entering their user name and password, users will log in by holding a card against a card reader and entering a PIN code. This results in strong authentication, as two-factor authentication is based on something the user has (the card) and knows (the PIN code). In this set up, the card ID is linked to the user’s Active Directory credentials.

It is also possible to implement strong authentication without having to purchase additional hardware. In this scenario, the use of smartphones takes on an important role. This is because smartphones offer various authentication capabilities, such as facial recognition (using the camera), voice recognition (using sound recordings) and geographical positioning (using GPS). This type of low-cost authentication is the latest trend in the field of authentication.

For more details, please visit our website.