Increasing regulatory requirements demand enhanced security and information technology oversight. Regulators want to know not only where the sensitive data came from, but also who might have seen it or changed it. Today’s regulations look beyond financial data into the business processes. This expanded scope, and the attestation requirements that Sarbanes-Oxley levies on publicly traded firms, broadens the risk portfolio that enterprises and their security operations must manage.

The largest new area of risk concerns people. Specifically, the greatest exposure resides in attesting to the integrity of the personnel systems. Who had physical and computer access to financial data? Who granted them that access? When was it granted? When was it revoked, if ever?

The key question: How can CFOs, CSOs, CISOs, CIOs and auditors confidently attest that user entitlements accurately reflect their organization’s privacy and business policies if they cannot clearly see into the provisioning process itself?

Seeing’s believing

Simplifying attestation begins with an understanding of what is required (or reasonable) to establish confidence. Auditors verify whether reporting is accurate through several steps. Auditors verify:

  • The sources of the data
  • The path that information follows
  • Which personnel are involved in those systems
  • The business processes by which those individuals are granted physical and computer access
  • The oversight and security measures in place that govern granting access
  • The process of denying access (i.e., Is access denied/removed? Who is notified?)
  • How access is removed when no longer appropriate
To perform this verification, the auditor needs to see the business process itself. Identity management solutions automate the provisioning of user entitlements to IT and other resources. If an executive or auditor is to be able to confidently attest that entitlements to critical systems have been provisioned appropriately, the system must provide full and intuitive visibility into provisioning processes. Two product requirements in particular will determine the solution’s ability to enable simple and confident attestation.

The Best Advice

Fully research competing offerings before buying identification, physical access and IT security solutions. What is the underlying architectural model? How much extra effort and cost is an audit capability? Does the solution force a static view of all identity data across all systems, or can it integrate with a dynamic operational environment?

Is a unitary, cohesive, holistic architecture underlying all functions within the suite? Once a system is provisioned, are all its provisioning actions auditable?

An efficient identity management system will allow senior leadership and the auditor to understand and rely on its functioning. As enterprises and their chief security officers realize benefits of transparency and clarity that effective identity management systems offer, deployments will move beyond those systems directly concerned with compliance to the wider infrastructure. A well-designed identity management system will be ready and able to take on that greater responsibility.

Programming-free workflow creation. User entitlement instructions are executed within identity management objects called “workflows.” Avoid solutions that require access and entitlements to be programmed into workflows. Auditors must work with consultants to decipher the program’s intent and outcome, resulting in significant delays, increased risk, reduced confidence and greater cost.

Programming-free workflows are robust.They enable the entire provisioning process to be visually illustrated end-to-end, and implemented using graphical tools without resorting to any programming or scripting. The result is a self-documenting provisioning process that can be easily and quickly validated.

Immediate and centralized logging of identity-related events. Unfortunately, nearly all identity management offerings today result from the acquisition of generations of diverse products, each with its own unique underlying architecture, data structures, scripting and programming environments.

Audit trail challenges

The largest problem from an audit and compliance perspective lies in the logging (or absence of logging) of each piece-part offered. Disparate or absent log data creates uncertainty and risk for an organization because no amount of testing can prove that the system is functioning correctly. For example, assuming audit records exist, the auditor must attempt to correlate disparate log entries with provisioning requests as they proceed through the system. This makes the auditor’s job complex, risky, error-prone and costly.

The only resolution is architectural integration, something not possible with pre-2005 solutions. Organizations should only consider security and IT solutions whose integration results from a unitary, cohesive, holistic architecture underlying all functions where any and all identity-related events can be centrally recorded in real-time. This enables comprehensive audit as a core capability, not as an expensive add-on product, and provides the clarity auditors need.