Identity management: an employee-centric approach
By Matt Came, CISSP
Organisations have had five years of grappling with Sarbanes-Oxley (SOX) since it was first introduced, aiming to provide shareholder protection from accounting fraud. Over this time companies have been trying to rationalise their SOX investment to reduce the cost of annual compliance. Technology of various kinds has been thrown at the problem with varying levels of success. Today, as the European and Japanese equivalents, EuroSox and J-Sox, are introduced, companies should learn the lessons of those that have already blazed the trail.
Enterprise identity management (IDM) has been heavily marketed as a SOX panacea by a number of vendors, but clients who have followed this route have found that things don't always go smoothly. The breadth of the sector means no single vendor can provide a complete solution. Coverage has improved recently due to market consolidation and emerging identity standards, but independent vendors still blaze a trail in many areas that are relevant to regulatory compliance.
Identity management was relatively successful when applied to automating account creation and deletion in response to staff joining and leaving a company. Some companies did struggle, but the successful ones made sure to standardise processes as much as possible, respected HR's sovereignty over employee records to avoid a political battle, and tried not to be over-ambitious. This solved part of the problem, but it was the easier part.
The second, more difficult, part where IDM has been applied is in defining and enforcing segregation of duties between different business applications. The size and complexity of this problem in a large multinational organisation can be enormous: preventing "toxic combinations" of access is a real issue. Understanding it and ensuring compliance is a major undertaking, which will only be solved by approaching the problem in a holistic manner that considers organisation and processes along with technology. Identity management products are only a small part of the solution.
Initial attempts to automatically enforce segregation of duties across applications were very often technology-focussed projects sponsored by IT. This was, after all, one of the IT general controls, and therefore IT's problem. This approach often failed to deliver because of limitations in the IDM tools available at the time, constraints in the existing legacy applications, and also because of an application-centred approach to the problem.
Taking this approach meant that an individual's access and entitlements were presented on an application-by-application basis, isolated from the business processes they supported. Business users who then had to review access lists to approve access couldn't see the whole picture. This led to an access recertification process that was ineffective: although access lists were approved, the approver wasn't really sure that there were no conflicts across applications.
These lessons have been learned and clients are now achieving more success by taking a user-centric view of entitlements. Sophisticated tools from companies such as Avenska, Eurekify and Sailpoint, which provide access and entitlement certification as well as some role mining functionality, are starting to gain a foothold in the access governance and compliance market. Building on a solid organisational understanding of where the toxic combinations of access and entitlements are across the business, and modelling this using these tools, allows recertification to take place on a user-by-user basis, improving visibility and business accountability.
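The difference between the application-centred review described earlier and the user-centric view is easiest to see in code. The following is an added illustration, not code from the article or from any of the vendors it names: it takes constructed per-application access lists, inverts them into a per-user view of everything each person holds, and evaluates a small set of hypothetical toxic-combination rules against both views. The rule names, application names and entitlement names are all made up for the example.

```python
"""Cross-application segregation-of-duties (SoD) check: application-centric
review versus a user-centric entitlement view. Added example; all data is constructed."""
from collections import defaultdict

# Constructed sample data: one access list per application, as an approver
# reviewing that application alone would see it.
APP_ACCESS = {
    "erp_finance": {
        "alice": {"create_vendor"},
        "bob": {"approve_payment"},
        "carol": {"create_vendor"},
    },
    "payments": {
        "alice": {"release_payment"},
        "carol": {"view_report"},
    },
    "hr": {
        "bob": {"edit_payroll"},
        "dave": {"edit_payroll", "approve_payroll"},
    },
}

# Hypothetical toxic combinations. Each rule is the set of (application, entitlement)
# pairs that no single person should hold together. The first rule spans two
# applications; the second lives entirely inside one.
SOD_RULES = [
    ("vendor-create-and-pay",
     {("erp_finance", "create_vendor"), ("payments", "release_payment")}),
    ("payroll-edit-and-approve",
     {("hr", "edit_payroll"), ("hr", "approve_payroll")}),
]


def application_centric_conflicts(app_access, rules):
    """Conflicts visible when each application's list is reviewed on its own.
    Only combinations fully contained in a single application can be spotted."""
    conflicts = defaultdict(list)
    for app, users in app_access.items():
        for user, ents in users.items():
            held = {(app, e) for e in ents}
            for name, combo in rules:
                if combo <= held:
                    conflicts[user].append(name)
    return dict(conflicts)


def user_centric_view(app_access):
    """Invert application-keyed lists into one set of (app, entitlement) pairs per user."""
    view = defaultdict(set)
    for app, users in app_access.items():
        for user, ents in users.items():
            for e in ents:
                view[user].add((app, e))
    return dict(view)


def find_conflicts(view, rules):
    """Return {user: [rule_name, ...]} for every user holding a complete toxic combination,
    regardless of how many applications the combination spans."""
    conflicts = defaultdict(list)
    for user, ents in view.items():
        for name, combo in rules:
            if combo <= ents:
                conflicts[user].append(name)
    return dict(conflicts)


def recertification_report(app_access, rules):
    """One line per user for a user-by-user recertification: everything they hold
    across all applications, with any SoD conflict flagged beside it."""
    view = user_centric_view(app_access)
    conflicts = find_conflicts(view, rules)
    lines = []
    for user in sorted(view):
        ents = ", ".join(f"{app}:{e}" for app, e in sorted(view[user]))
        flag = " CONFLICT " + ", ".join(conflicts[user]) if user in conflicts else ""
        lines.append(f"{user}: {ents}{flag}")
    return lines


if __name__ == "__main__":
    print("application-centric:", application_centric_conflicts(APP_ACCESS, SOD_RULES))
    print("user-centric:", find_conflicts(user_centric_view(APP_ACCESS), SOD_RULES))
    for line in recertification_report(APP_ACCESS, SOD_RULES):
        print(line)
```

Reviewing one application at a time catches only dave, whose two payroll entitlements sit in the same system; alice's combination of vendor creation in the ERP and payment release in the payments system is invisible to either application's approver and only appears once her entitlements are aggregated into a single view. In a real deployment the rules would come from the organisational analysis of toxic combinations the article describes, and the access lists from the IDM tool's connectors rather than an inline dictionary.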
Such an employee-centric approach to identity management means that transparency, ownership and accountability for compliance are increased.
Matt Came, CISSP, is a performance improvement management consultant at PricewaterhouseCoopers LLP.