Identity management: an employee-centric approach
By Matt Came, CISSP
Organisations have had five years of grappling with Sarbanes-Oxley (SOX) since it was first introduced, aiming to protect shareholders from accounting fraud. Over this time companies have been trying to rationalise their SOX investment to reduce the cost of annual compliance. Technology of various kinds has been thrown at the problem with varying levels of success. Today, as the European and Japanese equivalents, EuroSox and J-Sox, are introduced, companies should learn the lessons of those that have already blazed the trail.
Enterprise identity management (IDM) has been heavily marketed as a SOX panacea by a number of vendors, but clients who have followed this route have found that things don't always go smoothly. The breadth of the sector means no single vendor can provide a complete solution. Coverage has improved recently due to market consolidation and emerging identity standards, but independent vendors still lead in many areas that are relevant to regulatory compliance.
Identity management was relatively successful when applied to automating account creation and deletion in response to staff leaving and joining a company. Some companies did struggle, but the successful ones made sure to standardise processes as much as possible, respect HR's sovereignty over employee records to avoid a political battle and try not to be over-ambitious. This solved part of the problem, but it was the easier part.
The second, more difficult, part where IDM has been applied is in defining and enforcing segregation of duties between different business applications. The size and complexity of this problem in a large multinational organisation can be enormous; preventing "toxic combinations" of access is a real issue. Understanding it and ensuring compliance is a major undertaking, which will only be solved by approaching the problem in a holistic manner that considers organisation and processes along with technology. Identity management products are only a small part of the solution.
Initial attempts to automatically enforce segregation of duties across applications were very often technology-focused projects sponsored by IT. This was, after all, one of the IT general controls, and therefore IT's problem. This approach often failed to deliver because of limitations in the IDM tools available at the time, constraints in the existing legacy applications and also because of an application-centred approach to the problem.
Taking this approach meant that an individual's access and entitlements were presented on an application-by-application basis, isolated from the business processes they supported. Business users who then had to review access lists to approve access couldn't see the whole picture. This led to an access recertification process that was ineffective: although access lists were approved, the approver wasn't really sure that there were no conflicts across applications.
These lessons have been learned and clients are now achieving more success by taking a user-centric view of entitlements. Sophisticated tools from companies such as Aveksa, Eurekify and SailPoint, which provide access and entitlement certification as well as some role mining functionality, are starting to gain a foothold in the access governance and compliance market. Building on a solid organisational understanding of where the toxic combinations of access and entitlements are across the business, and modelling this using these tools, allows recertification to take place on a user-by-user basis, improving visibility and business accountability.
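As an added illustration of the point above (not part of the original article), here is a small Python model of the two review styles using constructed sample data: checking each application's access list in isolation misses a toxic combination that spans two applications, while aggregating entitlements per employee surfaces it. The applications, users, entitlements and toxic pairs are all invented for the example.

```python
"""Cross-application segregation-of-duties check (constructed example).

Entitlements are stored per application, as an application-centric
review would see them. Aggregating them per employee (the user-centric
view) exposes toxic combinations that no single application reveals.
"""
from collections import defaultdict

# Constructed sample data: which entitlements each application grants to whom.
APP_ENTITLEMENTS = {
    "erp":      {"alice": {"create_vendor"}, "bob": {"view_ledger"}},
    "payments": {"alice": {"approve_payment"}, "bob": {"approve_payment"}},
    "hr":       {"carol": {"edit_salary", "approve_payroll"}},
}

# Constructed toxic combinations: entitlement pairs one person must never hold together.
TOXIC_PAIRS = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"edit_salary", "approve_payroll"}),
]


def per_application_conflicts(app_entitlements, toxic_pairs):
    """Application-centric review: inspect each application's access list on its own."""
    findings = []
    for app, users in app_entitlements.items():
        for user, ents in users.items():
            for pair in toxic_pairs:
                if pair <= ents:
                    findings.append((user, app, pair))
    return findings


def entitlements_by_user(app_entitlements):
    """User-centric view: map each employee to every entitlement and the app granting it."""
    by_user = defaultdict(dict)
    for app, users in app_entitlements.items():
        for user, ents in users.items():
            for ent in ents:
                by_user[user][ent] = app
    return by_user


def cross_application_conflicts(app_entitlements, toxic_pairs):
    """Flag toxic pairs held by one person, whichever applications grant the two halves."""
    findings = []
    for user, ents in sorted(entitlements_by_user(app_entitlements).items()):
        for pair in toxic_pairs:
            if pair <= set(ents):
                findings.append((user, {e: ents[e] for e in pair}))
    return findings
```

Alice's vendor-creation right in the ERP and payment-approval right in the payments system are each harmless when reviewed per application; only the per-user view shows that she can both create a vendor and pay it.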
Such an employee-centric approach to identity management means that transparency, ownership and accountability for compliance are increased.
Matt Came, CISSP, is a performance improvement management consultant, PricewaterhouseCoopers LLP