Identity Management and Access Control for Compliance
April 2009
Identity Management and Access Control are essential to organizations with compliance needs. Whether your concern is HIPAA in health care, PCI in the credit card industry, or SOX as a public company, you need to provide appropriate controls and solutions.
RBAC
Role Based Access Control (RBAC) is a best practice for securing access to applications and data. Be sure that your Identity Management (IdM) processes define roles for users that simplify your compliance. Adopt access control technologies that utilize the roles defined in your IdM systems. For example, PCI DSS calls for “Validation of proper role-based access control (RBAC)”.
Separation of Duties
Most rules and regulations call for Separation of Duties. Almost every industry has employees or other constituencies that are restricted from accessing systems or data used by other constituencies in order to avoid conflicts of interest. So-called “Chinese Walls” ensure separation of investment banking from brokerage operations, keep software developers from directly manipulating production systems, and reduce conflicts of interest in pharmaceutical clinical trials. RBAC, and in some cases rule-based access controls, should be part of your IT footprint.
Need to Know
Most rules and regulations have provisions based on “Need to Know”. For example, HIPAA calls for electronic protected health information (EPHI) to be restricted to only those employees who have a need for it to complete their job function. Access Control is essential to this function.
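As an added example (not from the article or any Symplified product) of how RBAC, Separation of Duties and Need to Know fit together, the Python below applies a constructed role policy: a role assignment that pairs mutually exclusive roles is rejected, access is granted only when a held role carries the requested permission, and every decision is written to an audit log. The role names, permissions and SoD pair are constructed sample values.

```python
"""Added example: RBAC with static Separation of Duties and audit logging.
The policy values below are constructed for illustration only."""
from dataclasses import dataclass, field

# Roles and the permissions each role grants (constructed sample policy).
ROLE_PERMS = {
    "developer": {"repo:write", "ci:run"},
    "release_mgr": {"prod:deploy"},
    "auditor": {"audit:read"},
}
# Static SoD: a principal may never hold both roles of a pair at the same time
# (here: the people who write code do not push it to production).
SOD_PAIRS = {frozenset({"developer", "release_mgr"})}


@dataclass
class AuditLog:
    """In-memory stand-in for a tamper-evident audit log."""
    entries: list = field(default_factory=list)

    def record(self, actor, action, decision, reason):
        self.entries.append({"actor": actor, "action": action,
                             "decision": decision, "reason": reason})


def validate_roles(roles):
    """Reject a role assignment that violates a Separation of Duties pair."""
    held = set(roles)
    for pair in SOD_PAIRS:
        if pair <= held:
            raise ValueError(f"SoD violation: {sorted(pair)}")
    return held


def check_access(actor, roles, permission, log):
    """Need to know: allow only if some held role grants the permission.
    Every decision, allowed or denied, is recorded with its reason."""
    try:
        held = validate_roles(roles)
    except ValueError as err:
        log.record(actor, permission, "deny", str(err))
        return False
    allowed = any(permission in ROLE_PERMS.get(r, set()) for r in held)
    log.record(actor, permission, "allow" if allowed else "deny",
               "role grants permission" if allowed
               else "no held role grants permission")
    return allowed
```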
Authentication
Authentication, the process of confirming a person’s identity, is an essential step in systems that restrict access to systems or data (or even physical access). For example, PCI DSS calls for secure authentication based on industry best practices. It is important to adopt technologies that support current needs and can keep up with evolving best practices and computing trends.
Audit Logging
Audit Logging involves the secure recording of data about audit-worthy activities such as transactions and access to protected data. It also addresses related activities such as privileged account management, user provisioning, and policy administration. Audit Logging, sometimes in combination with such tools as event correlation, Security Information and Event Management, and Data Loss Prevention, is important to compliance. For example, PCI stipulates Security Information and Event Management (SIEM) requirements that call for appropriate technology.
SaaS Computing
The changing landscape of compliance is underscored by recent discussions of privacy and other concerns as increasing amounts of personal data migrate into systems based on Software as a Service. This concern was debated at the recent FTC conference, “Securing Personal Data in the Global Economy.” While there are many opinions about how to ensure compliance with SaaS and the global marketplace, most will agree that it creates demand for new solutions. So when planning how your organization provides the above-mentioned capabilities, be sure you have a solution that also addresses SaaS.
Coby Royer, Technical Product Director
Symplified | The Cloud Security Company