As personally identifiable information has increasingly become subject to government regulations, the risk to organizations of failing to comply has increased as well. Identity and access management solutions provide a way organizations can try to manage this risk. In this section, we explore the importance of identity and access management to securing and managing the organization’s sensitive data. The topics covered include improving visibility into the organization’s IT environment and ensuring data access to the right entities when needed, improving operational efficiency through identity and access management automation, and the importance of consistent enforcement of identity and access management policies.
1.5.1 Critical data: Ensuring authorized access only when needed
Governance of identity and access management both within and across organizational boundaries entails the ability to verify both the identity and entitlements of the users and services attempting to access resources in the IT environment. A system must be able to grant or deny access based on the entitlements of these users. Additionally, system administrators must be able to grant or revoke new entitlements to users and groups and propagate those changes throughout the entire system. Furthermore, organizations need to be able to manage access control not only on the application level, but also at the sub-application level with entitlements on individual operations within an application. These entitlements specify who is allowed access, what they are allowed to do, and under which contextual circumstances. For example, an online banking application might provide the following operations:
check_balance(account_id)
transfer_amount(src_account_id, dest_account_id, amount)
For simplicity, assume that there are only two groups of users: customers and bank staff. Bank staff should reasonably be allowed to check the balance of any account ID, while customers should only be allowed to check the balance on their own account. Similarly, bank staff should be able to transfer money between accounts in such a way that the transaction is logged so that it can be reflected in the account’s statements and audited later if necessary. Conversely, customers should only be able to transfer funds from their own accounts to destination accounts with the same auditability of the transaction. These requirements constitute the business rules that should be used to govern this simple banking application.
Translating these business rules into an actionable form is an essential challenge to overcome. With the proliferation of both client entities and protectable resources within most IT environments, overlaying business rules while managing the identity records and access entitlements can quickly become a cumbersome and complicated task.
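The two banking operations and the customer/staff rules above, worked through as an added Python example (not code from the original text): user names, account IDs and balances are constructed sample data, and the in-memory audit log stands in for the central audit repository the text describes.

```python
import time

# Constructed sample identity data (hypothetical users, roles and accounts).
ROLES = {"alice": "customer", "bob": "customer", "carol": "bank_staff"}
ACCOUNT_OWNERS = {"acct-1001": "alice", "acct-2002": "bob"}
BALANCES = {"acct-1001": 500.0, "acct-2002": 120.0}

# Central audit repository: every allow/deny decision is recorded here.
AUDIT_LOG = []

class AccessDenied(PermissionError):
    """Raised when the caller lacks the entitlement for an operation."""

def audit(user, operation, decision, **context):
    """Append an audit record so the decision can be reviewed later."""
    record = {"ts": time.time(), "user": user, "op": operation,
              "decision": decision, **context}
    AUDIT_LOG.append(record)
    return record

def is_entitled(user, account_id):
    """Entitlement rule: staff may act on any account, customers only on their own."""
    role = ROLES.get(user)
    if role == "bank_staff":
        return True
    return role == "customer" and ACCOUNT_OWNERS.get(account_id) == user

def check_balance(user, account_id):
    """Return the balance if the caller is entitled to see it; log either way."""
    if not is_entitled(user, account_id):
        audit(user, "check_balance", "deny", account_id=account_id)
        raise AccessDenied(f"{user} may not view {account_id}")
    audit(user, "check_balance", "allow", account_id=account_id)
    return BALANCES[account_id]

def transfer_amount(user, src_account_id, dest_account_id, amount):
    """Move funds; the entitlement is checked on the source account, whose funds leave."""
    ctx = {"src": src_account_id, "dest": dest_account_id, "amount": amount}
    if not is_entitled(user, src_account_id):
        audit(user, "transfer_amount", "deny", reason="not entitled", **ctx)
        raise AccessDenied(f"{user} may not transfer from {src_account_id}")
    if amount <= 0 or BALANCES[src_account_id] < amount:
        audit(user, "transfer_amount", "deny", reason="invalid amount", **ctx)
        raise ValueError("amount must be positive and covered by the source balance")
    BALANCES[src_account_id] -= amount
    BALANCES[dest_account_id] += amount
    audit(user, "transfer_amount", "allow", **ctx)
    return BALANCES[src_account_id]
```

Because denials are logged as well as successes, an auditor can later see not only what happened but which attempts the policy stopped.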
1.5.2 Driving operational efficiency through automation
Intelligent identity and access management solutions can ease the burdens of assigning roles and entitlements by automating the discovery, pre-processing, and collation of identity data. These data include business roles, entitlements, and other attributes, giving system administrators a reasonable basis from which to build an identity and access control system.
To extend the previous banking application example, suppose the bank’s managers have invested for the first time in an identity and access management system. It should be able to scan the user registry and automatically assign users to the appropriate roles, with the correct entitlements.
As the business requirements evolve, so must the business rules that make up the system of identity and access management governance. When the business rules change, so must the roles, entitlements, and other identity attributes. The identity and access management system can reduce the manual intervention required to complete these changes by automating the life cycle of roles and entitlements.
1.5.3 Enforcing consistent policy enforcement across the IT environment
A policy-based approach is the most direct way to conceptualize a group of business rules into an actionable directive. Collecting business rules for identity and access management and translating them into an enforceable form results in the production of a comprehensive IT security policy. This policy governs the IT resources of the organization and determines who is allowed access to each resource and under which contextual circumstances. In order for this policy to be an effective tool of governance, it must be enforced consistently across the IT environment.
Many IT environments are heterogeneous, with systems running existing applications on old hardware integrated with modern systems and new application types. As discussed earlier, service-oriented architectures can help to loosely couple these systems and facilitate communication between them.
However, it is important to be able to enforce IT security policy consistently, regardless of the technology endpoint involved. For example, the same identity and access management policy used to govern a composite web service application on a distributed application server platform should also be applied to an existing application running on the mainframe.
Consistent policy enforcement across the application and IT environment can reduce the complexity of identity and access management governance, as well as the cost of compliance with privacy and security regulations.
In addition, consistent policy enforcement can help to drive business workflow and automate business processes, resulting in less human intervention, greater efficiency, and reduced cost to manage the organization.
1.6 Compliance management
Organizations must be able to prove they are in compliance, for example, with regulations that govern the use of sensitive information. Compliance management can help to reduce the adverse consequences to an organization of failing to meet the requirements of these regulations. This section examines the importance of compliance management for application, process, data, and information security, discussing the impact of regulation and privacy concerns, assessing compliance requirements, and the relationship between compliance and governance.
1.6.1 Regulation and privacy concerns
In recent years, high profile corporate financial scandals and the increasing migration of personal information to online systems have ushered in a new era of government regulation of information. Such regulations include the Sarbanes-Oxley (SOX) Act, which introduced strict new financial reporting requirements. In the healthcare sector, the Healthcare Information Portability and Accountability Act (HIPAA) places strict constraints on how patient data is stored, transmitted, and shared. In the financial sector, the Basel II Framework promotes basic standards for banks worldwide.4
4 Basel II Framework: Devised by the Bank for International Settlements to set minimum capital adequacy requirements. For more information, refer to the following address:
With the emergence of social networking tools, unprecedented amounts of personal information have been uploaded to networks such as Facebook5, LinkedIn6, and Twitter7. For individuals, these online networks constitute an efficient way to communicate with friends, family, and professional associates. However, they also pose a privacy risk: the inadvertent disclosure of personal information can, in some cases, damage lives and careers. For organizations, these networks represent a new avenue for the accidental release of sensitive corporate data to unintended audiences. The demand for a high degree of privacy control and business policies to prevent data leaks places new governance requirements on organizations.
Failure to comply with government regulations and to meet the privacy needs of users can result in fines, litigation, and loss of revenue and customers. This can present a significant business risk; managers who do not handle this risk effectively do so at the peril of their careers and the organizations they manage.
1.6.2 Assessing compliance: The audit trail
Compliance depends on being able to verify that the organization is adhering to the regulations and following its own policies as well. Adherence to the rules can be verified only if the business functions implemented in the IT environment leave transparent audit records that can be independently verified later by an auditor.
Auditability of services ensures accountability for actions taken within the organization’s systems, and it provides two primary benefits: verifiable evidence of compliance and a source of event data should problems arise.
Just as identity and access management benefits greatly from a policy-based approach, so does compliance management. Asserting in a policy which operations require an audit record helps the business manager to translate the compliance requirements of government regulations into an enforceable business rule.
5 Facebook is a popular social networking website. For more information, refer to the following address: http://www.facebook.com
6 LinkedIn is the leading professional networking website. For more information, refer to the following address: http://www.linkedin.com
Ideally, this audit data is collected in a central repository, from which managers can generate reports, both to gather business intelligence and to demonstrate compliance. Effective compliance management requires the ability to assert rules, record the enforcement of those rules in audit records, and use the audit data to demonstrate proper enforcement. However, compliance management entails not only looking to past audit records to verify compliance, but also monitoring the system’s enforcement points in real time for possible infractions of the business rules. These management, enforcement, and reporting tasks can be disaggregated and delegated to appropriate roles within the organization, leading to greater flexibility and the possibility for greater alignment between the compliance management IT systems and the business roles of the organization.
1.6.3 Relating compliance management and governance
Compliance is inextricably related to governance and organizational control. In a complex IT environment, an application may be composed of both internal and external services, with the distinction not visible to the user. Nonetheless, these intraorganizational connections may impose both complex identity and access management and regulatory compliance requirements. A responsible manager will need to cope with these requirements, while providing a usable and compelling service to users. Compliance and organizational control are two related concepts that are important to understand.
Note: Being compliant versus being in control: If you have ever been audited (or audited someone), you probably know that there is a difference between being:
In compliance: All your systems and processes are operated and delivered according to the security policies and standards (and you have evidence for that).
In control: You know what is in compliance and what is not, you know why, and you have a plan of action.
Now, what is more important? Being in control is, because you could be in compliance by accident. Further, if you are compliant, but not in control, chances are high that you will not stay compliant for long. If you are in control, you will end up being compliant eventually. Or at least you will have it on record why you are not compliant.
And if you are not compliant and not in control, gaining control should be your primary goal.
Managing this complexity requires a normative statement as to how each component of the application should be accessed, what information can be shared across the organizational boundary, by whom, and what records of the transaction should be retained. Using a policy-based approach, this normative statement can be translated into a comprehensive IT security policy that can be centrally managed, distributed, enforced, and audited across a heterogeneous environment. Approaching compliance in this manner results in disciplined governance and vice versa.
Effective compliance management can result in better governance, reduced technological complexity, and lower cost of compliance.