Some of the earliest PCs came with a lock and key, installed to prevent anyone except the owner from using the machine. Isn’t that interesting? Still, the fact that someone thought to literally lock the PC showed that access control was an afterthought for the budding personal computer industry. Prior to that, access to computers was self-limiting. If you weren’t a guy with a crew cut and a pocket protector, or maybe some long-haired Unix hippie, it was pretty clear you didn’t get access to the computer.
The proliferation of inexpensive PCs across the corporate world made access control a real problem. The issue was exacerbated first by the advent of LANs, but truly exploded into view with the rise of the Internet. With the Internet, pretty much anyone could access any device from any place. This is hugely risky, of course. At this point, companies wanted to know exactly who was who, and who was allowed access to each application and data resource. This was when Identity and Access Management (IAM) systems came of age.
What is Identity and Access Management?
Gartner refers to IAM as a “security discipline,” which is a good way of thinking about the work of staying on top of who people are and what digital assets they can access. IAM is a mix of technology, policy and process. The basic idea of IAM is pretty easy to understand. There’s a directory of users, which is mostly employees but may also include some contractors and third parties like IT consultants. The directory describes the systems each user has authorization to use.
IAM can get pretty complicated from there, however. People tend to move around inside of companies. With changes in roles come changes in authorizations. Then, there are varying levels of access within a system. For example, in an international company, users in a specific region should only be able to see data related to that region, and not others. The IAM solution and practices must stay on top of such policies.
Why would you need systematic IAM? You could, if you wanted, manually manage all identities and access controls. Small companies do this all the time. For any sizable organization, though, manual identity management is not a wise approach to staying secure. IAM is also required for certain aspects of compliance. Auditors want to see if you’re methodical about access management.
Doing IAM the right way leads to a reduction of data breach risk. This is true both for internal and external breaches. Use of an IAM solution makes it possible to define and enforce security policies related to access control equally across all users. You can authenticate each user as he or she logs into the network and then allow access according to defined privileges. This makes it less likely that a user will gain unauthorized access to confidential data. Similarly, an external attacker who penetrates the network will not automatically have access to any data that he or she wants to steal.
IAM also contributes to greater efficiency in security and IT operations. It does this by automating the initiating, capturing, recording and managing of user identities as well as their associated access privileges. Automating the process means less IT admin time spent on this aspect of security and compliance.
The Identity and Access Management Solution
IAM solutions usually comprise more than one system. In some cases, a single system will perform all the required functions. Usually, though, more than one system is needed. For example, an IAM solution might need to include systems for Single Sign-On, Multi-Factor Authentication (MFA), directory management and so forth. In our experience, an IAM solution should offer the following:
- All necessary controls and tools for the capture and recording of user login information—including management of the enterprise database of user identities
- Assignment and revocation of user access privileges, e.g. a centralized directory service with visibility into the complete company user base
- Simplified user provisioning and account setup, e.g. an automated workflow with administrator visibility into the process
- Multiple levels of review to enable effective checking of access requests
- Ability to create role-based access and establish groups with specific privileges for different roles
Cloud Identity and Access Management
One major challenge in IAM today is the need to extend access controls across multiple hosting environments. For instance, a user today might need to log into System A, which is hosted on-premises, System B, which is hosted on the Azure Cloud and System C, which is on AWS. To keep secure and avoid the nuisance of having the user log in separately to each environment, the IAM solution should work seamlessly in all three places. Most of the leading IAM solutions are making this capability available today.
IAM and SAP
IAM for SAP landscapes is critical for compliance as well as for maintaining a strong security posture. Given the criticality of the data held in SAP systems, it’s imperative to keep track of who has system access. And, you have to be in control of which system functionality and data each user can access. All the major IAM solutions work with SAP on-premises as well as in cloud-based and hybrid cloud architectures. The challenge is to understand how to make IAM work properly on SAP. This is an area where we can help.
IAM and GRC for SAP
Identity and Access Management figures prominently in the Governance, Risk Management and Compliance (GRC) activities that affect SAP. For example, IAM is essential for Segregation of Duties (SoD). SoD mitigates fraud risk by separating user privileges for different stages of a financial transaction. (E.g. you can’t both request and approve a check.) Compliance regulations like Sarbanes-Oxley (SOX) require establishment and auditing of SoD. As a result, SoD is part of the GRC function.
We work with many companies on implementing SoD through IAM systems in conjunction with our ControlPanelGRC solution. With ControlPanelGRC, we can do SoD risk analysis. We can examine users and their respective roles in the SAP environment, identifying access privilege conflicts that could constitute an SoD risk. ControlPanelGRC’s Access Controls Suite provides continuous monitoring of access risk and SoD violations.
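The role-based access described in the solution checklist above and the SoD risk analysis described here (examining users and their roles to find access privilege conflicts) come down to one computation: take the business functions each role grants, union them across the roles a user holds, and test the result against a ruleset of function pairs that must never sit with one person. The following is an added example, written for this page, and is not ControlPanelGRC, SAP or Symmetry code. The role names, functions, users and the three SoD rules are all constructed sample data; in a real landscape they would come from the directory and from the organisation's own risk ruleset. It also shows the preventive check an automated provisioning workflow would run before assigning a role, so a conflict is caught at request time rather than found later by continuous monitoring.

```python
"""Segregation-of-duties (SoD) risk analysis over user/role assignments.

Added illustration, not ControlPanelGRC or SAP code. Every role, function,
user and rule below is constructed sample data.
"""

# Constructed: the business functions each role grants (role-based access).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_invoice", "release_payment"},
    "PAYMENT_RUN": {"release_payment"},
    "AUDITOR_RO": {"view_invoice"},
}

# Constructed: pairs of functions one person must not hold together,
# each with a risk id and a plain-English reason for the report.
SOD_RULES = [
    ("SOD-001", "create_vendor", "release_payment", "Could pay a fictitious vendor"),
    ("SOD-002", "enter_invoice", "approve_invoice", "Could approve own invoice"),
    ("SOD-003", "approve_invoice", "release_payment", "Could approve and pay with no second review"),
]

# Constructed: current user -> role assignments from the directory.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER"},
    "carol": {"AP_CLERK", "PAYMENT_RUN"},
    "dave": {"AP_MANAGER", "AUDITOR_RO"},
}


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by every role the user holds."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    return funcs


def role_conflicts(role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Roles that violate a rule on their own (a design defect in the role,
    not in any one assignment); returns {role: [rule ids]}."""
    out = {}
    for role, funcs in role_functions.items():
        hits = [rid for rid, f1, f2, _ in rules if f1 in funcs and f2 in funcs]
        if hits:
            out[role] = hits
    return out


def analyze_sod(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Detective check: every (user, rule) violation in the current assignments,
    with the roles that contribute each side of the conflict."""
    violations = []
    for user in sorted(user_roles):
        funcs = effective_functions(user, user_roles, role_functions)
        for rule_id, f1, f2, reason in rules:
            if f1 in funcs and f2 in funcs:
                roles_f1 = sorted(r for r in user_roles[user] if f1 in role_functions.get(r, ()))
                roles_f2 = sorted(r for r in user_roles[user] if f2 in role_functions.get(r, ()))
                violations.append({"user": user, "rule": rule_id, "reason": reason,
                                   "roles": (roles_f1, roles_f2)})
    return violations


def would_violate(user, new_role, user_roles=USER_ROLES,
                  role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Preventive check for a provisioning workflow: rule ids that adding
    new_role to the user's existing roles would trigger (empty list = clean)."""
    funcs = effective_functions(user, user_roles, role_functions) | role_functions.get(new_role, set())
    return [rid for rid, f1, f2, _ in rules if f1 in funcs and f2 in funcs]


if __name__ == "__main__":
    for role, rids in role_conflicts().items():
        print(f"role {role} is internally conflicting: {', '.join(rids)}")
    for v in analyze_sod():
        print(f"{v['user']}: {v['rule']} via {v['roles']} ({v['reason']})")
    print("alice + AP_MANAGER would trigger:", would_violate("alice", "AP_MANAGER"))
```

Two of the findings in the sample data are worth noting. AP_MANAGER violates SOD-003 by itself, so every holder of that role is flagged regardless of what else they hold; the remediation is to split the role, not to chase individual users. carol is clean role by role but conflicting in combination, which is the case that is invisible unless the analysis is run over effective access rather than over the role catalogue alone.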
Talk to Symmetry to learn more about ControlPanelGRC and how the Access Controls Suite can help you make IAM an effective part of your GRC processes.