By now it's been pretty well established that compliance is a driving force behind many Windows management and security initiatives. It's an approach I don't agree with, but it's still the reality.
Whether it's tactical or strategic, you need to be able to justify expenditures related to compliance. Identity and access management (IAM) is one of those technologies that makes such justifications pretty simple.
First, it's important to understand that compliance, as we know it in IT, is the act of adhering to certain established government and industry regulations. Looking deeper, compliance is really about implementing a system of technologies, documentation and processes that helps demonstrate that the business is doing what it's supposed to be doing to keep information private and secure. Visibility, control and automation are key to making it all work.
Given the criticality of user provisioning and controlling access to sensitive information, IAM is arguably one of the most important technologies to have -- that is, if you want to be in compliance with HIPAA/HITECH, PCI DSS, GLBA, and so on. Just how does identity and access management play into the compliance equation? Here are several good reasons:
- Managing a large number of users is tedious and repetitive. Numerous Windows operating systems and applications mean several data entry points and a greater opportunity for errors. Regulators and auditors probably won't show much sympathy for those errors, since you can largely automate this process using the right IAM technology.
- The mantra of many regulations is to ensure that users have a "business need to know." Identity and access management technologies allow you to focus on roles rather than people, so you can get it right the first time and not have to continually tweak user rights.
- The visibility, control, and automation necessary for compliance also happen to be the cornerstones of change management. Managing changes in a large Windows user base both efficiently and effectively is only possible with good IAM technologies and business processes.
- Compliance has its roots in policies, but those policies are only as good as their level of enforcement. In all but the smallest of organizations, policies for user provisioning and access control can only be reasonably enforced using identity and access management tools.
- System auditing -- being able to prove something did or did not occur -- is key for compliance. Relying on the tools built into Windows and related applications for audit insight can be futile. A good IAM product solves this problem.
- Being able to demonstrate compliance within your user administration processes requires consistency, timeliness and integrity -- three things that are at the heart of identity and access management.
Compliance isn't a one-time deal but rather an ongoing mode of operation. Used to your advantage, solid IAM tools will not only pay for themselves but also provide the consistency needed to achieve and maintain compliance down the road. This ultimately helps minimize business risk, which is one of the reasons those of us in IT exist anyway. Everyone wins.
ABOUT THE AUTHOR
Kevin Beaver (CISSP) is an information security consultant, expert witness, seminar leader and keynote speaker with Atlanta-based Principle Logic, LLC. Kevin can be reached at www.principlelogic.com.
This was first published in July 2010