Friday, 12/02/2005 2:21:57 AM

Leveraging an Identity Map for Regulatory IT Compliance
2005-10-17 12:00:00.0 CDT

http://www.s-ox.com/Feature/detail.cfm?articleID=1159

Sorry if posted.

By Brian Milas

In striving to meet regulatory requirements, reduce costs or improve security and user productivity through automated provisioning and password management projects, companies often find themselves facing a seemingly insurmountable problem of dispersed and inconsistent information on users' identities and resources. Mapping corporate identities allows enterprises to associate people with their resources and access permissions ("who has what?"). This helps establish a clean authoritative source of who has access to specific information.

Regulatory requirements such as HIPAA, Sarbanes-Oxley, and Gramm-Leach-Bliley focus on the identification of digital assets and access rights. Automated provisioning software assists in enforcing access requirements by addressing authentication, access controls, user account management, and real-time auditing and reporting capabilities.

Enterprise provisioning software can manage users’ digital identities, access rights, and resources through their entire corporate lifecycle - from on-boarding through internal change to termination. This is accomplished by looking at who is present (Authentication Management and Access Control), how they are managed (User Management, Delegated Administration, Workflow) and what they really need access to (User Provisioning and De-Provisioning) - all in a self-service manner that puts the information in the hands of those who know it best - the business line managers.

This article explores identity mapping and how to establish processes that will enhance an enterprise’s ability to ensure consistently updated information, authoritatively identify each resource to which a user has access, and provide detailed audit information to achieve regulatory compliance.

WHAT IS AN IDENTITY MAP?
Mapping corporate identities allows enterprises to associate people with their user identities and resources (“who has what?”) in order to establish a single authoritative source. Identity mapping projects are designed to identify many different kinds of resources including valid and assigned resources, orphaned resources, dormant (unused) resources, administrative resources or system resources.

User provisioning and password management software that is directly linked with an identity map ensures the secure association of people and resources required for secure, self-service, pre-approved or delegated identity management. This association of resources means that users can only manage the accounts that are appropriate for the person(s) being managed. The result of this automated identity management approach is increased efficiency and reduced support costs, as well as improved security and the ability to achieve regulatory compliance.

USING IDENTITY MAPPING TO IMPROVE SECURITY AND DECREASE COSTS
Having a map of all users and their associated resources allows enterprises to immediately act upon vulnerable accounts according to their security policies. For example, orphaned accounts - credentials on systems that are not associated with a valid subject in the organization – create a security loophole and access verification challenge.

Orphaned or unassigned accounts are typically remnants from an employee who has left the company, an employee who has transitioned to another role, or a contractor whose engagement has ended. Duplicate accounts may also be identified in organizations where seasonal workers return to a job and a new account is established instead of simply re-enabling the worker’s previously assigned account. Duplicate accounts are vulnerable to abuse from both internal and external sources. Security analysts estimate that as many as 20-25 percent of the accounts within an enterprise fall into the orphaned category.

Automated provisioning and de-provisioning enables the business manager or IT Security staff to deactivate all of the access rights of employees, partners, and contractors as soon as their relationship is terminated. This immediate termination of access rights dramatically improves security. By automatically terminating access rights, enterprises can decrease costs associated with security breaches.

An identity map may extend beyond traditional accounts to include other IT and non IT resources such as software licenses, cell phones, cell phone plans, computers, desks, or other non-IT assets. Timely and correct termination, de-allocation, or return to inventory of these resources can help reduce operation costs associated with items that are no longer in use. With integrated identity management software, enterprises are able to tighten security and reduce costs while efficiently solving a complex IT problem.

USING AN IDENTITY MAP TO ACHIEVE REGULATORY COMPLIANCE
Regulatory requirements such as HIPAA, Sarbanes-Oxley, and Gramm-Leach-Bliley put more focus on the identification of digital assets and access rights. Automated identity management software assists in enforcing access requirements by addressing authentication, access controls, user account management, and real-time auditing and reporting capabilities. Identity management software can manage users’ digital identities and access rights through their entire corporate lifecycle by looking at who is there (Authentication Management and Access Control), how they are managed (User Management, Delegated Administration, Workflow) and what they really need access to (User Provisioning and De-Provisioning) – all in a self-service manner that puts the information in the hands of those who know it best – the business line managers.

The problem with compliance from an IT perspective is that identity information is scattered throughout the enterprise. Corporations have a variety of users as well as many different types of applications and different identities across different platforms such as Active Directory, UNIX, and mainframe.

Achieving regulatory compliance today requires IT to:

• Establish consistent and repeatable business processes;

• Ensure that sensitive information can only be accessed by employees who need it to perform their job;

• Immediately delete access to information upon employee termination;

• Provide detailed audit information.

By establishing consistent identity mapping processes, enterprises can ensure consistently updated information, identify each account to which a user has access, and enhance their ability to achieve regulatory compliance.

OVERCOMING POLITICAL BARRIERS WITH IDENTITY MAPPING
By definition, effective identity management initiatives cross organizational and operational boundaries. The ability to pull information from different identity sources and utilize that information with disparate views to drive policies is both the blessing and curse of identity mapping processes. In order to successfully manage effective identity management and mapping initiatives, the IT department needs to present them as a solution that aligns to corporate initiatives, improves the existing business processes, provides technology that maps to the business, and ultimately provides the flexibility to match the way the company works today, as well as into the future.

In order to gain cross-functional support, IT is also wise to ensure that the identity mapping and larger identity management initiative is not intrusive to the lines of business. By being able to align the project with business goals and initiatives, IT can demonstrate how implementing identity mapping can help the enterprise run more efficiently and show incremental and measurable returns along the way.

An important component of identity management and identity mapping solutions that will impact the ultimate success of the overall projects is the requirement to not force a schema or process onto the business based on the proposed technology – but in fact to do just the opposite – utilize technology whose schema and processes adapt to the existing organization. This also ties into the need to be able to demonstrate real flexibility in making the identity mapping and larger identity management initiative map to the way the enterprise works today, and to show that it has the flexibility to mirror the inevitable changes that the organization will encounter moving forward.

Successful cross-functional deployments are all about the politics of reducing risk, reducing costs, minimizing impact and maximizing return. Identity mapping provides an excellent way for IT to introduce larger identity management initiatives to the enterprise, easing concerns and gaining cross-functional support.

BUILDING AN EFFECTIVE IDENTITY MAP
At its core, an identity map identifies “who has what”. Several different techniques may be used to construct the identity map - from a fully automated approach to a manual approach. Each offers pros and cons to be weighed against the requirements of the business and the user community being targeted. Once in place, the identity map is updated by the provisioning system as resources are added or deleted from the infrastructure.

The key to implementing a successful identity mapping process is to link a person’s profile to the accounts and resources assigned to them and store this information in a data repository. Identity management solutions leverage this capability to enable individuals, managers, security, or support staff to manage the resources appropriate to their profile for use in compliance, provisioning or password management activities.

Automated Approach
An automated approach to building an identity map involves using mapping rules to determine “who has what”. First, resources in the infrastructure (usually accounts) are discovered and inventoried. Next, mapping rules are applied to associate accounts on the target systems to individuals in the organization. Mapping rules typically use information about people (first name, last name, email address, location) and resources to locate the accounts that they are using. The rules accommodate the different naming conventions on target systems and name conflicts such as John Q. Smith and John A. Smith. The map is built and maintained on a scheduled basis making mapped resources available for use in provisioning, compliance and password actions.

Automated identity mapping generally consists of four steps:

1. Discover the accounts on systems in the infrastructure and move them to a staging area.

2. Apply exclusions on accounts and profiles that are not part of identity management (e.g., system, admin or other sensitive accounts).

3. Run mapping rules that match profiles and accounts. Mapping rules may vary by company, business unit, geography, platform, etc. The mapping rules must be able to handle this level of complexity to be effective.

4. Apply manual mappings that have been pre-defined in the system. Typically resolved by an administrator, these mappings represent conflict resolution or mapping of accounts that are not covered by any rules.

PROS: The automated approach provides the most streamlined end user experience, as the individuals are not required to take any action. The map quickly provides a view of orphaned resources that could not be associated with a person.

CONS: With this technique the administrator is responsible for refining the mapping rules, resolving conflicts, resolving unmapped resources, and excluding administrative resources.

Manual Approach
A manual approach, or resource claiming, requires owners to identify or “claim” the resources that they use or manage. The claiming process may require the owner to validate that they are entitled to “own” the resource. For example, when the resource is an account, the owner can be challenged to login and authenticate with its credentials. Once authenticated, the identity map associates the account with the owner.

Another variation is an administrative claim, or assignment of a resource to an owner. For example, an IT security administrator might simply assign accounts to John Q. Public without authenticating to the accounts. This approach is useful when a privileged user needs to manage the identity map, adding and removing entries in a manual fashion.

PROS: Resource claiming provides a quick way to deploy and begin building an identity map. Mapping rules and conflict resolution rules are not required for the claiming process. When authentication is used with claiming, the additional verification provides a level of protection to ensure correct assignment of resources to owners in the identity map.

CONS: This technique increases the time it takes to build a complete identity map, depending on the rate at which users adopt the new process and claim their resources. This approach relies on resource owners (users) adding resources to the map. It also places some burden on the end users. End users must understand how systems and applications are named, then submit their account names and credentials for verification. Thus, the completeness of the resources available in the identity map for compliance, provisioning or password management may be delayed. Because orphan and unused resources are identified from the identity map, their identification may be delayed as well.

Hybrid Model
By combining elements of automated identity mapping with elements of claiming, a hybrid model can be used to build the identity map. Suggestions are used in the context of claiming to propose the resource that the system believes should be associated with an individual. These suggestions are based on mapping rules that are similar to those used in the fully automated approach. Once resources are selected from the suggestion list, the various claiming methods are employed to add the resources to the identity map. Suggestions help guide the end users through the claiming process, reducing some of the complexity of a pure claiming approach. The speed at which the identity map is built and the time to completion is still, in part, dependent on the adoption rate of claiming.

The identity mapping process, no matter which approach is taken, generates a list of unmapped accounts: accounts where no profile was matched, conflicts where two or more profiles were matched, and accounts that other aspects of the rules moved into the unmapped category. The set of unmapped accounts is the candidate list of orphaned accounts that can then be dealt with according to the security policy.

IMPROVING ACCOUNTABILITY WITH IDENTITY MAPPING
In today’s constantly evolving marketplace, the ability to perform identity mapping across an enterprise has become a corporate imperative. An identity map provides a central view of “who has what” that is leveraged for performing compliance and attestation actions, provisioning actions and password management. By tracking “who has what,” the identity map also shows resources that are not owned by a subject. These orphaned or unused resources are a potential security risk that can be addressed with deprovisioning or disablement.

Identity mapping solutions can help to ensure consistently updated information. They allow enterprises to authoritatively identify each resource to which a user has access and provide detailed audit information to achieve regulatory compliance while reducing operational costs and improving security.

dude_danny
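The four-step automated mapping procedure the article describes (discover accounts, apply exclusions, run mapping rules, apply pre-defined manual mappings) and the unmapped/conflict list it produces, as an added Python example. This is not code from the article, from the quoted author, or from any provisioning product. The platforms (ad, unix, mainframe), the per-platform naming conventions, the exclusion lists, the HR profiles and the discovered accounts are all constructed for illustration; in particular the two John Smith profiles are there to show how a name-only rule produces a conflict that an e-mail rule or a manual mapping must resolve.

```python
"""Toy identity map builder: discover -> exclude -> rule-match -> manual map -> report."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str          # target platform the account was discovered on
    name: str            # account name as it appears on that platform
    email: str = ""      # e-mail attribute, if the platform exposes one (e.g. AD)


@dataclass(frozen=True)
class Profile:
    person_id: str       # authoritative HR identifier
    first: str
    last: str
    middle: str = ""
    email: str = ""


# Constructed HR profiles (the authoritative "who").
PROFILES = [
    Profile("P001", "John", "Smith", "Q", "john.q.smith@example.com"),
    Profile("P002", "John", "Smith", "A", "john.a.smith@example.com"),
    Profile("P003", "Maria", "Garcia", "", "maria.garcia@example.com"),
]

# Step 1: constructed inventory of accounts discovered on three platforms.
DISCOVERED = [
    Account("ad", "jqsmith", "john.q.smith@example.com"),
    Account("ad", "jasmith", "john.a.smith@example.com"),
    Account("ad", "mgarcia", "maria.garcia@example.com"),
    Account("ad", "Administrator"),
    Account("unix", "jsmith"),         # ambiguous: fits both John Smiths by name
    Account("unix", "mgarcia"),
    Account("unix", "root"),
    Account("unix", "tbrown"),         # nobody in HR matches: orphan candidate
    Account("mainframe", "MGARC01"),   # site-specific naming, not covered by rules
    Account("mainframe", "IBMUSER"),
]

# Step 2 input: assumed system/admin accounts that are out of scope (compared case-insensitively).
EXCLUSIONS = {
    "ad": {"administrator", "guest", "krbtgt"},
    "unix": {"root", "daemon", "nobody"},
    "mainframe": {"ibmuser"},
}

# Step 4 input: assumed administrator-defined mappings for accounts no rule can resolve.
MANUAL_MAPPINGS = {("mainframe", "MGARC01"): "P003"}


def exclude(accounts):
    """Step 2: split the inventory into in-scope accounts and excluded system accounts."""
    kept, excluded = [], []
    for a in accounts:
        (excluded if a.name.lower() in EXCLUSIONS.get(a.system, set()) else kept).append(a)
    return kept, excluded


def candidate_names(p, system):
    """Assumed naming conventions a mapping rule accepts for profile p on a platform."""
    if system == "mainframe":
        return set()  # assumed: mainframe names follow a local scheme, left to manual mapping
    f, l = p.first.lower(), p.last.lower()
    names = {f"{f[0]}{l}", f"{f}.{l}"}
    if p.middle:
        names.add(f"{f[0]}{p.middle[0].lower()}{l}")
    return names


def match_rules(account, profiles):
    """Step 3: return every profile id some rule matches (1 = mapped, >1 = conflict, 0 = unmapped)."""
    hits = set()
    for p in profiles:
        # Strongest rule: exact e-mail match when both sides carry an address.
        if account.email and p.email and account.email.lower() == p.email.lower():
            hits.add(p.person_id)
        elif account.name.lower() in candidate_names(p, account.system):
            hits.add(p.person_id)
    return hits


def build_identity_map(accounts, profiles, manual=MANUAL_MAPPINGS):
    """Run all four steps and return mapped, conflicting, unmapped and excluded accounts."""
    in_scope, excluded = exclude(accounts)
    mapped, conflicts, orphan_candidates = {}, {}, []
    for a in in_scope:
        key = (a.system, a.name)
        if key in manual:                  # Step 4: administrator decision overrides the rules
            mapped[key] = manual[key]
            continue
        hits = match_rules(a, profiles)
        if len(hits) == 1:
            mapped[key] = next(iter(hits))
        elif hits:
            conflicts[key] = sorted(hits)  # needs conflict resolution, not auto-mapped
        else:
            orphan_candidates.append(key)  # no owner: review under the security policy
    return {
        "mapped": mapped,
        "conflicts": conflicts,
        "orphan_candidates": orphan_candidates,
        "excluded": [(a.system, a.name) for a in excluded],
    }


def who_has_what(result):
    """Invert the map into the per-person view used for attestation: person -> resources."""
    view = {}
    for (system, name), pid in result["mapped"].items():
        view.setdefault(pid, []).append(f"{system}:{name}")
    return {pid: sorted(v) for pid, v in view.items()}


if __name__ == "__main__":
    r = build_identity_map(DISCOVERED, PROFILES)
    print("who has what:", who_has_what(r))
    print("conflicts:", r["conflicts"])
    print("orphan candidates:", r["orphan_candidates"])
```

Running it maps the three AD accounts by e-mail, maps `unix:mgarcia` by the first-initial-plus-surname rule, flags `unix:jsmith` as a conflict between P001 and P002 rather than guessing, resolves `mainframe:MGARC01` only through the manual mapping, and leaves `unix:tbrown` as the single orphan candidate. The excluded list is kept, not discarded, so the administrator can review what was taken out of scope.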
