The Sarbanes-Oxley Act (SOX) has profoundly affected IT governance and operations, especially Section 404: Management Assessment of Internal Controls. Organizations of all sizes are struggling to put the processes and infrastructure in place to address SOX compliance needs.
Analysts project 2005 compliance related IT spending in the range from $1.5 billion to $5 billion. Early indications are that for many companies the cost of compliance is eroding profit margins. No one can predict what the impact of meeting SOX compliance requirements will be.
Conventional IT management approaches and traditional perimeter-based security models for managing SOX compliance fall short in solving both short and long-term compliance challenges. And those organizations that have taken the required steps to meet SOX compliance deadlines are asking – what now?
A new method for addressing SOX compliance needs is required; one that integrates into the existing infrastructure while providing new levels of control and visibility that will make the IT component of compliance continuous and ongoing. Compliance is driving innovation, and much of the innovation is focused on the role of identity and the ability to monitor and control interactions by identity.
The most important component of compliance concerns the management of risk. Risk management addresses how a company protects its operational and financial well-being. Ensuring the ongoing operations of an organization has always been difficult, but in today’s market the dramatic rise in interdependencies coupled with the large increase in operational complexities have greatly increased the risk factors.
A driving concept of section 404 of SOX is effectiveness of internal controls. Many organizations are trying to address this requirement by collecting and maintaining a massive amount of data from log files and system reports. Unfortunately, it’s nearly impossible to analyze this data. Companies hope that auditors will give tacit approval, but what if the data contains early indicators of actual problems? That just adds risk to the equation.
Manual processes are expensive, recurring, and prone to errors, exposing risk and depleting resources required to roll out new business initiatives. Ultimately, the internal control structure must be automated and continuous rather than periodic and incomplete.
Many executives believe they have satisfied the initial requirements of SOX through extensive use of manual processes that provide a snapshot of the IT infrastructure. Some have undergone tuning and added elements of access control. Most, however, acknowledge that these measures are incomplete and realize that they’ll be back at it again.
The deployment of so many IT infrastructure solutions has led to a nearly unmanageable collection of products, connections, skills and knowledge gaps that increase risk while compromising and limiting the ability to roll out new services. Managing all the layers and data logs is challenging, and viewing it holistically is nearly impossible. The problem is that SOX expects organizations not only to take an aggregated look at their IT environment, but also to tie it back to business processes.
In preparing to meet SOX regulations, organizations should be able to answer the following questions confidently: Can you clearly state who all your users are, do you know what they have access to, and can you show all the interactions among users, assets and applications? Do you have verifiable evidence that controls are working, that you took appropriate action when a policy infraction occurred, and can you provide it in minutes rather than months? A company that can’t answer these questions affirmatively should consider a new method.
With the adoption of identity management (IdM) and user provisioning solutions, the role of identity is clearly becoming central to managing users’ interactions. Provisioning automates and streamlines the process of establishing user accounts and assigning privileges to users and provides account permission data which makes it a useful compliance tool.
An identity-focused solution, however, takes the role of identity to the next level and provides a more feasible long-term solution. In such a solution, identity becomes the foundation for IT operations, representing the actual link to business initiatives and processes. By attaching identity to every interaction and making it pervasive, risk is brought under control and the system is continuously monitored for compliance. Such capabilities are currently available from innovative vendors who offer IdM technology in the form of a software and appliance solution.
Two types of automated controls – identity auditing and identity control – dramatically drive down manual IT audit activity while reducing critical areas that can be compromised. In such an environment identity extends beyond users to include assets, applications, transactions and data. Injecting identity at the network layer provides IT organizations with the knowledge of who is accessing what assets from where, both within and across enterprise boundaries. It uses this visibility to protect critical assets and ensure compliance, as well as the reporting to prove it, resulting in the simultaneous reduction of cost and risk.
By the way it functions all the way down to the network layer, the identity-focused enterprise actually improves on the performance of existing security and identity solutions. Such pervasive identity becomes the foundation for identity auditing and control by providing full visibility into the business transactions and establishing unequivocal proof of authorized actions and the response and control of unauthorized, illegal behavior. These are the automated controls that become the framework for SOX 404.
Four steps to becoming an identity-focused enterprise
Following are four recommended steps that can help to build an identity-focused enterprise.
1. Change your concept of identity
Many business and IT leaders correlate identities with users. This is only part of the equation. The concept of identity must be expanded beyond users to include systems, servers, applications, data and even entities such as transactions and events. In other words, everything should have an identity. As organizations analyze business processes and assess new business initiatives, they’ll see that all the business components can be assigned identities. Identity links business processes with the IT infrastructure, making identity the conduit for addressing compliance between them as well. With the deployment of pervasive identity, the road to continuous compliance becomes much more attainable.
2. Introduce identity auditing
Most decision makers try to address identity issues with broad-ranging directory initiatives or ambitious user provisioning projects. Although directories and user provisioning systems are essential and requisite IdM components, there are several distinct challenges when deploying them. The same holds true for other components of IdM such as single sign-on (SSO) and federated identity. Companies struggle to ascertain and identify the users, assets and applications necessary for provisioning, making the preliminary work difficult and expensive.
Controlling identity activity is nearly impossible, and some may argue that it’s the nature of the IT ecosystem. Unfortunately, in the regulatory and compliance world, that reasoning won’t protect a company. Moreover, reporting on perceived, known resources invites compliance disaster, for it is the unknown components that introduce risk.
Effective identity auditing, the process of identifying and controlling users, assets and applications by identity, establishes the critical foundation for successfully deploying user provisioning, isolating the components that need to be associated (such as user to application or user to asset).
Identity auditing has been a manually-intensive ad hoc process. Given the constant flux of IT infrastructure, the information compiled will already be out-of-date. Using this information for a compliance audit ignores risk factors and feeds into a provisioning system that is partially blind to reality.
3. Integrate identity management
Automation ultimately requires the ability to inject identity and track its activity and transactions across an enterprise and beyond, and to integrate this ability with existing IT infrastructure.
To successfully accomplish such integration, organizations must first determine all users, assets and applications in an identity-centric and consistent manner, making certain that the user provisioning solution is not compromised by unknown activity and that it aligns with the broader IT environment. Only properly provisioned users and applications based on policy should be able to communicate, providing full control and an audit trail. The organization must be able to confirm that all de-provisioned entities are eliminated with no access to IT resources, reducing the risk of invalid user actions.
The pairing of identity auditing with user provisioning provides an effective framework for real-time, proactive identity management that is continuously compliant and operationally effective. Bringing in a third party resource that is experienced in these processes and methods provides the means to ensure that the user provisioning project is operational.
4. Control identity operation
With so many organizations producing so many log files and report data, sometimes the style of compliance takes precedence over the substance of the audit. The reality is that many IT organizations don’t have the resources to process the logs, nor do they have the means to correlate information from disparate sources. The newer security event management (SEM) systems have improved, but the fundamental problem still exists. Essentially, it’s unproductive to apply security technology to solve an identity management problem.
Identity control is the foremost component in the IdM arsenal. Think of identity control as the IdM watchdog guarding the enterprise IT infrastructure. Identity control monitors users, assets, applications and transactions in real-time and ensures that all the identity-based user interaction is recognized and in alignment with business process requirements. This ties business operations to compliance and ensures that IT operates within business rules.
Compliance requirements aren’t going away and manual processes are an ineffectual solution. For business leaders, identity auditing and control solutions provide a valid alternative. A disciplined approach to addressing SOX 404 through the use of identity for automated controls provides an effective method. Automation is the key to expediting the compliance process and creating clear tracking for future auditing and accountability.
An identity-focused approach to Sarbanes-Oxley compliance eliminates having to rely on manual and complex processes. It helps not only to enable successful compliance, but also to control the ongoing costs of maintaining compliance. And, as we continue to witness merger and acquisition activity in the IdM space, new and innovative identity-focused companies and technologies are emerging whose products are rapidly maturing through deployment experience.