Wednesday, June 22, 2005

ID and Access Management

Paraphrasing a friend of mine, it used to be called good business practice. Now it’s called “Sarbanes-Oxley compliance.”

The Sarbanes-Oxley law impacts public companies, companies that want to go public, and companies that have public debt. Basically, it says that the CEOs and CFOs of these companies must vouch for their quarterly financial statements. If the statements happen to be misstatements, these officers can be personally fined, and face jail time in extreme cases.

There’s more. Anything pervasive, that permeates the company and its functions, must be managed to an industry standard. This includes Information Technology (IT) for most companies, because of the prevalence of PCs, laptops, networks, and customer data that must be managed and protected. Unfortunately, Sarbanes-Oxley does not establish the standards. A company has to decide on a standard, such as COBIT, ISO or ITIL. The company then has to figure out what parts of the standard it will adopt, what parts it won’t, and be able to explain why such decisions were made.

When outside auditors look at a company’s IT department, IT’s security stance will be one of the first places they look for a material weakness—a flaw big enough to consider the company to be dangerously out of compliance. One of the easiest places to find a problem is in the area of ID and Access Management.

Many organizations have trouble controlling the development and deployment of ad hoc systems in their departments. It’s often easy for a department manager to decide they have a need and implement an off-the-shelf solution—especially if IT has been relegated to merely supporting networks, phone systems, and desktop users.

What happens next is that there is no strong process or follow-up (control) to ensure that when personnel leave, their IDs and access are removed from the various applications they had access to. This leaves a large security risk if they happen to figure out how to get back onto an application and create mayhem.

Sometimes there’s a process in place, but no reconciliation effort for when the process breaks down. Let’s imagine that there is some way the word gets around when an individual leaves, and usually their access is shut down. Is there any reconciliation process that compares current personnel with the lists of IDs on the various applications on a regular basis? Probably not. The task is further complicated by the fact that employees and temporaries may be tracked differently, and therefore there is no comprehensive list to compare to.
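The reconciliation check described above, as an added example that is not part of the original post: it merges an employee roster and a separately tracked temporary roster into one list of active personnel, then flags every application account that has no active owner. The rosters, applications and account names are constructed sample data, and the field names are assumptions.

```python
"""Periodic ID reconciliation: application account lists versus the
personnel who should currently have access, drawn from two rosters."""

# Constructed sample data (hypothetical people and systems, not from the post).
# Employees and temporaries are tracked in different systems with different fields.
EMPLOYEES = [
    {"id": "E1001", "email": "alice@example.com", "status": "active"},
    {"id": "E1002", "email": "bob@example.com", "status": "terminated"},
]
TEMPS = [
    {"badge": "T-77", "email": "carol.temp@example.com", "end_date": "2005-09-30"},
]
# Account lists exported from each application; note the mixed-case entry.
APP_ACCOUNTS = {
    "payroll": ["alice@example.com", "bob@example.com", "svc_backup"],
    "crm": ["Carol.Temp@Example.com", "dave@example.com"],
}
# Known non-personal accounts, reviewed under a separate control.
SERVICE_ACCOUNTS = frozenset({"svc_backup"})


def normalize(ident):
    """Canonical form so the same person matches across differently kept lists."""
    return ident.strip().lower()


def current_personnel(employees, temps, today):
    """Build the single comprehensive set of active identities the post says
    is usually missing: active employees plus temporaries whose end date has
    not passed (ISO dates compare correctly as strings)."""
    active = {normalize(e["email"]) for e in employees if e["status"] == "active"}
    active |= {normalize(t["email"]) for t in temps if t["end_date"] >= today}
    return active


def reconcile(app_accounts, personnel, service_accounts=frozenset()):
    """Return {application: [orphaned accounts]} for accounts that belong to
    neither an active person nor a recognised service account."""
    findings = {}
    for app, accounts in app_accounts.items():
        orphans = sorted(
            acct for acct in accounts
            if normalize(acct) not in personnel
            and normalize(acct) not in service_accounts
        )
        if orphans:
            findings[app] = orphans
    return findings


if __name__ == "__main__":
    people = current_personnel(EMPLOYEES, TEMPS, today="2005-06-22")
    for app, orphans in reconcile(APP_ACCOUNTS, people, SERVICE_ACCOUNTS).items():
        print(f"{app}: remove or justify {orphans}")
```

Run on a schedule against fresh exports, the non-empty findings are the accounts the leaver process missed.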

As a solution, the standard-bearers advocate a single function—in IT or a related department—to perform ID and Access Management from a central office and computer console. There are a number of consulting companies out there that specialize in helping clients find the right technology fit for the situation. One of the best ways to attack the problem is to use an independent consulting company to help determine the technical solution that fits your particular situation. If you go to Microsoft or Sun, they'll sell you the Microsoft or Sun solutions, respectively.

Since this is a relatively new field, don't be afraid to look at small boutique firms that specialize in this niche. Here in Dallas, I'm aware of at least two: Logic Trends and PathMaker.

© 2005 InterDimension Strategies Inc., M. A. “Ryan” Yuhas