Novell Security Solution Center

Compliance: The New Fact of IT Life

Regulatory compliance might not be the most exciting thing to spend your time thinking about, but it's a hot topic for good reason. 



Regulatory compliance isn't exactly a glamorous topic, but it is one that demands your attention. Organizations that fail to meet the applicable industry or government regulations face severe financial penalties or closure, and their officers may be liable for hefty fines or even imprisonment. Companies that fail to comply with regulations also suffer bad publicity, with a consequent loss of reputation, downward pressure on their share prices, and other companies unwilling to do business with them.

With corporate governance issues front and center in the wake of scandals like Enron and Tyco, compliance is quickly becoming an issue for most organizations as new regulations impact more and more companies. For example, all publicly traded companies in the U.S. must comply with the stringent financial reporting requirements of the Sarbanes-Oxley Act, which aims to establish monitoring capabilities to help ensure the integrity of corporate financial information and protect shareholders against fraud. Financial service organizations also have to contend with the Basel II regulations, companies doing business in the European Union need to comply with the European Data Protection Directive, and U.S. healthcare companies must comply with the Health Insurance Portability and Accountability Act (HIPAA). And so it goes on.

While the various regulations have different specific requirements, all involve the need to protect data, to ensure that access to data is restricted to those who need access to it, and to ensure that access events are monitored to provide an audit trail. In other words, most regulations include the need for three A's: Authentication, Authorization and Auditing.

An Ongoing IT Challenge
A major challenge that most organizations face is that regulatory compliance is not a single hurdle that has to be overcome once. It's a continuous process and has to be guaranteed and demonstrated over time. Many regulations also call for ongoing risk analysis and the development and enforcement of consistent security policies. Clearly, compliance is an issue that could cost a lot of time and money to tackle, so the real challenge for every organization is to formulate a strategy that ensures that any investments provide the best possible value for the money. Price should not be the only concern though; the right technology to support compliance can also have the additional effect of increasing information security, employee productivity and organizational agility.

Stop! Who Goes There?
One of the IT controls at the heart of many compliance initiatives is authentication - ensuring that users are properly identified and that these identities are validated before IT resources are accessed. This is typically done with a user name and password combination, although more stringent authentication based on smart cards or biometrics is becoming more commonplace. The problem for most users is that they are often given a separate user name and password for each individual application, which makes them difficult to keep track of. This is inherently insecure and a constant burden on the help desk.

For an organization faced with supporting compliance with regulations, this can also be a nightmare. With multiple passwords to manage for hundreds or even thousands of employees, and different systems administered by different staff in disparate locations, how can management be guaranteed that employees are accessing only applications they need? Furthermore, how can an IT department ensure that when an employee's role changes, access to applications that are no longer required for the job function are revoked? How can you ensure that security policies are enforced and adhered to consistently across the IT infrastructure, and that changes to access rights are tracked and logged to support reporting requirements for compliance?

The only practical way to address these issues is to make them more manageable. This calls for an integrated identity management solution that works across all the systems within an organization, wherever they may be physically located. When combined with access management, which controls access to systems, this provides a solid framework on which to build a strategy for complying with a broad range of regulations.

A comprehensive identity and access management foundation makes it easier to enforce consistent security policies and provides increased visibility into how resources are being used. When the role of an individual changes, his or her access rights can be modified automatically in real time. These changes are then automatically logged, ensuring continued and auditable IT controls to support compliance.

Not Just for Compliance
Controlling and managing access to applications and ensuring that changes can be carried out efficiently and quickly is not something that only helps with an organization's compliance efforts — it's also a good business practice. When access privileges can be changed easily and automatically propagated throughout the organization in real time, this has important productivity benefits for your employees and IT staff. It also has important security benefits as former employees can be locked out of all applications as soon as they leave the organization.
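The two preceding sections describe role-driven provisioning: when a role changes or an employee leaves, access rights are recomputed, propagated to each system, and every change is logged for audit. The following is an added illustration, not code from the article or from Novell; the role model, system names and HR "actor" are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed (hypothetical) role model: role -> set of (system, permission).
ROLE_ENTITLEMENTS = {
    "accounts_payable": {("erp", "invoice.approve"), ("erp", "vendor.read"),
                         ("mail", "mailbox")},
    "auditor": {("erp", "ledger.read"), ("mail", "mailbox")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True


@dataclass
class IdentityManager:
    granted: dict = field(default_factory=dict)  # user -> entitlements actually held
    audit_log: list = field(default_factory=list)

    def desired_entitlements(self, user):
        # A departed (inactive) user is entitled to nothing, whatever roles remain.
        if not user.active:
            return set()
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in user.roles))

    def reconcile(self, user, actor, reason):
        """Bring held entitlements in line with the role model and log each change.
        Returns (grants, revocations) so the outcome can be verified."""
        current = self.granted.get(user.name, set())
        desired = self.desired_entitlements(user)
        stamp = datetime.now(timezone.utc).isoformat()
        changes = ([("grant", e) for e in sorted(desired - current)]
                   + [("revoke", e) for e in sorted(current - desired)])
        for action, (system, perm) in changes:
            # One audit record per change: who, whom, what, where, why, when.
            self.audit_log.append({"ts": stamp, "actor": actor, "user": user.name,
                                   "action": action, "system": system,
                                   "permission": perm, "reason": reason})
        self.granted[user.name] = desired
        return (sum(a == "grant" for a, _ in changes),
                sum(a == "revoke" for a, _ in changes))


def demo():
    idm = IdentityManager()
    alice = User("alice", {"accounts_payable"})
    idm.reconcile(alice, "hr-feed", "hired")                  # 3 grants
    alice.roles = {"auditor"}
    moved = idm.reconcile(alice, "hr-feed", "role change")    # mailbox is kept
    alice.active = False
    left = idm.reconcile(alice, "hr-feed", "terminated")      # everything revoked
    return moved, left, idm.audit_log
```

Only the entitlements that differ between the old and new role are touched, and the departure case revokes everything in one pass, which is the "locked out of all applications" behaviour the article describes.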

Compliance is a big issue for many organizations, and not one that will be going away any time soon. Identity and access management provides the IT controls that are at the heart of any effective compliance policy.

Paul Rubens is a regular contributor to JupiterWeb's internet.com and EarthWeb.com networks.