Best Practices in Identity and Access Management (I&AM) for Regulatory Compliance. RSA Security and Accenture February 26, :00 AM

Transcription

1 Best Practices in Identity and Access Management (I&AM) for Regulatory Compliance RSA Security and Accenture February 26, :00 AM

2 Agenda Laura Robinson, Industry Analyst, RSA Security Definition of Identity and Access Management (I&AM) Overview of Regulations Requirements Addressed by I&AM Sharon Dietz, Senior Manager, Accenture Best Practices in Identity and Access Management: A Global Approach

3 Definition of Identity and Access Management (I&AM) The people, processes and technologies dedicated to creating, managing and revoking digital identities, as well as developing and enforcing policies governing authentication and access to information systems both inside and outside the enterprise.

4 Overview of Regulations US SOX (public) GLB (finance) HIPAA (healthcare) EU 21 CFR Part 11 (life sciences) Annex 11 (life sciences) I&AM provides an effective way to address many of the regulations requirements Data Protection Directive (general) Japan Data Protection Law (general)

5 US: Sarbanes-Oxley (SOX) Public Company Accounting Reform and Investor Protection Act Applies to public companies Compliance begins June 2004 but will be on-going Section 302 : certify accuracy of financial statements Section 404: perform annual assessment of internal controls over financial reporting and obtain attestation from external auditors COSO* framework referenced Sources for specific IT controls: CobiT**,ISO 17799, NIST Requirements (CobiT) addressed by I&AM include: Authentication, access controls, user account management, credential lifecycle management, and audit controls *Committee of Sponsoring Organizations of Treadway Commission **Control objectives for information and related technology (IT Governance Institute)

6 US: Gramm - Leach - Bliley (GLB) Financial Services Modernization Act Applies to all financial institutions regulated by OCC Compliance began July 2001 Mandates the protection of consumer financial information Requires the establishment of Administrative, Physical and Technical safeguards to protect the security, confidentiality and integrity of consumer financial information Requirements that can be addressed by I&AM include: Authentication, access controls, and audit controls * Office of the Comptroller of the Currency

7 US: HIPAA Privacy and Security Regulations Health Insurance Portability and Accountability Act Applies to all healthcare providers, payers, and clearinghouses HIPAA Privacy Rule Covers privacy rights; uses and disclosures of protected health information (PHI) Compliance deadline was April 14, 2003 HIPAA Security Rule Sets standards for Administrative, Physical and Technical safeguards Compliance deadline is April 21, 2005 Requirements that can be addressed by I&AM include: Privacy: minimum necessary provisions: RBAC Security: authentication, access controls, audit controls

8 US: 21 CFR Part 11 Electronic records; electronic signatures Applies to all organizations regulated by the FDA* (pharmaceutical, biotech, medical devices, food, cosmetics) Original compliance deadline of 1997 Released Final Guidance for Industry August 2003 Re-examination of Part 11: narrowed the scope Enforcement discretion for some provisions Requirements that can be addressed by I&AM include: Procedures and controls designed to ensure the authenticity, integrity, and confidentiality of electronic records including limiting system access to authorized individuals *Food and Drug Administration

9 EU: Annex 11 Computerized Systems Directives for GMP Applies to all organizations producing medicinal products Adopted in 1998 Part of the Directives for Good Manufacturing Practices (GMP) Central considerations are that records are accurate, protected against loss or damage or unauthorized alteration; and there is a clear and accurate audit trail Requirements that can be addressed by I&AM include: Data only entered or amended by authorized persons; access control; credential lifecycle management; logging unauthorized attempts; recording identity of operators; authority checks; and audit trails

10 EU: 95/46/EC Data Protection Directive European Union (EU) harmonized level of adequate data protection Council of EU adopted in October 1995 Includes Conditions for processing of personal data Individual s rights and organization s obligations for notification Confidentiality and security of processing Provisions for transfer to third country: US Safe Habor Arrangement Requirements that can be addressed by I&AM include: Measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access

11 Japan: Data Protection Directive Applies to private companies which handle personal information Media and writers exempt Compliance (enforcement and penalties) is May 2005 Basic principals came in affect as of enactment in May 2003 To be followed by specific legislation for healthcare, finance and telecom industries Obligations include: specify purposes for which data will be used and notify individual that data has been acquired Requirements that can be addressed by I&AM include: Safe-keep personal data against loss, system failure and leakage i.e. unauthorized disclosures

12 Regulations: Common Threads Requirements that can be addressed by I&AM include: Authentication Access controls Audit controls Do risk analysis Develop and enforce security policy Use best practices

13 I&AM Solutions for Regulatory Compliance Regulations define required services that I&AM provides: Identity Management Access Management Building blocks to provide the services needed for specific business requirements Diverse global regulations require centralized, policy driven model with local flexibility I&AM is just part of an overall solution for regulatory compliance

14 I&AM Framework Technology is only a part of an I&AM solution. Understanding the transformational nature of the processes and aligning the solution with the people in the organization is critical to the success of the I&AM solution. Intranet People Permissions Model Responsibility Changes Organizational Changes Training I&AM Technology Access Control Identity Management Provisioning Process Enterprise Directories Permission Management Compliance Monitoring Self & Delegated Administration Application Security Management Resource Provisioning Internet ERP CRM Supply Chain Physical Asset

15 I&AM Framework - Process People Process I&AM Technology I&AM solutions transform the existing business processes that support the management of identities in the environment. Where possible, manual processes are automated and IT processes are simplified or distributed to the business owners. Compliance Monitoring HR Accounts Partners Others Identity Management Self Administration Delegated Administration Resource Mgmt Application Security Management Resource Provisioning Permission Management

16 I&AM Framework - People People Process I&AM Technology Permissions Model Responsibility Changes Initial Organization Help Desk HR Dept. Reduced Help Desk Responsibility Financial Dept. Marketing Dept. New Organization HR Dept. Financial Dept. Marketing Dept. I&AM Organizational Changes Training Employees Customers and Partners Security Admin for each app. Employees Customers and Partners Central Security Admin Self & Delegated Admin by all users

17 I&AM Framework - Technology The key technologies of I&AM include Identity Management, Access Control, Provisioning and Directories. People Process I&AM Technology Applications Users Web Services Federated Identities Employees (Int/Ext) Customers Business Partners Authorization Authentication Access Control Applications Resources Others Data Platforms Identity Management Registration Enrollment Self Services Delegated Administration Supporting Security Technologies Provisioning Workflow Application Integration Identity & Policy Repositories Meta-Directory Services Policy & Audit Database Directories ID Sources Partner DB Customers DB HRDB Public Key Infrastructure (PKI), strong authentication, hardware tokens, smart cards, biometrics, encryption algorithms, etc

18 Solution Principles Deploy an enterprise-wide unified identity management solution supporting all user types, all IT domains and all modes of administration (centralized, delegated and self-help) through a phased delivery plan. Automate the administration of the maximum number of tasks Incrementally integrate the target systems and applications into the solution, thus minimizing the need for separate administrations Link with master sources of identity information and propagate changes automatically Provide all user- and administrator-facing identity management services over a web interface for access ubiquity Support centralized control of access policies and extensive central auditing and reporting of all administrative events Support workflows for managing the approval of access rights Deliver the solution via market-proven software packages, minimizing in-house development

19 Success Factors A successful identity and access management implementation requires a strategic vision, coupled with a strong knowledge of the business and application environments. Realize the strategic nature of identity management, and assess its impact on the organization Focus on processes and people, technology is only an enabler Define explicit security policies that drive the definition of rules and workflows Invest in defining a comprehensive and workable role and entitlements model Obtain strong upper management support and buy-in by all those impacted by the process re-engineering Get developers on board early on for integration with consolidated authentication, authorization and identity services Put in place a comprehensive change management and communication plan Follow a phased approach for the integration of target systems and to support different types of users Select the core identity and access management software carefully, based on a requirements analysis

20 Questions? For more information contact: Laura Robinson, Industry Analyst, RSA Security Sharon Dietz, Senior Manager, Accenture