IDM a Good First Step Towards SOX Compliance

While there is no magic bullet for Sarbanes Oxley (SOX) compliance, identity and access management (IDM) suites can take you a long way towards that goal.

Once thought too unwieldy to implement, a perception left over from early failures in single sign-on (SSO), which is just one aspect of IDM, today's IDM suites are easier to deploy and bundle a wide range of SOX-friendly capabilities: authentication, authorization, segregation of duties (SoD) monitoring, role and responsibility management, event logging and, of course, SSO on the front end, to name a few.

“I agree … that it is not a silver bullet,” said David Coker, an IT security manager at Horn, Murdock & Cole, a business and IT consultancy, “however it is definitely a foundation. Obviously, the key for SOX is accountability and you can’t have accountability if you don’t know who did what.”

Coupled with strong reporting and a real effort on the part of IT to rationalize the number of applications across the enterprise, IDM (also called IAM, identity and access management) can and does take a big bite out of SOX, said Sean Karcklauer, a senior director with the Hackett Group.

Taken in isolation, an IDM suite helps with SOX by giving auditors a single trail to follow when tracking down who has access to which applications and whether that access creates a conflict of interest, which is the segregation of duties issue. But to get the most out of IDM and other SOX-related application suites, they have to be coupled with an enterprise-wide effort to rein in sprawling infrastructures, systems and applications.

“You’ve got to have very strong configuration management, you’ve got to have very strong change management practices … the physical security piece of your technology environment; that’s all very important,” said Forrester’s Mike Rasmussan, vice president of Enterprise Risk and Compliance Management.

Companies should also seek to reduce the number of control points in their infrastructure and systems, agreed David Hebert, a senior director with Hackett.

“Anyone who has more than a thousand (controls),” said Karcklauer, “that’s probably a good place in terms of assisting them in cutting down on their SOX efforts going forward.”

To look at IDM as just another tool would be to miss the larger implications, said Oracle's Wynn White, a senior director in the company's Technology Marketing division. SOX is about governance, not technology. The technology is there only to support the larger governance effort: to codify it, automate it, and make it transparent, traceable and, perhaps most importantly, repeatable.

“IDM, if you look at the roots to it … it really is one of those technologies that provides a framework to enforce greater governance over not only the access to your applications but the user privileges and their authentication and their capacities,” he said.

“It provides a mechanism to deliver greater governance and greater control over your environment. And it’s just happened to have coincided with this resurgence of increased regulation.”

According to Gartner, White's observations are right on the money, and literally so. In a March report, Gartner noted that the SoD requirement under SOX Section 404 will drive IDM adoption up 60% by 2007.

Six components make up the core of most IDM offerings, according to Toffer Winslow, a director of product management at RSA Security:

  • Authentication that verifies you are who you claim to be.
  • Authorization controls that govern what you can see and use.
  • A provisioning engine to push identity information out to all the applications on the network.
  • An integration engine to interface with the network and application front ends.
  • Management of roles and responsibilities to deal with SoD issues.
  • Integration with user databases and directories for the management of employees.

“What these solutions can do is facilitate and automate your attempts to be in compliance,” said Winslow. “By itself and/(or) implemented incorrectly it’s not going to guarantee compliance but, when implemented correctly and done in conjunction with another set of security best practices, it’s a very strong foundation.”
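The segregation of duties check that the article keeps returning to (the "conflict of interest with that access" an auditor traces, and the roles-and-responsibilities component in Winslow's list) is simple enough to show end to end. The following is an added example, not code from any IDM suite or vendor named in this article: a role-based model in which roles grant entitlements, toxic combinations of entitlements are declared as rules, and user-to-role assignments are checked both after the fact (the auditor's trail) and before a new role is provisioned (the "watch-dog" gate). Every role, entitlement, rule and user below is constructed for the example.

```python
"""Segregation-of-duties (SoD) check over a role-based access model.

Added illustration for this article; it is not code from any IDM suite or
vendor named here. All roles, entitlements, rules and users are constructed.
"""
from collections import defaultdict

# Constructed role -> entitlement mapping (what each role lets its holder do).
ROLE_ENTITLEMENTS = {
    "ap_clerk":      {"vendor.create", "invoice.enter"},
    "ap_supervisor": {"invoice.approve", "payment.release"},
    "gl_accountant": {"journal.post"},
    "gl_reviewer":   {"journal.approve"},
    "app_developer": {"code.deploy"},
    "prod_dba":      {"db.prod.write"},
    "auditor":       {"ledger.read", "invoice.read"},
}

# Constructed toxic combinations: a user holding both entitlements of a pair
# can complete a transaction alone, which is the SoD conflict an auditor looks for.
SOD_RULES = [
    ("vendor.create", "payment.release", "create a vendor and release payment to it"),
    ("invoice.enter", "invoice.approve", "enter and approve the same invoice"),
    ("journal.post", "journal.approve", "post and approve journal entries"),
    ("code.deploy", "db.prod.write", "deploy code and alter production data"),
]

# Constructed user -> role assignments (what a provisioning engine would push out).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_clerk", "ap_supervisor"},     # creates vendors and pays them
    "carol": {"gl_accountant", "gl_reviewer"},  # posts and approves journals
    "dave":  {"app_developer"},
    "erin":  {"auditor"},
}


def effective_entitlements(roles, role_ents=ROLE_ENTITLEMENTS):
    """Flatten a set of roles into entitlement -> {roles that grant it}.
    Keeping the granting roles is what lets a finding be traced back to the
    assignment that caused it instead of just reporting 'conflict'."""
    granted_by = defaultdict(set)
    for role in roles:
        for ent in role_ents.get(role, ()):
            granted_by[ent].add(role)
    return granted_by


def find_conflicts(roles, rules=SOD_RULES, role_ents=ROLE_ENTITLEMENTS):
    """Return one finding per violated rule for a given set of roles."""
    ents = effective_entitlements(roles, role_ents)
    findings = []
    for left, right, description in rules:
        if left in ents and right in ents:
            findings.append({
                "rule": description,
                "via": {left: sorted(ents[left]), right: sorted(ents[right])},
            })
    return findings


def sod_report(user_roles=USER_ROLES, rules=SOD_RULES, role_ents=ROLE_ENTITLEMENTS):
    """Detective control: scan every user and return {user: [findings]} for
    those in conflict. This is the trail an auditor follows: who, which rule,
    and which roles supplied each side of the toxic pair."""
    report = {}
    for user in sorted(user_roles):
        findings = find_conflicts(user_roles[user], rules, role_ents)
        if findings:
            report[user] = findings
    return report


def check_assignment(user, new_role, user_roles=USER_ROLES, rules=SOD_RULES,
                     role_ents=ROLE_ENTITLEMENTS):
    """Preventive control: the conflicts that adding `new_role` to `user` would
    introduce beyond any the user already has. A provisioning workflow can
    refuse the request, or route it for approval, when this is non-empty."""
    current = user_roles.get(user, set())
    before = {f["rule"] for f in find_conflicts(current, rules, role_ents)}
    after = find_conflicts(current | {new_role}, rules, role_ents)
    return [f for f in after if f["rule"] not in before]


def who_can(entitlement, user_roles=USER_ROLES, role_ents=ROLE_ENTITLEMENTS):
    """Reverse lookup for the 'who has access to what' question: the users
    holding an entitlement and the roles through which they hold it."""
    holders = {}
    for user, roles in user_roles.items():
        ents = effective_entitlements(roles, role_ents)
        if entitlement in ents:
            holders[user] = sorted(ents[entitlement])
    return holders


if __name__ == "__main__":
    for user, findings in sod_report().items():
        for f in findings:
            print(f"{user}: can {f['rule']} via {f['via']}")
    print("dave + prod_dba would add:", check_assignment("dave", "prod_dba"))
    print("payment.release held by:", who_can("payment.release"))
```

Two design points carry over to real deployments: findings record the granting role, not just the entitlement, because the remediation is a role change; and the preventive check reports only conflicts the new role would introduce, so a user who is already in violation is not silently waved through while an unrelated request is blocked.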