Managing Cloud Applications Among The Business Regulations

Cloud applications must be managed in a way that complies with the many different regulations and standards that apply in the United States. As more businesses in every industry implement cloud applications, they need a way to ensure compliance. Some of these regulations and frameworks include the Health Insurance Portability and Accountability Act (HIPAA), the Control Objectives for Information and Related Technology (COBIT) and the Sarbanes-Oxley Act (SOX).

Each of these requires businesses to maintain certain standards within their organizations, including protection of data and full disclosure. While organizations might know how to handle compliance for in-house applications, how do leaders handle cloud applications? What, if anything, changes?

Managing Cloud Applications

There are several important compliance requirements that businesses must follow depending on their industry. For example, in the healthcare industry, HIPAA governs the use and disclosure of patient data, requires healthcare organizations to have the correct security measures in place to protect that data, and requires a complete audit trail of all users at an organization. HIPAA compliance also states that upon termination, the company must have processes in place to revoke access to systems and applications. SOX, a standard for general business, also requires that all information about users' actions be recorded, including document and data access, password changes, logins and logouts, and any changes made. Still another, COBIT, which is published by the IT Governance Institute, provides "a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users and IS audit control and security practitioners." These are only a few of the many different rules and compliance regulations that organizations need to follow.

All of these can be extremely time consuming, confusing and difficult to achieve. This is especially true when an organization implements many different cloud applications: managing each of them in accordance with the compliance rules becomes difficult.

Many organizations implement identity and access management (IAM) solutions to keep data secure and to ensure that these standards are met. Many IAM solutions work with both in-house and cloud applications, so that the overall process can be managed from one place rather than through several different solutions. How does this work?

Ensuring Security and Correct Access Rights

When dealing with many different cloud applications, it is common for a user's access rights to be incorrect. Either they were set incorrectly when the employee's account was first created, or the employee accumulated rights they should not have over their time with the organization. Either way, this can be a major compliance issue.

One way that an IAM solution combats this is by ensuring that access is correct from the beginning. Since setting up employee accounts in all applications, including cloud applications, is time consuming, human resources or the account admin often uses a template account or copies the account of an employee with a similar position. This frequently leaves the new employee with rights they should not have. With an IAM solution, an access profile can instead be defined for each role within the organization. For example, an in-house employee working as an assistant in the finance department has a specific set of rights that they are supposed to have. When the employee is added to the source system, their access rights and accounts in each application are automatically generated and set up according to their role. An email can then be sent to their manager listing all of their access rights and accounts. If anything is incorrect, the manager can easily edit the employee's account.
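The role-based provisioning described above, as an added illustration rather than code from the author or from Tools4ever's products: a constructed role catalogue maps a role to the accounts and rights it should receive, a record from the source (HR) system is turned into those accounts, the manager notification is generated, and a comparison shows the excess rights that copying a colleague's account would have introduced. The role names, applications and rights are all assumptions made for the example.

```python
from dataclasses import dataclass

# Hypothetical role catalogue: role name -> {application: set of rights}.
# Constructed for this example; an IAM product would load this from its own
# role model and the connected applications.
ROLE_PROFILES = {
    "finance-assistant": {
        "erp": {"view_invoices", "create_invoice"},
        "email": {"mailbox"},
        "expense-cloud": {"submit_expense"},
    },
    "finance-manager": {
        "erp": {"view_invoices", "create_invoice", "approve_invoice"},
        "email": {"mailbox"},
        "expense-cloud": {"submit_expense", "approve_expense"},
    },
}


@dataclass
class SourceRecord:
    """Employee record as it would arrive from the HR / source system (constructed)."""
    employee_id: str
    name: str
    role: str
    manager_email: str


def provision(record):
    """Derive the accounts and rights an employee should have purely from their role."""
    try:
        profile = ROLE_PROFILES[record.role]
    except KeyError:
        # An unknown role must never silently provision nothing or everything.
        raise ValueError(f"no access profile for role {record.role!r}")
    # Copy the sets so later per-user edits do not change the role catalogue itself.
    return {app: set(rights) for app, rights in profile.items()}


def manager_notification(record, accounts):
    """Text of the e-mail sent to the manager listing the generated access."""
    lines = [f"Accounts created for {record.name} ({record.employee_id}), role {record.role}:"]
    for app in sorted(accounts):
        lines.append(f"  {app}: {', '.join(sorted(accounts[app]))}")
    return "\n".join(lines)


def excess_rights(actual, expected):
    """Rights present on an account but absent from the role profile.

    This is what a review finds when an account was cloned from a template or
    from a colleague in a more senior position.
    """
    excess = {}
    for app, rights in actual.items():
        extra = rights - expected.get(app, set())
        if extra:
            excess[app] = extra
    return excess


if __name__ == "__main__":
    new_hire = SourceRecord("E1042", "Ann Example", "finance-assistant", "manager@example.invalid")
    accounts = provision(new_hire)
    print(manager_notification(new_hire, accounts))
    # Constructed comparison: what cloning a finance manager's account would have granted.
    cloned = provision(SourceRecord("E0007", "Template", "finance-manager", "manager@example.invalid"))
    print("excess rights from cloning:", excess_rights(cloned, accounts))
```

The `excess_rights` comparison is the same check an IAM reconciliation run performs against every connected application: whatever is on the account but not in the role profile is either a pending manager edit or an accumulation that needs to be removed.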

IAM Workflow

Another compliance issue is that employees often gain incorrect rights over time. Either they request access from someone who is not authorized to grant it, or they are lent someone else's credentials. This situation can be prevented with an IAM workflow. The organization sets up a workflow so that only the authorized managers can grant access to secure applications. For example, if an employee needs access to a particular secure application for a project, they make the request through a portal. The request is then routed to the appropriate manager, who can either approve or deny it. If needed, several levels of approval can be required. This ensures that only the correct authorized people are granting access rights.

Many companies still run this procedure as an entirely paper-driven process, and at every SOX audit the IT department spends weeks digging through the papers with the auditor. With an automated workflow system, every grant of access is traceable and documented in the identity and access management solution, so that when audit time comes there is an electronic paper trail. If needed, the solution can also generate an overview of all users and the rights they hold in the organization. This lets the organization see exactly who has access to what, and what changes were made in the network.

Lastly, an automated account management solution ensures that access in all applications is revoked once the employee leaves the organization, which is a requirement of many compliance regulations. A manager simply disables the account in the source system and all connected accounts are automatically disabled. This ensures that the former employee can no longer access the organization's network, and that the removal is not accidentally overlooked.
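The multi-level approval workflow and the electronic paper trail from the two preceding sections, shown in one added example (not the author's or Tools4ever's code). The approval chain, the group memberships and the user names are constructed for the illustration. Only a member of the group authorized for the current approval level can decide a request, nobody can approve their own request, every event (including attempts by unauthorized approvers) lands in an append-only audit log, and an overview of who holds access to what can be produced for the auditor at any time.

```python
import json
from datetime import datetime, timezone

# Constructed approval policy: application -> ordered list of approver groups.
# Every level must approve before the next one is consulted.
APPROVAL_CHAIN = {
    "payroll-cloud": ["finance-managers", "security-officers"],  # two levels
    "wiki": ["team-leads"],                                       # one level
}

# Constructed group membership, as an IAM solution would sync from its directory.
GROUPS = {
    "finance-managers": {"bob"},
    "security-officers": {"carol"},
    "team-leads": {"bob", "dave"},
}


class AccessRequestWorkflow:
    def __init__(self):
        self.requests = {}      # request id -> state
        self.audit_log = []     # append-only list of events: the electronic paper trail
        self.entitlements = {}  # user -> set of applications they may access
        self._next_id = 1

    def _record(self, event, **details):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **details}
        self.audit_log.append(entry)
        return entry

    def submit(self, requester, application):
        """Employee files a request through the portal."""
        if application not in APPROVAL_CHAIN:
            raise ValueError(f"unknown application {application!r}")
        rid = f"REQ-{self._next_id}"
        self._next_id += 1
        self.requests[rid] = {"requester": requester, "application": application,
                              "level": 0, "status": "pending"}
        self._record("submitted", request=rid, requester=requester, application=application)
        return rid

    def decide(self, rid, approver, approve):
        """Approve or deny the current level; returns the request status afterwards."""
        req = self.requests[rid]
        if req["status"] != "pending":
            raise ValueError(f"{rid} already {req['status']}")
        required_group = APPROVAL_CHAIN[req["application"]][req["level"]]
        # Only members of the group authorized for this level may decide, and the
        # attempt is logged either way so the auditor sees who tried.
        if approver not in GROUPS[required_group]:
            self._record("rejected_approver", request=rid, approver=approver, needed=required_group)
            raise PermissionError(f"{approver} is not in {required_group}")
        if approver == req["requester"]:
            self._record("rejected_approver", request=rid, approver=approver, needed="not requester")
            raise PermissionError("requester may not approve their own request")
        self._record("decision", request=rid, approver=approver, level=req["level"], approved=approve)
        if not approve:
            req["status"] = "denied"
            return req["status"]
        req["level"] += 1
        if req["level"] == len(APPROVAL_CHAIN[req["application"]]):
            req["status"] = "granted"
            self.entitlements.setdefault(req["requester"], set()).add(req["application"])
            self._record("granted", request=rid, user=req["requester"], application=req["application"])
        return req["status"]

    def overview(self):
        """Who has access to what, in the form an auditor would ask for."""
        return {user: sorted(apps) for user, apps in sorted(self.entitlements.items())}


if __name__ == "__main__":
    wf = AccessRequestWorkflow()
    rid = wf.submit("alice", "payroll-cloud")
    print(wf.decide(rid, "bob", True))    # first level approved, still pending
    print(wf.decide(rid, "carol", True))  # second level approved, now granted
    print(wf.overview())
    for entry in wf.audit_log:            # one JSON line per event
        print(json.dumps(entry))
```

In a real deployment the audit log would be written to append-only storage outside the workflow engine, so that an administrator who can change entitlements cannot also rewrite the trail that records the change.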
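The leaver process in the paragraph above, as an added example that is not part of the original article or of any vendor's product: a constructed source system fans a single disable action out to every connected application through minimal stand-in connectors, and an orphaned-account check reports any application account that is still active although its identity is disabled in, or unknown to, the source system. That check is what catches the account that was created directly in an application outside the IAM process, or a disable that failed to propagate.

```python
class Connector:
    """Minimal stand-in for an IAM connector to one application (constructed)."""

    def __init__(self, name):
        self.name = name
        self.accounts = {}  # login -> enabled flag

    def create(self, login):
        self.accounts[login] = True

    def disable(self, login):
        # Disabling rather than deleting keeps the account's history for the audit trail.
        if login in self.accounts:
            self.accounts[login] = False

    def active_logins(self):
        return {login for login, enabled in self.accounts.items() if enabled}


class SourceSystem:
    """The authoritative identity store (HR system or directory) driving all connectors."""

    def __init__(self, connectors):
        self.identities = {}  # login -> enabled flag
        self.connectors = connectors

    def onboard(self, login):
        self.identities[login] = True
        for connector in self.connectors:
            connector.create(login)

    def disable(self, login):
        """The manager disables the identity once; every connected account follows."""
        self.identities[login] = False
        for connector in self.connectors:
            connector.disable(login)

    def orphaned_accounts(self):
        """Compliance check: active application accounts whose identity is disabled or unknown.

        Returns sorted (application, login) pairs so the result is stable for reporting.
        """
        orphans = []
        for connector in self.connectors:
            for login in connector.active_logins():
                if not self.identities.get(login, False):
                    orphans.append((connector.name, login))
        return sorted(orphans)


if __name__ == "__main__":
    apps = [Connector("erp"), Connector("email"), Connector("expense-cloud")]
    source = SourceSystem(apps)
    source.onboard("alice")
    source.onboard("bob")
    source.disable("alice")                 # leaver: one action in the source system
    print("orphans after leaver:", source.orphaned_accounts())
    apps[0].create("temp-contractor")       # constructed: account made directly in the ERP
    print("orphans after out-of-band account:", source.orphaned_accounts())
```

Running `orphaned_accounts` on a schedule, and treating a non-empty result as a finding, is the simplest way to turn the "revoke access on termination" requirement into something that is verified rather than assumed.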

Segregation of Responsibility

Another compliance issue is segregation of duties, sometimes called role collision. One aspect of SOX compliance requires that certain tasks cannot be performed by one and the same person. For example, an order may be placed by person X, but it should be validated by person Y. Whenever two such conflicting authorizations would be granted to the same user, the system automatically blocks the grant or alerts a manager. This ensures that the SOX requirement is easily met.

All of these IAM tasks can be handled entirely through a portal in the cloud. So an employee who works remotely with only cloud applications can still benefit, and the organization can still easily manage that user's account. The same is true for managers, who can approve or deny requests from anywhere at any time. Many IAM solutions work with both in-house and cloud applications, so that the organization can be sure it is managing all of its applications efficiently and in accordance with the compliance rules.
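The segregation-of-duties check from the paragraph above, as an added example (not the author's or any vendor's implementation). The rule table is constructed: each rule names a pair of entitlements that must not be held by one person and whether a collision is blocked outright or allowed with an alert to a manager. The example shows the order-placement versus order-approval case from the text, plus a periodic report that finds users who already hold both halves of a rule, which is what an auditor will ask for.

```python
# Constructed segregation-of-duties rules. Each entitlement is "application:right";
# each rule is (conflicting pair, action when one user would hold both).
SOD_RULES = [
    ({"erp:create_order", "erp:approve_order"}, "block"),    # person X places, person Y validates
    ({"erp:create_vendor", "erp:pay_vendor"}, "block"),
    ({"hr:edit_salary", "payroll:run_payroll"}, "alert"),    # allowed, but a manager is notified
]


def sod_conflicts(held, candidate):
    """Rules violated if `candidate` is added to the set `held`, as [(other_right, action)]."""
    hits = []
    for pair, action in SOD_RULES:
        if candidate in pair:
            other = next(right for right in pair if right != candidate)
            if other in held:
                hits.append((other, action))
    return hits


def grant(entitlements, user, right, alerts):
    """Try to grant `right` to `user`.

    Returns True if the right was added. A blocking conflict leaves the user's
    rights unchanged; an alerting conflict adds the right but records an alert
    for the manager. `alerts` is the list the alert records are appended to.
    """
    held = entitlements.setdefault(user, set())
    hits = sod_conflicts(held, right)
    blocking = [other for other, action in hits if action == "block"]
    if blocking:
        alerts.append({"user": user, "right": right, "conflicts": blocking, "action": "blocked"})
        return False
    for other, _ in hits:
        alerts.append({"user": user, "right": right, "conflicts": [other], "action": "alert"})
    held.add(right)
    return True


def sod_report(entitlements):
    """Periodic review: every user currently holding both halves of a rule."""
    findings = []
    for user, held in sorted(entitlements.items()):
        for pair, action in SOD_RULES:
            if pair <= held:
                findings.append((user, tuple(sorted(pair)), action))
    return findings


if __name__ == "__main__":
    entitlements = {"x": {"erp:create_order"}}
    alerts = []
    print(grant(entitlements, "x", "erp:approve_order", alerts))   # False: blocked
    print(grant(entitlements, "x", "hr:edit_salary", alerts))      # True
    print(grant(entitlements, "x", "payroll:run_payroll", alerts)) # True, with an alert
    print(alerts)
    # Constructed snapshot with a pre-existing collision, e.g. from an account cloned before the rules existed.
    print(sod_report({"y": {"erp:create_vendor", "erp:pay_vendor", "wiki:read"}}))
```

The report matters as much as the grant-time check: rules are usually introduced after accounts already exist, so the first run of `sod_report` over a real entitlement snapshot is typically where the accumulated collisions from template-copied accounts show up.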

By Dean Wiech

Dean Wiech is managing director at Tools4ever US. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as user provisioning, role-based access control, password management, single sign on and access management solutions.
