Dean Weich

Managing Cloud Applications Among The Business Regulations

Managing  Cloud Business Regulations

Cloud applications must be managed in a way that complies with the many different government standards in the United States. As more cloud applications are being implemented in businesses of every industry, companies need a way to ensure compliance. Some of these regulations include the Health Insurance Portability and Accountability Act (HIPPA), the Control Objectives for Information and Related Technology (COBIT) and Sarbanes Oxley Act (SOX).

These each require businesses to ensure certain standards within their organizations, including protection of data and full disclosure. While organizations might know how to handle compliance for in-house applications, how do leaders handle cloud applications? What, if anything changes?

Managing Cloud Applications

healthcare

There are several important compliance requirements that businesses are required to follow depending on which industry they are in. For example, for the healthcare industry, HIPAA protects the use and disclosure of patient data and ensures that healthcare organizations have the correct security measures in place to protect patient data, as well as requiring a complete audit trail of all users at an organization. HIPAA compliance also states that upon termination, the company must have processes in place to revoke access to systems and applications. SOX is another standard for general business that also requires all information about user’s actions, including document/data access, password changes, logins and logouts and any changes made to be recorded. Still another, COBIT, which is published by the IT Governance Institute provides “a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users and IS audit control and security practitioners.” These are only a few of the many different rules and compliance regulations which organizations need to follow.

All of these can be extremely time consuming, confusing, and difficult to easily achieve. Especially when organizations start to implement many different cloud applications at their company it can be difficult to manage them in accordance with compliance rules.

Many organizations implement identity and access management (IAM) solutions that ensure that data is easily secure and that these standards are met. Many IAM solutions work seamlessly with both in house and cloud applications so that the overall process can be managed effectively without several different solutions to ensure correct compliance. How does this work?

Ensuring Security and Correct Access Rights

When dealing with many different cloud applications, it is common for access rights for a user to be incorrect. This is either from being set incorrectly from the beginning when the employees account was set up, or during their time with the organization they acquired incorrect access rights over time, which can be a major compliance issue.

security-community

(Image Source: Shutterstock)

One way that an IAM solution combats this is by ensuring that access is correct from the beginning. Since setting up employee accounts in all applications, including cloud applications is time consuming, human resources or the account admin often uses a template account or copy an account of an employee with a similar position. This then leads to the employee often accumulating rights which they should not have. Depending on the different roles within the organization, a certain access profile can be set with an IAM solution. For example, an in-house employee working as an assistant in the finance department will have a certain set of rights that they are supposed to have. When the employee is added to the source system, depending on their role, their access rights and accounts in each application are automatically generated and set up for them. An email can then be sent to their manager with all of their access rights and accounts. If for any reason this is incorrect the manager can then easily edit the employees account.

IAM Workflow

Another compliance issue is that often the employee gains incorrect rights over time. Either they request access from someone who does not have the authorization to give it or they are lent someone’s credentials. This situation can be prevented with an IAM workflow. A workflow can be set up by the organization so that only the correct authorized managers can give access to secure applications. For example, if an employee needs access to a certain secure application for a project they can easily make the request through a portal. The request is then sent to the appropriate manager, who can either accept or deny the request. If needed, there can also be several levels of approval required. This ensures that only the correct authorized people are giving access rights.

security2-workflow

(Image source: http://www.isaca.org)

Many companies complete this procedure with an entirely paper-driven processes and each time at a SOX audit, the IT department would spend weeks of digging through the papers with the auditor. With an automated workflow system, all granting of access is traceable and documented in the identity and access management solution, so that when it comes to audit time there is an electronic paper trail. If needed, the solution can also generate an overview of all users and the rights which they have in the organization. This allows the organization to see exactly who has access to what and any changes that they made in the network.

Lastly, an automated account management solution ensures that access in all applications is revoked once the employee is no longer with the organization, which as a requirement of many compliance regulations. A manager simply disables the account in the source system and all connected accounts are automatically disabled. This ensures that the employee can no longer access the organizations network, and that removal is not accidentally overlooked.

Segregation of Responsibility

Another compliance issue is segregation of duty or role collision. One aspect of SOX compliancy requires that certain tasks cannot be performed by one and the same person. For example, an order may be placed by person X but this should be validated by person Y. If this happens the system will automatically block or alert a manager whenever two of such authorizations are being granted to one and the same user. This ensures that SOX is easily met.

All of these IAM tasks can be handled completely in a portal in the cloud. So, an employee who works remotely with only cloud applications can still benefit and the organization can still easily manage that users account. This is the same for managers, as they can accept or deny requests for anywhere at any time. Many IAM solutions work seamlessly with both in house and cloud applications so that the organization can easily ensure they are efficiently managing all applications and are in accordance with compliance rules.

By Dean Wiech

Dean Wiech

Dean Wiech is managing director at Tools4ever US. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as user provisioning, role-based access control, password management, single sign on and access management solutions.

View Website

CONTRIBUTORS

Three Reasons Cloud Adoption Can Close The Federal Government’s Tech Gap

Three Reasons Cloud Adoption Can Close The Federal Government’s Tech Gap

Federal Government Cloud Adoption No one has ever accused the U.S. government of being technologically savvy. Aging software, systems and processes, ...
Ransomware's Great Lessons

Ransomware’s Great Lessons

Ransomware The vision is chilling. It's another busy day. An employee arrives and logs on to the network only to ...
GDPR Compliance: A Network Perspective

GDPR Compliance: A Network Perspective

GDPR Compliance Regulations can be a tricky thing. For the most part, they’re well thought out in terms of mandating ...
Cloud Migration Strategies and Their Impact on Security and Governance

Cloud Migration Strategies and Their Impact on Security and Governance

Cloud Migration Strategies Public cloud migrations come in different shapes and sizes, but I see three major approaches. Each of ...
Having Your Cybersecurity And Eating It Too

Having Your Cybersecurity And Eating It Too

The Catch 22 The very same year Marc Andreessen famously said that software was eating the world, the Chief Information ...
Part 2 - Identity Assurance by Our Own Volition and Memory

Part 2 – Identity Assurance by Our Own Volition and Memory

Identity Assurance by Our Own Volition and Memory We believe that the reliable identity assurance (See part 1) must be ...
The Fully Aware, Hybrid-Cloud Approach

The Fully Aware, Hybrid-Cloud Approach

Hybrid-Cloud Approach For over 20 years, organizations have been attempting to secure their networks and protect their data. However, have ...
The New Kids On The Block: Data Protection Officers

The New Kids On The Block: Data Protection Officers

Data Protection Officers The General Data Protection Regulation (GDPR) is officially here. Yet, organizations are still unaware, are ignoring, or ...
Data Privacy Day (Cue The Parade)!

Data Privacy Day (Cue The Parade)!

Data Privacy Day On Sunday, January 28, the United States, Canada, India and 47 European countries will celebrate Data Privacy ...
How Big Data Is Aiding Police And Security Officers

How Big Data Is Aiding Police And Security Officers

Big Data Is Aiding Police Officers Big data has become a trusted resource for people in industries ranging from health ...