Cloud applications must be managed in a way that complies with the many different government standards in the United States. As more cloud applications are being implemented in businesses of every industry, companies need a way to ensure compliance. Some of these regulations include the Health Insurance Portability and Accountability Act (HIPPA), the Control Objectives for Information and Related Technology (COBIT) and Sarbanes Oxley Act (SOX).
These each require businesses to ensure certain standards within their organizations, including protection of data and full disclosure. While organizations might know how to handle compliance for in-house applications, how do leaders handle cloud applications? What, if anything changes?
There are several important compliance requirements that businesses are required to follow depending on which industry they are in. For example, for the healthcare industry, HIPAA protects the use and disclosure of patient data and ensures that healthcare organizations have the correct security measures in place to protect patient data, as well as requiring a complete audit trail of all users at an organization. HIPAA compliance also states that upon termination, the company must have processes in place to revoke access to systems and applications. SOX is another standard for general business that also requires all information about user’s actions, including document/data access, password changes, logins and logouts and any changes made to be recorded. Still another, COBIT, which is published by the IT Governance Institute provides “a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users and IS audit control and security practitioners.” These are only a few of the many different rules and compliance regulations which organizations need to follow.
All of these can be extremely time consuming, confusing, and difficult to easily achieve. Especially when organizations start to implement many different cloud applications at their company it can be difficult to manage them in accordance with compliance rules.
Many organizations implement identity and access management (IAM) solutions that ensure that data is easily secure and that these standards are met. Many IAM solutions work seamlessly with both in house and cloud applications so that the overall process can be managed effectively without several different solutions to ensure correct compliance. How does this work?
When dealing with many different cloud applications, it is common for access rights for a user to be incorrect. This is either from being set incorrectly from the beginning when the employees account was set up, or during their time with the organization they acquired incorrect access rights over time, which can be a major compliance issue.
One way that an IAM solution combats this is by ensuring that access is correct from the beginning. Since setting up employee accounts in all applications, including cloud applications is time consuming, human resources or the account admin often uses a template account or copy an account of an employee with a similar position. This then leads to the employee often accumulating rights which they should not have. Depending on the different roles within the organization, a certain access profile can be set with an IAM solution. For example, an in-house employee working as an assistant in the finance department will have a certain set of rights that they are supposed to have. When the employee is added to the source system, depending on their role, their access rights and accounts in each application are automatically generated and set up for them. An email can then be sent to their manager with all of their access rights and accounts. If for any reason this is incorrect the manager can then easily edit the employees account.
Another compliance issue is that often the employee gains incorrect rights over time. Either they request access from someone who does not have the authorization to give it or they are lent someone’s credentials. This situation can be prevented with an IAM workflow. A workflow can be set up by the organization so that only the correct authorized managers can give access to secure applications. For example, if an employee needs access to a certain secure application for a project they can easily make the request through a portal. The request is then sent to the appropriate manager, who can either accept or deny the request. If needed, there can also be several levels of approval required. This ensures that only the correct authorized people are giving access rights.
Many companies complete this procedure with an entirely paper-driven processes and each time at a SOX audit, the IT department would spend weeks of digging through the papers with the auditor. With an automated workflow system, all granting of access is traceable and documented in the identity and access management solution, so that when it comes to audit time there is an electronic paper trail. If needed, the solution can also generate an overview of all users and the rights which they have in the organization. This allows the organization to see exactly who has access to what and any changes that they made in the network.
Lastly, an automated account management solution ensures that access in all applications is revoked once the employee is no longer with the organization, which as a requirement of many compliance regulations. A manager simply disables the account in the source system and all connected accounts are automatically disabled. This ensures that the employee can no longer access the organizations network, and that removal is not accidentally overlooked.
Another compliance issue is segregation of duty or role collision. One aspect of SOX compliancy requires that certain tasks cannot be performed by one and the same person. For example, an order may be placed by person X but this should be validated by person Y. If this happens the system will automatically block or alert a manager whenever two of such authorizations are being granted to one and the same user. This ensures that SOX is easily met.
All of these IAM tasks can be handled completely in a portal in the cloud. So, an employee who works remotely with only cloud applications can still benefit and the organization can still easily manage that users account. This is the same for managers, as they can accept or deny requests for anywhere at any time. Many IAM solutions work seamlessly with both in house and cloud applications so that the organization can easily ensure they are efficiently managing all applications and are in accordance with compliance rules.
By Dean Wiech
