By Ben Goodman
Every organization needs to be compliant with something these days. The problem is that they have to wrestle with enforcing, maintaining, and demonstrating compliance; there is no one tool or vendor that can do it all.
Are there tools out there that will aggregate data and show you if you are compliant, for example? Certainly there are. But the data these systems use comes from somewhere else and that “somewhere else” always translates into additional tools, additional people, and additional work effort.
In recent years, organizations have begun turning to identity management systems to help them address this compliance complexity. As a result, upwards of 85% of new identity and access management deployments are, according to Sally Hudson of IDC, driven by compliance.
The problem there is, although identity management systems can help by automating many aspects of compliance, they were never designed to be compliance solutions in and of themselves. Still, they can serve as a critical component and even a cornerstone of compliance infrastructure if people are willing to think about compliance a little differently.
And “thinking differently” in terms of compliance calls for a paradigm shift.
This paradigm shift involves, first of all, thinking about compliance not in terms of this or that technology, or even in terms of this or that specific set of regulations (PCI, Sarbanes-Oxley, FISMA, HIPAA, etc.), but in terms of a compliance framework.
A framework-centric approach gets us out of the trap of chasing the next regulation (and the next tool to support it) by providing us with an open, flexible compliance architecture that can accommodate whatever new requirements or new technologies come down the pike next.
This paradigm shift requires that we recognize how compliance can be boiled down into a set of basic controls. One control element for PCI, for example, may be that passwords have to conform to certain standards in terms of strength. One control element for Sarbanes-Oxley might be that a separation of duties, when it comes to access, needs to be maintained. And so on.
The great thing is that if you apply this framework approach and boil regulations down into a set of controls, you’ll find that a lot of these regulations actually have many of the same controls!
That is, even though there may be dozens of regulations you need to comply with as an enterprise, when you get down to the control level, the variance between one regulation and another may be much smaller than you anticipated. As an example, Sarbanes-Oxley (SOX) has 271 IT controls, while the Health Insurance Portability and Accountability Act (HIPAA) has 160 IT controls. However, 66 controls, or over a third of HIPAA’s controls, overlap with SOX.
In other words, approaching compliance from the control level makes it easier and more manageable to expand the system to include any new regulations or compliance-related needs that may arise, because the building blocks are already in place.
One interesting aspect of this paradigm shift towards a control-focused compliance framework is that it turns issues of identity and access management into issues of content.
In order for a control-focused compliance framework to provide real value, it must be filled with content. What do we mean by content?
On the input side, the specific controls you need to implement are examples of content. You feed them into an identity and access management system, for example, in order to automate them. This is key because, frankly, the only way to enforce compliance in an accurate and reliable way is if the process is automated. Manual enforcement of compliance controls is simply too cumbersome and costly and because of that, it is not sustainable. In order to use it in this way, your identity and access management systems must be intelligent enough to “understand” this content and know how to use it.
On the output side, this content will govern the reports that you will generate in order to demonstrate to auditors that you not only have the controls in place, but that they are effective.
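To make the control-level idea concrete, here is an added example (not code from the author or any product the article refers to) of a small control catalog in which each control is mapped to the regulations that require it and carries an automated check. The regulation mappings, the toxic entitlement pairs, the 12-character password threshold, the 90-day review window and the sample environment are all constructed for illustration, not taken from any official crosswalk. Running it shows both the input side (controls expressed as executable checks) and the output side (a per-regulation report of which controls are not effective), plus the overlap computation the article describes.

```python
"""Control-centric compliance catalog: constructed illustration, not an official mapping."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

Env = Dict[str, object]  # a snapshot of the environment the checks inspect


@dataclass(frozen=True)
class Control:
    id: str
    description: str
    regulations: FrozenSet[str]            # constructed mapping of control -> regulations
    check: Callable[[Env], List[str]]      # returns findings; empty list means the control is effective


def check_password_strength(env: Env) -> List[str]:
    """Password policy control (the PCI-style example in the article)."""
    policy = env["password_policy"]
    findings = []
    if policy["min_length"] < 12:          # 12 is an assumed threshold for this example
        findings.append(f"minimum length {policy['min_length']} is below 12")
    if not policy["require_complexity"]:
        findings.append("complexity requirement is disabled")
    return findings


# Constructed pairs of entitlements that one person should never hold together.
TOXIC_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"change_ledger", "approve_ledger"}),
}


def check_separation_of_duties(env: Env) -> List[str]:
    """Separation-of-duties control (the SOX-style example in the article)."""
    findings = []
    for user, entitlements in sorted(env["entitlements"].items()):
        for pair in sorted(TOXIC_PAIRS, key=sorted):
            if pair <= entitlements:
                findings.append(f"{user} holds conflicting entitlements {', '.join(sorted(pair))}")
    return findings


def check_access_review(env: Env) -> List[str]:
    """Periodic access review control; 90 days is an assumed window."""
    days = env["days_since_access_review"]
    return [f"last access review was {days} days ago (limit 90)"] if days > 90 else []


CATALOG = [
    Control("PWD-01", "Passwords meet strength standard", frozenset({"PCI", "SOX", "HIPAA"}), check_password_strength),
    Control("SOD-01", "Conflicting entitlements are not co-held", frozenset({"SOX"}), check_separation_of_duties),
    Control("REV-01", "Access is reviewed periodically", frozenset({"SOX", "HIPAA"}), check_access_review),
]


def regulation_overlap(catalog: List[Control], reg_a: str, reg_b: str) -> set:
    """Controls that satisfy both regulations at once (the 'overlap' the article talks about)."""
    return {c.id for c in catalog if {reg_a, reg_b} <= c.regulations}


def evaluate(catalog: List[Control], env: Env) -> Dict[str, List[str]]:
    """Input side: run every control's automated check against the environment."""
    return {c.id: c.check(env) for c in catalog}


def failing_by_regulation(catalog: List[Control], results: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Output side: for each regulation, the controls that are in place but not effective."""
    out: Dict[str, List[str]] = {}
    for c in catalog:
        if results[c.id]:
            for reg in c.regulations:
                out.setdefault(reg, []).append(c.id)
    return {reg: sorted(ids) for reg, ids in sorted(out.items())}


# Constructed sample environment: a weak password policy, one toxic role combination, an overdue review.
SAMPLE_ENV: Env = {
    "password_policy": {"min_length": 8, "require_complexity": False},
    "entitlements": {
        "alice": frozenset({"create_vendor", "approve_payment"}),
        "bob": frozenset({"read_reports"}),
    },
    "days_since_access_review": 120,
}

if __name__ == "__main__":
    print("SOX/HIPAA overlap:", sorted(regulation_overlap(CATALOG, "SOX", "HIPAA")))
    results = evaluate(CATALOG, SAMPLE_ENV)
    for control_id, findings in results.items():
        print(control_id, "EFFECTIVE" if not findings else "FAILING", findings)
    print("Failing controls per regulation:", failing_by_regulation(CATALOG, results))
```

Because a failing control is reported once per regulation that depends on it, fixing the single password-policy finding clears an item from three regulations at once, which is the practical payoff of the overlap the article describes.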
So, in a sense, your compliance framework’s success will be highly dependent on its ability to leverage a content framework.
Until now, operationalizing this paradigm shift was beyond the capabilities of any identity management system. The good news is that we are entering an era where it is not only becoming possible to do so, but where doing it any other way is quickly becoming unimaginable.
So, are you ready for a paradigm shift?