Compliance demands are everywhere; we can’t escape them, and they only seem to be getting worse.
It used to be that only banks, publicly-traded companies and healthcare organisations needed to worry about compliance. But today, virtually every organisation – public and private, large and small, for-profit and not – must deal with regulatory pressure in one form or another.
The usual reaction is a line-by-line assessment of compliance (or non-compliance), often involving an auditor snooping around, followed by a mad scramble to remediate each violation. But compliance doesn’t have to be that complex, and above all it doesn’t have to be so reactive.
Five simple tactics – if followed – can dramatically improve your chances of passing the next audit.
1. Get one strong password
Inconsistent password strength, a single user having several disparate passwords, and IT spending too much time helping users establish and maintain access all contribute to the password mess. Any effort you put into unifying password policy, eliminating non-secure practices, and automating the management of those passwords will remove one of the key areas of risk auditors look for.
- Eliminate as many passwords as possible through identity unification, single sign-on, and synchronisation.
- Base all password policy (regardless of system) on an established, compliant system.
- Empower end-users to securely manage their own passwords to eliminate the temptation to write them down.
2. Make authentication strong
Closely related to weak password practices is weak authentication, a common audit finding that can be easily overcome.
Virtually every regulation requires that authentication, which includes the transmission of passwords, be secured to a level that prevents malicious parties from gaining unauthorised access (such as through sniffing out and using an unencrypted password).
- Eliminate unencrypted password transmission (such as that of legacy Unix systems using NIS) by unifying authentication with more secure, already compliant sources (such as Active Directory).
- Implement multi-factor authentication, such as the addition of one-time passwords (OTP), for those systems and situations where regulations demand stronger authentication.
3. Remember that de-provisioning is more important than provisioning
While setting up user accounts (provisioning) in a timely and efficient manner is vital for operations and productivity, regulations require immediate and complete revocation of access for terminated employees. This is called de-provisioning and is perhaps the most often overlooked and highly scrutinised area of compliance.
- Automate provisioning and de-provisioning so that when an employee’s status changes in an authoritative data source (for example, the HR system), access is immediately and completely terminated.
- Unify identities (similar to the password issue discussed above) so there are fewer places that must be de-provisioned and the risk of orphaned accounts is reduced.
4. Don’t ignore privileged accounts
Privileged accounts – those that grant system-level access – are one of the primary sources of security breaches and one of the first places auditors look for compliance weakness. Because these accounts are all-powerful, absolutely necessary for system operation and management, and not tied to an individual (i.e. they are most often shared across all administrators that must use them), privileged – or superuser – accounts are the primary target for the malicious activity that regulations seek to address.
- Eliminate the sharing of administrator passwords and credentials through technologies that enforce a policy-based request, approval, issuance, return, and resetting of administrative passwords.
- Delegate day-to-day administrative access to enforce a least-privilege model that only enables administrators the rights necessary to do their job – nothing more, nothing less.
- Watch what administrators do with either an issued full credential or delegated rights to assign individual accountability to previously anonymous activities.
- Consider adding two-factor authentication to your privileged access management strategy.
5. Base access rights on something other than the individual
One of the major themes common to all regulations is the concept of separation of duties (SoD). This can mean that the person approving an expenditure cannot be the same person writing the check, or that the person in billing should not have access to sensitive medical information on the patient while the care-giver does not have access to the patient’s payment history.
Manually enforcing SoD is extremely difficult and very error-prone, particularly when jobs change or temporary access is needed.
- Unify roles across the entire organisation so that one role in one system means the same thing in all others.
- Tie access rights to provisioning in a holistic and unified manner so that a single action grants appropriate rights across all systems.
- Make attestation (or the periodic recertification of access rights) an intuitive process that puts the power in the hands of those that know who should have rights to what (line of business personnel) not those that simply know how to set things up and get to the data (IT).
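The de-provisioning check from point 3 and the cross-system SoD check from point 5 can both be driven from one reconciliation pass over an authoritative HR feed and the accounts each system currently holds. The following is an added example, not code from the article or from Dell Software; the HR feed, system names, roles and toxic role pairs are all constructed for illustration.

```python
# Constructed sample data (not from the article). HR is the authoritative source;
# each downstream system lists the accounts it holds and the roles assigned to them.
HR_STATUS = {"alice": "active", "bob": "terminated", "carol": "active", "dave": "active"}

SYSTEM_ACCOUNTS = {
    "finance": {"alice": {"expense_approver", "check_writer"},
                "bob": {"check_writer"},
                "dave": {"billing"}},
    "ehr":     {"carol": {"billing", "clinical_records"},
                "dave": {"clinical_records"}},
    "unix":    {"bob": set(), "dave": set(), "eve": set()},   # eve has no HR record at all
}

# Toxic role pairs in the spirit of the article's examples. Because roles are unified,
# a conflict holds even when the two roles live in different systems.
SOD_CONFLICTS = [("expense_approver", "check_writer"), ("billing", "clinical_records")]


def deprovision_candidates(hr, systems):
    """Accounts to revoke: owner is not active in HR, or has no HR record (orphan)."""
    findings = []
    for system, accounts in systems.items():
        for user in sorted(accounts):
            status = hr.get(user)
            if status is None:
                findings.append((system, user, "orphan: no authoritative HR record"))
            elif status != "active":
                findings.append((system, user, f"hr status is {status}"))
    return findings


def sod_violations(systems, conflicts):
    """Users holding both halves of a conflicting pair, aggregated across all systems."""
    roles_by_user = {}
    for accounts in systems.values():
        for user, roles in accounts.items():
            roles_by_user.setdefault(user, set()).update(roles)
    violations = []
    for user, roles in sorted(roles_by_user.items()):
        for a, b in conflicts:
            if a in roles and b in roles:
                violations.append((user, a, b))
    return violations


if __name__ == "__main__":
    for finding in deprovision_candidates(HR_STATUS, SYSTEM_ACCOUNTS):
        print("REVOKE", *finding)
    for violation in sod_violations(SYSTEM_ACCOUNTS, SOD_CONFLICTS):
        print("SOD", *violation)
```

Note that dave's violation only appears because his "billing" role in finance and his "clinical_records" role in the EHR are evaluated together; a per-system check would miss it.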
By addressing these five simple areas, compliance will be much easier to achieve and maintain. By solving the fundamental issues, you can avoid the line-by-line, one-finding-at-a-time stance that many, many organisations are forced to take when an auditor comes calling.
About the Author
Ian Hodge is the General Manager, Dell Software Australia