Regulatory Compliance Using Identity Management
2015 Hitachi ID Systems, Inc. All rights reserved.

Regulations such as Sarbanes-Oxley, FDA 21-CFR-11 and HSPD-12 require stronger security, to protect sensitive business processes. Regulations such as Gramm-Leach-Bliley, HIPAA, PIPEDA and the EU Privacy Protection Directive 2002/58/EC require stronger security, to protect the privacy of investors, patients, consumers and citizens, respectively.

Security in every multi-user application depends on authentication, authorization and audit infrastructure (AAA). In turn, this infrastructure depends on complete, current and accurate data about users. In particular, dormant and orphan accounts must be reliably deactivated, and privilege creep must be addressed.

Identity management systems enable reliable maintenance of data about users and their security rights. In turn, this supports reliable AAA and therefore regulatory compliance.

Contents

1 Introduction
2 Identity Management System Components
  2.1 Enterprise Identity Management
  2.2 Business Processes
  2.3 Functional Components
3 Authentication
  3.1 Overview
  3.2 Vulnerabilities
  3.3 Security Benefits of Identity Management
  3.4 Summary
4 Authorization
  4.1 Overview
  4.2 Vulnerabilities
  4.3 Security Benefits of Identity Management
  4.4 Summary
5 Audit
  5.1 Overview
  5.2 Vulnerabilities
  5.3 Security Benefits of Identity Management
  5.4 Summary
6 Summary
7 References
1 Introduction

Corporations and non-profit organizations, such as universities or government agencies, are increasingly subject to regulations that have an impact on IT governance. Regulations such as Sarbanes-Oxley, FDA 21-CFR-11 and HSPD-12 require stronger security, to protect sensitive business processes. Regulations such as Gramm-Leach-Bliley, HIPAA, PIPEDA and the EU Privacy Protection Directive 2002/58/EC require stronger security, to protect the privacy of investors, patients, consumers and citizens, respectively.

The common theme in all of these regulations is that IT security is crucial, to protect both corporate governance and privacy. Since every multi-user computer system depends on authentication, access controls and audit logs (AAA) for its security, it follows that the regulatory environment mandates an effective AAA infrastructure.

AAA is not new: one form of AAA or another has been embedded into every multi-user application since early mainframes in the 1960s. The weakness in most systems is not their ability to authenticate users, control their access rights and audit their actions, but rather the fact that these run-time decisions depend on accurate and reliable user data. As the number of users in a typical enterprise IT environment has grown, and as the number of systems and applications has multiplied, it has become increasingly difficult to maintain accurate and reliable data about every user on every system.

Identity management systems are intended to overcome this problem by automating user administration processes, so that data about users, how they are authenticated, and what rights they have can be maintained more efficiently and reliably.

This document outlines a variety of problems that can arise with user profile data, the impact of those problems on the efficacy of an enterprise AAA infrastructure, and the solutions that an identity management system can bring to bear to eliminate those problems.

The remainder of this document is organized as follows:

- Identity Management System Components: describes the elements of an identity management system that may be deployed in an enterprise network.
- Authentication: describes user authentication processes, how they can fail, and what identity management systems can do to eliminate these failures.
- Authorization: describes access authorization processes, how they depend on user profile data, and what identity management systems can do to ensure that user profile data is accurate and reliable.
- Audit: describes access audit processes, their limitations and how those limitations can be overcome using an identity management system.
- Summary: a summary of the concepts presented earlier.
2 Identity Management System Components

2.1 Enterprise Identity Management

This document focuses primarily on identity management inside the enterprise, managing internal users: employees, contractors, vendors, etc. Internal users are qualitatively different from external users, in that they are relatively few (thousands, not millions) and complex (having tens of login accounts and user objects each, many of which may be inaccurate, uncorrelated or obsolete).

Without an identity management system, users are managed by separate administrators, using separate software tools, and often separate business processes, on each system. This is illustrated in Figure 1.

[Figure 1: Managing Each Application in its own Silo. Business processes (hire, transfer, fire, retire, resign, start contract, finish contract, new application, retire application, password expiry, password reset) drive IT processes that maintain users, passwords, groups and attributes separately on each system: operating system, directory, application, database, ERP, legacy app, mainframe.]

An identity management system is used to externalize the administration of user objects, replacing processes that are implemented within each system and application with new processes that apply uniformly to all users, on all systems. This simpler process is illustrated in Figure 2.

[Figure 2: Externalizing the Management of Users and Entitlements. The same business and IT processes as in Figure 1, but an Identity and Access Management System sits between the IT processes and the systems and applications (operating system, directory, application, database, ERP, legacy app, mainframe) and manages their users, passwords, groups and attributes.]
2.2 Business Processes

As illustrated in Figure 2, an identity management system connects to multiple, existing systems where user objects are stored, and manages them cohesively. It does this as the end-product of one or more business processes, which drive changes to user definitions. Identity management systems may implement any of the following business processes:

- Auto-provisioning, deactivation: detect new user records on a system of record (SoR, such as HR) and automatically provision those users with appropriate access on other systems and applications. Detect deleted or deactivated users on the SoR and automatically deactivate those users across integrated systems and applications.
- Self-service requests: enable users to update their own profiles (e.g., new home phone number) and to request new entitlements (e.g., access to an application or share).
- Delegated administration: enable managers, application owners and other stake-holders to modify users and entitlements within their scope of authority.
- Access certification: periodically invite managers and application owners to review users and security entitlements within their scope of authority, flagging inappropriate entries for removal.
- Identity synchronization: detect changes to attributes, such as phone numbers or department codes, on one system and automatically copy them to others.
- Authorization workflow: validate all proposed changes, regardless of their origin, and invite business stake-holders to approve them before they are applied to integrated systems and applications.

2.3 Functional Components

Breaking processes down further, enterprise identity management systems may expose some subset of the following functions:

- Identity administration and governance:
  - Connectors, to read current state from and write updates to user objects on integrated systems and applications.
  - Automatic propagation of changes from one system (such as HR) to other systems (such as directories, mail systems, databases, servers, etc.).
  - A request portal, where users can ask to change their own or others' profiles and can request additional access rights.
  - An authorization workflow engine, to route change requests to appropriate business stakeholders for approval.
  - Various policy engines, to enforce rules such as segregation of duties or role based access control.
  - Access certification / attestation.
  - Reports, dashboards and analytics, to examine current state, historical access rights, trends and more.
- Credential management:
  - Self-service management of passwords, security questions and other authentication factors by users.
  - Managed enrollment of data such as security questions or voice biometrics.
  - Assisted service, enabling help desk and other privileged users to reset user passwords or clear intruder lockouts without needing full administrative rights.
- Privileged access management:
  - Automatic discovery and classification of systems and accounts.
  - Scheduled and event-triggered randomization of passwords on privileged accounts.
  - Encrypted and replicated storage of privileged credentials.
  - Temporary privilege escalation for existing users.
  - Single sign-on and other access disclosure mechanisms, allowing administrators to connect to shared, privileged accounts conveniently, securely and with clear audit records.
  - Integration with unattended infrastructure, such as Windows service accounts and application-to-application accounts, to reduce the prevalence of embedded, plaintext passwords.

Identity management systems are closely related to access management systems, which may consolidate or strengthen user authentication processes (i.e., single, strong sign-on) and may enforce authorization policies at run-time. These include:

- Strong authentication, using smart cards, tokens and biometrics.
- Web single sign-on (Web-SSO), typically using cookies to maintain session state, but increasingly using federation protocols such as SAML and WS-Security.
- Web access management (Web-AM), typically integrated with Web-SSO, which enforces runtime decisions about whether users should be allowed to access specific servers, URLs or application features.
3 Authentication

3.1 Overview

Users typically sign into systems and directories by typing a personal login ID and password. In most organizations, if a user forgets his password, or inadvertently mistypes it often enough to trigger an intruder lockout, the user may call the help desk, identify himself, and request a new password.

3.2 Vulnerabilities

This process can create multiple security vulnerabilities, exposing sensitive systems and data to access by unauthorized users:

- Weak passwords: short, simple or static passwords can be cracked by password guessing programs, or by patient intruders.
- Too many passwords: users with too many passwords will write them down, and so reduce system security to the equivalent of physical security. In many organizations, a large physical perimeter means that physical security is very weak.
- Caller authentication: help desks often fail to reliably authenticate callers, and so can be convinced by an intruder to mistakenly reset an intended victim's password. Many help desks authenticate callers by asking for some part of their social security numbers or birth-dates, neither of which is hard for an intruder to acquire.
- Credential proliferation: in many help desks, a large number of support staff have administrative rights to target systems, required to provide the password reset service. This is contrary to security best practice, which is to minimize the number of people with administrative rights (reducing the attack surface). Turnover among support staff also creates security concerns.
- Audit logs: few systems log administrative password resets, or attribute them to specific support staff. Consequently, there is no accountability for who reset whose password, when and why, as would be required in response to a security incident.

3.3 Security Benefits of Identity Management

All of the above problems can be addressed by an effective identity management system:

- Weak passwords: password synchronization systems can enforce a strong password policy, including minimum length, frequent expiry, history and complexity, whenever a user changes passwords. This ensures that passwords are difficult to crack, and expire long before the time required to crack them. Strong authentication products also work to eliminate weak passwords, typically requiring that users submit multiple authentication factors.
- Too many passwords: both password synchronization and single sign-on systems eliminate the need for users to remember multiple passwords. A single, strong, regularly changed password is much more secure than multiple passwords written down.
- Caller authentication: self-service and assisted password reset systems can be configured to implement a robust process for authenticating users who forgot or locked out their password. This may include prompting users to answer a combination of user-defined and standard questions, or resorting to another authentication factor, such as a hardware token or biometric sample, prior to a password reset.
- Credential proliferation: by delegating the right to reset passwords, separately from other privileges, password reset systems eliminate the need to give support staff administrative rights.
- Audit logs: password reset systems can audit all password resets, both self-service and assisted.

3.4 Summary

Vulnerabilities in a typical password-based authentication infrastructure can be eliminated using a combination of:

- Password synchronization.
- Self-service and assisted password reset.
- Single sign-on.
- Multi-factor authentication.
4 Authorization

4.1 Overview

Most systems control user access to data by first authenticating users (see previous section), and then checking each attempted user action against a privilege model. Users gain access to sensitive systems and data first by having a login account on the system in question, and secondarily by having specific privileges on that system.

Users may be granted privileges directly, or in relation to specific resources (e.g., folders, shares, printers, screens, menus, etc.). Users may acquire privileges by virtue of membership in a security group, which itself has been assigned privileges. Most large systems rely heavily on user groups to manage privileges, since assigning fine-grained rights individually to many users is too onerous.

As a result, the rights a user has across multiple systems in an organization can usually be expressed as a function of which accounts the user has, and what security groups the user belongs to on each system.

4.2 Vulnerabilities

The authorization infrastructure in most systems and applications is technically effective, but relies on data about user rights, which may be inaccurate:

- Login accounts: accounts may be orphaned, meaning that their users have left the organization, or dormant, meaning that the user no longer needs them. Accounts may be active but have no known owner, which eliminates the possibility of making users accountable for their actions.
- Security group memberships: users may be assigned inappropriate privileges, either due to failure to standardize access rights in conformance with policy, or in compliance with out-of-date policies. Users may belong to groups which grant them no-longer-needed privileges. This is a result of privilege accumulation, whereby users gain new rights as their responsibilities change, but their old (and no longer needed) rights are not reliably deactivated. This compromises the security principle of least privilege.
- Conflicting privileges: users may have multiple privileges which are reasonable individually but violate the need for separation of duties in combination. A traditional example is a user who can both submit purchase orders and issue payments, thereby circumventing traditional accounting controls.

4.3 Security Benefits of Identity Management

The above problems can be addressed by an effective identity management system:

- Orphan accounts: one function of any enterprise identity management system is to construct enterprise-wide user profiles, which connect user objects on multiple systems to single owners. Orphan accounts can be identified once this process is complete, as they are the accounts with no known owners. Typically a user provisioning system will be used to first deactivate orphan accounts, and wait to see whether their (legitimate) owners complain. After some time, orphan accounts can be removed, reducing the security attack surface and possibly also software licensing costs, where they are tied to the number of user objects.
- Dormant accounts: a user provisioning system can be used to identify dormant accounts, by inspecting the last-login-time attribute of each user. Dormant accounts can be eliminated in the same way as orphan accounts. On systems where there is no record of last login time, accounts can be connected to user profiles, and if the primary login account in the profile is inactive, it may be assumed that all other accounts are likewise dormant.
- Standardized privileges: by creating accounts through the user provisioning system, rather than directly using a variety of native user administration tools, organizations can enforce standards regarding login account configuration, to ensure that new users get appropriate privileges when their login IDs are created.
- Privilege accumulation: a privilege auditing system can be used to periodically review the rights of all users. Managers, application owners and group owners can identify and remove inappropriate privileges that were either improperly assigned or retained beyond their relevance. The same system can also be used to identify orphan and dormant accounts.
- Separation of duties: a user provisioning system can be used to prevent users from acquiring inappropriate privilege combinations. It can also be used to report on such combinations where they exist prior to deployment of the system, so that some or all of the offending privileges can be removed.

4.4 Summary

The combination of a user provisioning system and a privilege auditing system can be used to find and remove:

- Orphan and dormant accounts.
- Inappropriate privileges, whether accumulated over time or improperly granted at account creation time.
- Inappropriate combinations of rights that would violate rules requiring separation of duties.
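As an added example (not Hitachi ID's code), the orphan, dormant and separation-of-duties checks described in sections 4.2 and 4.3 run over a constructed set of per-system accounts that have already been reconciled to enterprise profiles; the system names, profile IDs, the 90-day dormancy window and the purchase-order/payment group pair are assumptions.

```python
"""Orphan, dormant and separation-of-duties checks over reconciled accounts.
Added example for sections 4.2-4.3; not Hitachi ID code. All data is constructed."""
from datetime import date, timedelta

# Constructed sample: one record per login account on one system. 'owner' is the
# enterprise profile the account was reconciled to (None = no known owner).
# 'last_login' is None on systems that keep no last-login-time attribute.
ACCOUNTS = [
    {"system": "AD", "login": "jsmith", "owner": "P001",
     "last_login": date(2015, 6, 1), "groups": {"Domain Users"}},
    {"system": "ERP", "login": "SMITHJ", "owner": "P001",
     "last_login": None, "groups": {"PO_SUBMIT"}},
    {"system": "Payments", "login": "PAY0042", "owner": "P001",
     "last_login": None, "groups": {"AP_PAYMENT"}},
    {"system": "AD", "login": "ajones", "owner": "P002",
     "last_login": date(2014, 9, 3), "groups": {"Domain Users"}},
    {"system": "ERP", "login": "JONESA", "owner": "P002",
     "last_login": None, "groups": {"PO_SUBMIT"}},
    {"system": "Mainframe", "login": "X47231", "owner": None,
     "last_login": date(2015, 5, 20), "groups": {"PAYROLL"}},
]
AS_OF = date(2015, 6, 20)            # assumed review date
PRIMARY_SYSTEM = "AD"                # assumed: where each profile's primary login lives
DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold
# Privileges that are reasonable alone but violate separation of duties together
# (the purchase-order / payment example from section 4.2).
SOD_RULES = [({"PO_SUBMIT", "AP_PAYMENT"},
              "can both submit purchase orders and issue payments")]


def build_profiles(accounts):
    """Group accounts by owner. Accounts with no owner are the orphan set."""
    profiles, orphans = {}, []
    for acct in accounts:
        if acct["owner"] is None:
            orphans.append(acct)
        else:
            profiles.setdefault(acct["owner"], []).append(acct)
    return profiles, orphans


def find_orphans(accounts):
    """Accounts that reconciliation could not attach to any person."""
    return [(a["system"], a["login"]) for a in build_profiles(accounts)[1]]


def find_dormant(accounts, today=AS_OF):
    """Accounts unused for longer than DORMANT_AFTER. Where a system records no
    last login, infer from the profile's primary account, as section 4.3 suggests."""
    profiles, _ = build_profiles(accounts)
    dormant = []
    for accts in profiles.values():
        primary = next((a for a in accts if a["system"] == PRIMARY_SYSTEM), None)
        primary_stale = (primary is not None and primary["last_login"] is not None
                         and today - primary["last_login"] > DORMANT_AFTER)
        for a in accts:
            if a["last_login"] is not None:
                stale = today - a["last_login"] > DORMANT_AFTER
            else:
                stale = primary_stale   # inference for systems without last-login data
            if stale:
                dormant.append((a["system"], a["login"]))
    return dormant


def find_sod_conflicts(accounts):
    """Union each person's groups across all systems, then test the SoD rules.
    A conflict may span systems, so the check runs per profile, not per account."""
    profiles, _ = build_profiles(accounts)
    conflicts = []
    for owner, accts in profiles.items():
        held = set().union(*(a["groups"] for a in accts))
        for toxic, reason in SOD_RULES:
            if toxic <= held:
                conflicts.append((owner, reason))
    return conflicts


if __name__ == "__main__":
    print("orphan accounts:", find_orphans(ACCOUNTS))
    print("dormant accounts:", find_dormant(ACCOUNTS))
    print("SoD conflicts:", find_sod_conflicts(ACCOUNTS))
```

The SoD conflict for P001 is only visible because the groups are unioned across ERP and Payments; checking either system alone would find nothing.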
5 Audit

5.1 Overview

Audit logs are intended to make users accountable for their actions. Various regulations that impact IT security require logging of changes to financial data, attempts to access private information, various authorizations and digital signatures.

The degree to which common systems and applications log events of interest is variable. For example, most systems record failed login attempts and user lockouts, but not all systems record successful user logins. Financial and clinical systems log authorizations and signatures, but other systems don't. Many systems do not log user administration actions, such as the creation of new users, changes to user privileges or deactivation of user access.

In almost all cases, audit logs are internal to systems and applications. Events on different systems may be difficult or impossible to correlate, as would be required in a forensic audit to establish a pattern of activity. Beyond local storage, a challenge for event correlation is that users often have different login IDs on different systems, and so audit logs on one system cannot be readily connected to those on another.

5.2 Vulnerabilities

Limited, system-specific audit logs present some security challenges to enterprises who must protect multiple, sensitive systems:

- Event correlation: it is difficult to match security events on one system to those on another if user identifiers are different and not otherwise correlated.
- Privilege audit: it is difficult to quickly answer the question "who has the following privileges?" when the privileges span multiple systems.
- Privilege history: it is impossible to quickly answer the question "who had the following privileges at a given date?" when systems do not log privilege changes.
- Record of authorization: most systems do not audit security change requests or authorization, since these happen out of band with respect to the administrative user interface. Moreover, use of generic administrator accounts and limited audit capabilities mean that most systems cannot even report on when a given privilege was assigned to a user, or by whom.
- Appropriate privileges: systems and applications cannot determine whether privileges granted to their own users are appropriate. Instead, administrators are presumed to assign privileges in a manner appropriate to business requirements.

5.3 Security Benefits of Identity Management

An identity management system can resolve all of these audit challenges:

- Event correlation: login ID reconciliation is a pre-requisite to the deployment of any enterprise identity management system. Consequently, data from any enterprise identity management system can be used to correlate event logs between multiple systems and applications.
- Privilege audit and history: a user provisioning system, configured to monitor and manage privileges on multiple systems, can be used to report on current and historical privileges.
- Record of authorization: where the user provisioning system is used to request and authorize security changes (e.g., using a workflow engine), it can report on this change history. Where changes are made through an automated process, it can at least report on which system of record triggered changes. Where a consolidated or delegated user administration model is used, the user provisioning system can report on which administrator initiated the change.
- Appropriate privileges: a privilege audit system engages business stakeholders, such as managers, application owners and group owners, to review privileges and make an informed decision about whether they are appropriate.

5.4 Summary

A user provisioning system, combined with a privilege auditing system, can significantly improve the ability of an organization to create accountability, and to find and remove inappropriate security privileges.
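As an added example (not Hitachi ID's code) for sections 5.2 and 5.3, the script below correlates constructed audit lines from three systems into one per-person timeline using a login-ID reconciliation table, and replays a constructed provisioning change log to answer "who had this privilege on a given date" and who requested and approved each grant; the log formats, system names, profile IDs and approver names are all assumptions.

```python
"""Cross-system audit correlation and privilege history over reconciled login IDs.
Added example for sections 5.2-5.3; not Hitachi ID code. All data is constructed."""
import re
from datetime import datetime

# Constructed output of login-ID reconciliation: (system, login) -> enterprise profile.
RECONCILED = {
    ("AD", "jsmith"): "P001", ("ERP", "SMITHJ"): "P001", ("Mainframe", "X47231"): "P001",
    ("AD", "ajones"): "P002", ("ERP", "JONESA"): "P002",
}

# Constructed raw audit lines, each in its own system's (assumed) native format.
AD_LOG = [
    "2015-06-18T08:02:11 4624 LOGON user=jsmith src=10.1.2.3",
    "2015-06-18T08:05:40 4624 LOGON user=ajones src=10.1.2.9",
    "2015-06-18T08:20:00 4624 LOGON user=svc_backup src=10.1.2.50",
]
ERP_LOG = [
    "18/06/2015 08:07:02|SMITHJ|PO_SUBMIT|PO-4471",
    "18/06/2015 08:09:55|SMITHJ|AP_PAYMENT|PO-4471",
]
MAINFRAME_LOG = ["2015-06-18 08:11:30 USERID=X47231 ACTION=PAYROLL_VIEW"]

# Constructed change log kept by the provisioning/workflow system: every grant or
# revoke with who requested it and who approved it (the record of authorization).
CHANGE_LOG = [
    ("2014-01-10T09:00:00", "P002", "ERP", "PO_SUBMIT", "grant", "mgr.lee", "erp.owner"),
    ("2015-03-01T10:15:00", "P001", "ERP", "PO_SUBMIT", "grant", "mgr.lee", "erp.owner"),
    ("2015-05-15T14:30:00", "P001", "ERP", "AP_PAYMENT", "grant", "jsmith", "mgr.lee"),
    ("2015-06-30T16:00:00", "P002", "ERP", "PO_SUBMIT", "revoke", "cert.review", "mgr.lee"),
]


def parse_ad(line):
    ts, _event_id, _kind, rest = line.split(" ", 3)
    login = re.search(r"user=(\S+)", rest).group(1)
    return datetime.fromisoformat(ts), "AD", login, "LOGON"


def parse_erp(line):
    ts, login, action, obj = line.split("|")
    return datetime.strptime(ts, "%d/%m/%Y %H:%M:%S"), "ERP", login, f"{action} {obj}"


def parse_mainframe(line):
    m = re.match(r"(\S+ \S+) USERID=(\S+) ACTION=(\S+)", line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), "Mainframe", m.group(2), m.group(3)


SOURCES = [(parse_ad, AD_LOG), (parse_erp, ERP_LOG), (parse_mainframe, MAINFRAME_LOG)]


def correlate(sources=SOURCES):
    """Merge all systems' events into one time-ordered list keyed by enterprise
    profile. Logins that reconciliation never mapped are kept under 'UNMAPPED' so
    they surface for review instead of silently dropping out of the audit trail."""
    events = []
    for parser, lines in sources:
        for line in lines:
            ts, system, login, action = parser(line)
            events.append((ts, RECONCILED.get((system, login), "UNMAPPED"), system, login, action))
    return sorted(events)


def timeline_for(profile, sources=SOURCES):
    """One person's actions across every system, in order."""
    return [(ts.isoformat(), system, action)
            for ts, p, system, _login, action in correlate(sources) if p == profile]


def unmapped_logins(sources=SOURCES):
    """Accounts seen in the logs that have no known owner (candidate orphans)."""
    return {(system, login) for _ts, p, system, login, _a in correlate(sources) if p == "UNMAPPED"}


def holders_on(group, as_of):
    """Replay the change log up to as_of: 'who had this privilege on a given date?'"""
    cutoff = datetime.fromisoformat(as_of)
    held = set()
    for ts, profile, _system, grp, op, _req, _appr in sorted(CHANGE_LOG):
        if grp == group and datetime.fromisoformat(ts) <= cutoff:
            (held.add if op == "grant" else held.discard)(profile)
    return held


def authorization_record(profile, group):
    """Who requested and who approved each change to this privilege for this person."""
    return [(ts, op, req, appr) for ts, p, _s, g, op, req, appr in sorted(CHANGE_LOG)
            if p == profile and g == group]


if __name__ == "__main__":
    for row in timeline_for("P001"):
        print(row)
    print("unmapped:", unmapped_logins())
    print("PO_SUBMIT holders on 2015-06-18:", holders_on("PO_SUBMIT", "2015-06-18T00:00:00"))
    print("AP_PAYMENT authorization for P001:", authorization_record("P001", "AP_PAYMENT"))
```

The merged timeline for P001 shows the same person submitting and then paying PO-4471 across two systems, the separation-of-duties pattern from section 4.2 that neither system's own log reveals.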
6 Summary

Regulations increasingly demand that corporations and non-profit organizations implement sound IT security to protect privacy and ensure sound governance. Most systems and applications already incorporate authentication, authorization and audit (AAA) infrastructure with which to do this. Unfortunately, AAA infrastructure is vulnerable to weaknesses in security-related business processes and to improper user privilege definitions.

An identity management system, including user provisioning, password synchronization and reset, and privilege audit, can be used to address shortcomings in security business processes and inappropriate user privileges, which would otherwise undermine an AAA infrastructure. These identity management features can be supplemented by strong authentication technology, single sign-on and web access management systems.
7 References

Hitachi ID is an enterprise identity management software vendor:
Hitachi ID Identity Manager is a user provisioning solution from Hitachi ID:
Hitachi ID Password Manager is a password synchronization and password reset solution from Hitachi ID:
Hitachi ID Access Certifier is a privilege audit solution from Hitachi ID:

, Street SE, Calgary AB Canada T2G 2J3
Tel: Fax:
sales@hitachi-id.com
Date: June 20, 2005
File: /pub/wp/documents/idm-compliance/idm-compliance-1.tex
More informationAUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR
AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR Web Portal Security Review Page 2 Audit Report 03-11 Web Portal Security Review INDEX SECTION I EXECUTIVE SUMMARY
More informationAlleviating Password Management Demands on Your IT Service Desk SOLUTION WHITE PAPER
Alleviating Password Management Demands on Your IT Service Desk SOLUTION WHITE PAPER Table of Contents Executive Summary...1 The Importance of Automation...2 The Role of Password Management in Modern Business...3
More informationNCSU SSO. Case Study
NCSU SSO Case Study 2 2 NCSU Project Requirements and Goals NCSU Operating Environment Provide support for a number Apps and Programs Different vendors have their authentication databases End users must
More informationIDENTITY MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region
IDENTITY MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationW H IT E P A P E R. Salesforce CRM Security Audit Guide
W HITEPAPER Salesforce CRM Security Audit Guide Contents Introduction...1 Background...1 Security and Compliance Related Settings...1 Password Settings... 2 Audit and Recommendation... 2 Session Settings...
More informationMulti-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access
Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access CONTENTS What is Authentication? Implementing Multi-Factor Authentication Token and Smart Card Technologies
More informationSecurity Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0
Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features
More informationFoundation ACTIVE DIRECTORY AND MICROSOFT EXCHANGE PROVISIONING FOR HEALTHCARE PROVIDERS HEALTHCARE: A UNIQUELY COMPLEX ENVIRONMENT
Foundation ACTIVE DIRECTORY AND MICROSOFT EXCHANGE PROVISIONING FOR HEALTHCARE PROVIDERS The promise of reduced administrative costs and improved caregiver satisfaction associated with user provisioning
More informationDepartment of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government
Department of Information Technology Remote Access Audit Final Report January 2010 promoting efficient & effective local government Background Remote access is a service provided by the county to the Fairfax
More informationLots of workers, many applications, multiple locations......and you need one smart way to handle access for all of them.
Lots of workers, many applications, multiple locations......and you need one smart way to handle access for all of them. imprivata OneSign The Converged Authentication and Access Management Platform The
More informatione-governance Password Management Guidelines Draft 0.1
e-governance Password Management Guidelines Draft 0.1 DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S.
More informationSmart Identity Security: The Next Generation of Identity and Access Management
I D C V E N D O R S P O T L I G H T Smart Identity Security: The Next Generation of Identity and Access Management February 2006 Adapted from Worldwide Identity and Access Management 2005-2009 Forecast
More informationSimplify Identity Management with the CA Identity Suite
SOLUTION BRIEF CA DATABASE IDENTITY SUITE MANAGEMENT IDENTITY FOR MANAGEMENT DB2 FOR z/os DRAFT Answer the cover question by stating how the solution can deliver the desired benefits; typically, technical
More informationOracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009
Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009 EXECUTIVE OVERVIEW Enterprises these days generally have Microsoft Windows desktop users accessing diverse enterprise applications
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationCentral Agency for Information Technology
Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationSecurity management White paper. Develop effective user management to demonstrate compliance efforts and achieve business value.
Security management White paper Develop effective user management to demonstrate compliance efforts and achieve business value. September 2008 2 Contents 2 Overview 3 Understand the challenges of user
More information2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.
Purpose and Scope The purpose of this policy is to define the roles and responsibilities on implementing the Homeland Security Presidential Directive 12 (HSPD-12) Logical Access Control (LAC) throughout
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 10 Authentication and Account Management Objectives Describe the three types of authentication credentials Explain what single sign-on
More informationIDENTITY MANAGEMENT AND WEB SECURITY. A Customer s Pragmatic Approach
IDENTITY MANAGEMENT AND WEB SECURITY A Customer s Pragmatic Approach AGENDA What is Identity Management (IDM) or Identity and Access Management (IAM)? Benefits of IDM IDM Best Practices Challenges to Implement
More informationBusiness-Driven, Compliant Identity Management
SAP Solution in Detail SAP NetWeaver SAP Identity Management Business-Driven, Compliant Identity Management Table of Contents 3 Quick Facts 4 Business Challenges: Managing Costs, Process Change, and Compliance
More informationIBM Security Privileged Identity Manager helps prevent insider threats
IBM Security Privileged Identity Manager helps prevent insider threats Securely provision, manage, automate and track privileged access to critical enterprise resources Highlights Centrally manage privileged
More information1 Maximizing Value. 2 Economics of self-service. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
1 Maximizing Value Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Getting value from Hitachi ID Password Manager by improving user adoption. 2 Economics of self-service 2015
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationIDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience
IDENTITY & ACCESS Privileged Identity Management controlling access without compromising convenience Introduction According to a recent Ponemon Institute study, mistakes made by people Privilege abuse
More informationSolihull Metropolitan Borough Council. IT Audit Findings Report September 2015
Solihull Metropolitan Borough Council IT Audit Findings Report September 2015 Version: Responses v6.0 SMBC Management Response July 2015 Financial Year: 2014/2015 Key to assessment of internal control
More informationTECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management
TECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management Table of Contents Executive Summary 1 SECTION 1: CHALLENGE 2 The Need for
More informationPasslogix Sign-On Platform
Passlogix Sign-On Platform The emerging ESSO standard deployed by leading enterprises Extends identity management to the application and authentication device level No modifications to existing infrastructure
More informationSOLUTION BRIEF Improving SAP Security With CA Identity and Access Management. improving SAP security with CA Identity and Access Management
SOLUTION BRIEF Improving SAP Security With CA Identity and Access Management improving SAP security with CA Identity and Access Management The CA Identity and Access Management (IAM) suite can help you
More informationTable of Contents. Page 1 of 6 (Last updated 30 July 2015)
Table of Contents What is Connect?... 2 Physical Access Controls... 2 User Access Controls... 3 Systems Architecture... 4 Application Development... 5 Business Continuity Management... 5 Other Operational
More informationMANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.
More informationEntrust Secure Web Portal Solution. Livio Merlo Security Consultant September 25th, 2003
Entrust Secure Web Portal Solution Livio Merlo Security Consultant September 25th, 2003 1 Entrust Secure Web Portal Solution Only the Entrust Secure Web Portal solution provides Security Services coupled
More informationWHITEPAPER. Identity Management ROI Calculation Case Study. T h i n k I D e n t i t y. March 2006
Identity Management ROI Calculation Case Study March 2006 T h i n k I D e n t i t y Table of Contents INTRODUCTION...3 IDENTITY & ACCESS MANAGEMENT COMPONENTS...4 THE BENEFITS OF IDENTITY & ACCESS MANAGEMENT...4
More informationThe Role of Password Management in Achieving Compliance
White Paper The Role of Password Management in Achieving Compliance PortalGuard PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 617.674.2727 E-mail: sales@portalguard.com Website: www.portalguard.com
More informationFrom Password Reset to Authentication Management: the Evolution of Password Management Technology
From Password Reset to Authentication Management: the Evolution of Password Management Technology 2010 Hitachi ID Systems, Inc. All rights reserved. Contents 1 Introduction 1 2 In the Beginning: A Simple
More informationOracle Identity Management for SAP in Heterogeneous IT Environments. An Oracle White Paper January 2007
Oracle Identity Management for SAP in Heterogeneous IT Environments An Oracle White Paper January 2007 Oracle Identity Management for SAP in Heterogeneous IT Environments Executive Overview... 3 Introduction...
More informationThe Return on Investment (ROI) for Forefront Identity Manager
The Return on Investment (ROI) for Forefront Identity Manager July 2009 2009 Edgile, Inc All Rights Reserved INTRODUCTION Managing identities within organizations and ensuring appropriate access to information
More informationDirX Identity V8.5. Secure and flexible Password Management. Technical Data Sheet
Technical Data Sheet DirX Identity V8.5 Secure and flexible Password Management DirX Identity provides a comprehensive password management solution for enterprises and organizations. It delivers self-service
More informationData Replication in Privileged Credential Vaults
Data Replication in Privileged Credential Vaults 2015 Hitachi ID Systems, Inc. All rights reserved. Contents 1 Background: Securing Privileged Accounts 2 2 The Business Challenge 3 3 Solution Approaches
More informationSTRONGER AUTHENTICATION for CA SiteMinder
STRONGER AUTHENTICATION for CA SiteMinder Adding Stronger Authentication for CA SiteMinder Access Control 1 STRONGER AUTHENTICATION for CA SiteMinder Access Control CA SITEMINDER provides a comprehensive
More informationIdentity & Access Management in the Cloud: Fewer passwords, more productivity
WHITE PAPER Strategic Marketing Services Identity & Access Management in the Cloud: Fewer passwords, more productivity Cloud services are a natural for small and midsize businesses, with their ability
More informationDirX Identity V8.4. Secure and flexible Password Management. Technical Data Sheet
Technical Data Sheet DirX Identity V8.4 Secure and flexible Password Management DirX Identity provides a comprehensive password management solution for enterprises and organizations. It delivers self-service
More informationQuest One Identity Solution. Simplifying Identity and Access Management
Quest One Identity Solution Simplifying Identity and Access Management Identity and Access Management Challenges Operational Efficiency Security Compliance Too many identities, passwords, roles, directories,
More informationIdentity and Access Management Point of View
Identity and Access Management Point of View Agenda What is Identity and Access Management (IAM)? Business Drivers and Challenges Compliance and Business Benefits IAM Solution Framework IAM Implementation
More informationEnterprise Identity Management Reference Architecture
Enterprise Identity Management Reference Architecture Umut Ceyhan Principal Sales Consultant, IDM SEE Agenda Introduction Virtualization Access Management Provisioning Demo Architecture
More informationRSA Authentication Manager 8.1 Help Desk Administrator s Guide
RSA Authentication Manager 8.1 Help Desk Administrator s Guide Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm
More informationMANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s
More informationSelf-Service Password Manager
WWW.ROSE-HULMAN.EDU/EIT OFFICE OF ENTERPRISE INFORMATION TECHNOLOGY Self-Service Password Manager Rose-Hulman Institute of Technology has implemented a self-service password manager that provides an easy-to-use
More informationStrengthen security with intelligent identity and access management
Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers
More informationA HIGH-LEVEL GUIDE TO EFFECTIVE IDENTITY MANAGEMENT IN THE CLOUD
A HIGH-LEVEL GUIDE TO EFFECTIVE IDENTITY MANAGEMENT IN THE CLOUD By Gail Coury, Vice President, Risk Management, Oracle Managed Cloud Services 2014 W W W. OU T S O U R C IN G - CEN T E R. C O M Outsourcing
More informationTrust but Verify: Best Practices for Monitoring Privileged Users
Trust but Verify: Best Practices for Monitoring Privileged Users Olaf Stullich, Product Manager (olaf.stullich@oracle.com) Arun Theebaprakasam, Development Manager Chirag Andani, Vice President, Identity
More informationSecuring the Healthcare Enterprise for Compliance with Cloud-based Identity Management
Securing the Healthcare Enterprise for Compliance with Cloud-based Identity Management Leveraging Common Resources and Investments to Achieve Premium Levels of Security Summary The ecosystem of traditional
More information1 The intersection of IAM and the cloud
1 The intersection of IAM and the cloud Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Theory, practice, pros and cons with a focus on enterprise deployments of IAM and cloud
More informationSecuring Remote Vendor Access with Privileged Account Security
Securing Remote Vendor Access with Privileged Account Security Table of Contents Introduction to privileged remote third-party access 3 Do you know who your remote vendors are? 3 The risk: unmanaged credentials
More informationEnabling Fast and Secure Clinician Workflows with One-Touch Desktop Roaming W H I T E P A P E R
Enabling Fast and Secure Clinician Workflows with One-Touch Desktop Roaming W H I T E P A P E R Table of Contents Introduction.......................................................... 3 The Challenge
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationThe Essentials of Enterprise Password Management. FastPass Password Manager V 3.4 Enterprise & Service Provider Editions
The Essentials of Enterprise Password Management FastPass Password Manager V 3.4 Enterprise & Service Provider Editions FastPassCorp 2012 FPC0 FastPassCorp Page 1 of 14 OVERVIEW When deciding on a new
More informationInformation Technology Branch Access Control Technical Standard
Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,
More informationAchieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/
Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite 7. Restrict access to cardholder data by business need to know PCI Article (PCI DSS 3) Report Mapping How we help 7.1 Limit access to system
More informationManaging Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform
Managing Privileged Identities in the Cloud How Privileged Identity Management Evolved to a Service Platform Managing Privileged Identities in the Cloud Contents Overview...3 Management Issues...3 Real-World
More informationThe Need for ESSO W h i T E pa p E r
The Need for ESSO W h i t e pa p e r The Missing Link in Password Management Every information security executive is familiar with the problems of password fatigue, password inflation, and the associated
More informationSUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
More informationCompliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More information