Compliance Architecture

Many organizations today are implementing a strategy of building a compliance architecture, whose core component is an identity management system, to ensure that they can satisfy requirements of the compliance auditors. The business driver for these efforts is to design and implement an identity management strategy that will satisfy both current and future regulatory and policy requirements, rather than addressing ever-changing regulatory rules one at a time.

The efficiency of building a compliance architecture is derived from significant overlap in requirements raised by many corporate governance and privacy regulations. Common requirements in such regulations include:

Strong and reliable authentication. (read more)
Effective controls over user access to systems and data, including automatic access termination. (read more)
Audit trails that record user access rights across a heterogeneous environment, and over time. (read more)
Periodic reviews of user rights, with integrated workflow to remove inappropriate access. (read more)
Secure management of administrative credentials to workstations, servers and applications. (read more)

By building a single compliance architecture, IT departments can leverage these commonalities, addressing the broader set of requirements up front, and avoiding future effort to meet every new regulation.

A sophisticated identity management system that reaches across a broad range of multiple corporate IT infrastructure can meet these requirements:

Requirement:	Security Infrastructure Impact:
Strong and reliable authentication	Password policy enforcement. Strong authentication prior to password resets. Strong authentication when enrolling new authentication factors, such as filling in Q&A profiles, collecting biometric samples or handing out hardware tokens.

Effective controls over user access to systems and data	Controlled authorization prior to creating or modifying login IDs, using a workflow engine that includes strong authentication of requesters and authorizers. Reliable access termination, including automated termination triggered by removals from a system of record, and scheduled terminations. Cross-directory login ID reconciliation, to connect user objects to people, and make it possible to manage access in a consolidated fashion, rather than one system at a time. Consolidated user administration, to support prompt access termination when required.

Extensive audit trails	Cross-directory login ID reconciliation, supporting consolidated access reporting. Regular monitoring of user login accounts, including alarms triggered by unauthorized changes. Open-ended audit trails, tracking all change requests by time, date, requester, recipient, authorizer and resource.