By Greg Keller Posted January 9, 2017
Many organizations are now subject to compliance regulations. With the dramatic rise in identity theft and security compromises, government agencies and various corporate entities are forcing network security regulations on organizations. While some of these regulations can be broad and far-reaching across privacy and data security concepts, others are much more focused on monetary transactions. Regardless of their focus, the goal of compliance regulations is largely the same – protect confidential and private information.
The secret to solving the compliance conundrum for organizations is that compliance starts with identity management.
Compliance and Identity Management
Fundamentally, compliance regulations are focused on ensuring that confidential data is only accessible to the appropriate people; everyone else should be denied access. Narrowing the scope of access is the first step toward compliance. The regulations reflect this and focus on controlling access, especially to critical systems, applications, and data. Some of the most widely applied regulations (PCI, HIPAA, SOX, ISO 27001, GLBA, and FISMA) center on controlling identities.
The number one attack vector is compromised identities. A compromised set of credentials can allow hackers to access confidential information. As a result, compliance statutes focus on protecting those identities and controlling who has access to IT resources. The common theme across many of these compliance regulations includes the following attributes:
Users should have strong passwords. This includes making them long and complex. Of course, a longer password is always a better password. Many regulations will also require password rotation, a limit on failed login attempts before an account is locked out, and restrictions on password reuse. A lot of these requirements make for excellent password hygiene, and they not only help achieve compliance but also support strong security.
One of the most powerful steps that any organization can take with security is to leverage multi-factor authentication with their systems and applications. Many compliance statutes are now embracing this significant identity security step. With the proper MFA technique attached to the right systems and critical applications, user accounts and system access can be extremely secure.
Protecting systems is a critical part of achieving compliance. Compromised systems can be turned into launch pads for further attacks, and systems also often hold identities and other confidential information. Many compliance regulations therefore require that systems are protected with antivirus software and patched on a regular basis.
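As an added illustration (not code from the original post or from JumpCloud), the password-policy attributes listed above can be expressed as a small enforcement module: minimum length, character-class complexity, reuse prevention against a hashed history, and lockout after a number of failed logins. The policy thresholds (12 characters, 3 classes, 5-password history, 5 failures) are assumed values chosen for the example, not numbers from any particular regulation.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)

@dataclass
class PasswordPolicy:
    min_length: int = 12      # assumed threshold; length matters most
    min_classes: int = 3      # of the four character classes above
    history_size: int = 5     # previous passwords that may not be reused
    max_failures: int = 5     # failed logins before lockout

@dataclass
class AccountState:
    history: list = field(default_factory=list)  # (salt, digest) pairs
    failures: int = 0

def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 keeps the reuse history free of plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(policy, state, candidate: str) -> list:
    """Return the policy violations for a proposed password (empty means OK)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(any(c in cls for c in candidate) for cls in CHARACTER_CLASSES)
    if classes < policy.min_classes:
        problems.append(f"uses {classes} of {policy.min_classes} required character classes")
    recent = state.history[-policy.history_size:]
    if any(hmac.compare_digest(_digest(candidate, salt), d) for salt, d in recent):
        problems.append(f"reused within the last {policy.history_size} passwords")
    return problems

def rotate_password(policy, state, new_password: str) -> list:
    """Store a new password if it is compliant; returns the violations otherwise."""
    problems = check_password(policy, state, new_password)
    if not problems:
        salt = os.urandom(16)
        state.history.append((salt, _digest(new_password, salt)))
    return problems

def record_login(policy, state, success: bool) -> bool:
    """Count consecutive failures; returns True once the account should be locked."""
    state.failures = 0 if success else state.failures + 1
    return state.failures >= policy.max_failures
```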
Logging Data of Authentication Events
While actually doing the work of protecting your organization is important, compliance regulations also want proof that you are doing that. Logging of authentication events is a critical aspect of that proof. Knowing when users have been logging into your systems and what they have been doing are important aspects of security.
There are, of course, many other features to compliance, but it starts with protecting your digital assets by controlling who can access them. Identity management platforms are an important tool in the fight to keep organizations secure and compliant. Many IT admins are looking for cloud solutions to solve their compliance problems. The less infrastructure on-prem the better it is for IT organizations.
JumpCloud® Puts You On The Path To Compliance
A key solution on the path to compliance is Directory-as-a-Service®. As a cloud-hosted directory service, Directory-as-a-Service gives IT organizations centralized control over user identities and what those identities can access, including systems, applications, and networks. Cloud infrastructure, such as AWS, is becoming more popular and controlling user access to remote cloud servers is seamless. The same level of control is also available for the system itself across Windows, Mac, and Linux platforms. IT admins can easily control password complexity, multi-factor authentication on systems and applications, and detailed event logging.
It’s easy to see how Directory-as-a-Service can become a central tool in your quest to become compliant:
If you would like to learn more about why compliance starts with identity management, drop us a note. Also, feel free to check out our IDaaS platform and see what security controls we can help with as you focus on becoming compliant with PCI, HIPAA, SOX, and other statutes.