By Rajat Bhargava Posted December 10, 2015
Compliance is a hot topic these days, no matter what industry you’re in. With security breach after security breach being reported, regulators and governing bodies have created thresholds that organizations must meet in order to be found compliant. These requirements come from federal, state, and local law, as well as from industry bodies such as the PCI Security Standards Council, whose PCI DSS is a contractual obligation imposed by the card brands rather than a statute. By setting minimum compliance requirements for organizations, the belief is that these mandates will decrease the number of security breaches, thus protecting consumers and their personal data.
Required Compliance Standards
Does mandating compliance actually improve security? That’s the current debate among people who work in security. Regardless of the answer, the reality is that organizations are now required to meet these compliance regimes, which range from PCI DSS to HIPAA to FISMA and many other acronyms. Years ago, these standards were in place but lacked any real teeth: they were treated as guidelines, and non-compliance usually earned a slap on the wrist. Years of online breaches, and their increasing severity, have changed that stance. Compliance is now enforced, and the penalties for falling short, whether fines, loss of card-processing privileges, or liability after a breach, are severe.
Compliance is a broad topic. To understand the depth and scope of today’s standards, a good example to review is PCI DSS, perhaps the most prescriptive and specific of them, and one that covers a great deal of ground. One area that stands out is identity management. Controlling who can access confidential data and systems is an obvious way to reduce the chance of a breach, but access control on its own is not enough: the credentials that grant access must be hard to steal or guess, and the access that does happen must be recorded so you can prove the controls work. In short, compliance pushes you toward layers of security around identity.
3 Layers of Identity Management Security Compliance
The layers of identity management security boil down to one key question: who can access which data and applications. With confidential data, only the people who need it to do their jobs should be granted access. This first layer of identity management compliance is the principle of least privilege, and the fewer people who can reach confidential data, the better.
After minimizing the number of people who can access confidential systems and data, the next layer is to ensure that the people actually logging in are the ones you granted access to. This is done by strengthening credentials and by using techniques that verify, at authentication time, that the person presenting a credential is its legitimate owner. Common controls include enforcing strong passwords, rotating them on a fixed schedule, preventing reuse of previous passwords, and requiring multi-factor authentication.
Thirdly, monitoring is a critical component of compliance. Systems need to be in place that record who accessed confidential data and what they did while logged in. Once you have decided who should have access and enforced the credential controls, you must monitor the access points and the behavior behind them. Auditors and regulating bodies look for evidence that your controls work, and a complete, reviewed log of access decisions and authentication events is how you demonstrate that your identity management layers do.
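The following is an added example, not code from the original post or from any product it mentions. It shows the three layers above as a single working policy: a least-privilege access check driven by an explicit allow list, a credential policy covering length, character classes, rotation age and reuse history (with passwords stored only as salted PBKDF2 hashes), and an audit log entry for every decision. The thresholds (7-character minimum, letters plus digits, 90-day rotation, no reuse of the last four) are assumed values chosen to resemble the PCI DSS 3.x password requirements; check them against the current version of the standard before relying on them. One caveat a practitioner should know: forced periodic rotation was standard advice in 2015, but NIST SP 800-63B (2017) later recommended against mandatory periodic changes in favor of changing passwords on evidence of compromise, so treat `MAX_AGE` as a compliance knob rather than a security best practice.

```python
"""Added example (not part of the original post): a minimal three-layer
identity-management policy with audit logging.

Policy thresholds below are ASSUMED values chosen to resemble PCI DSS 3.x
password requirements; verify against the current standard before use.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_LENGTH = 7                  # assumed: minimum password length
MAX_AGE = timedelta(days=90)    # assumed: maximum password age before rotation
HISTORY_DEPTH = 4               # assumed: previous passwords that may not be reused
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: we keep hashes, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    name: str
    groups: set
    history: list = field(default_factory=list)   # (salt, hash) pairs, newest last
    last_changed: Optional[datetime] = None


# Layer 3: every decision leaves a record. A list stands in for a log pipeline/SIEM.
audit_log: list = []


def audit(event: str, user: str, outcome: str, detail: str = "") -> None:
    audit_log.append({"event": event, "user": user, "outcome": outcome, "detail": detail})


# Layer 1: least privilege. `acl` maps a resource name to the groups allowed to use it;
# anything not explicitly listed is denied.
def authorize(user: User, resource: str, acl: dict) -> bool:
    allowed = bool(user.groups & acl.get(resource, set()))
    audit("access", user.name, "allow" if allowed else "deny", resource)
    return allowed


# Layer 2: credential strength and reuse. Returns a list of violations (empty = OK).
def password_violations(user: User, candidate: str) -> list:
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("needs both letters and digits")
    for salt, digest in user.history[-HISTORY_DEPTH:]:
        # Re-hash with the stored salt and compare in constant time.
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def set_password(user: User, candidate: str, now: datetime) -> list:
    """Apply the policy; on success store a fresh salted hash and trim history."""
    problems = password_violations(user, candidate)
    if problems:
        audit("password_change", user.name, "reject", "; ".join(problems))
        return problems
    salt = os.urandom(16)
    user.history.append((salt, hash_password(candidate, salt)))
    user.history = user.history[-HISTORY_DEPTH:]
    user.last_changed = now
    audit("password_change", user.name, "accept")
    return []


def credential_expired(user: User, now: datetime) -> bool:
    """Rotation check: a never-set or stale password must be changed before use."""
    return user.last_changed is None or now - user.last_changed > MAX_AGE


if __name__ == "__main__":
    # Constructed scenario: one finance user, two resources.
    now = datetime(2015, 12, 10, tzinfo=timezone.utc)
    alice = User("alice", {"finance"})
    acl = {"cardholder-db": {"finance"}, "hr-records": {"hr"}}
    print("set Winter2015:", set_password(alice, "Winter2015", now))
    print("reuse Winter2015:", password_violations(alice, "Winter2015"))
    print("expired after 91 days:", credential_expired(alice, now + timedelta(days=91)))
    print("cardholder-db:", authorize(alice, "cardholder-db", acl))
    print("hr-records:", authorize(alice, "hr-records", acl))
    for entry in audit_log:
        print(entry)
```

The audit log is the part an auditor will actually ask for: it records denies as well as allows and rejected password changes as well as accepted ones, so absence of an event is itself evidence. In a real deployment the list would be replaced by append-only log shipping, and the allow list by group membership from the directory.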
Compliance is a critical area for all organizations today, and identity management plays a central role in it. If you would like to learn more about how identity management solutions such as Directory-as-a-Service can support your compliance program, drop us a note. We’d be happy to chat with you about it.