Many IT organizations are struggling going through IT audits. With security and compliance a “make-or-break” issue, IT is bearing the brunt of the workload for this effort. Of course, there is good reason to prioritize security. The stakes are higher than ever and major corporations (e.g. Equifax, Target, ebay, JPMorgan Chase) are being compromised regularly. So it’s smart that organizations are proactively taking steps to assure customers that their data is safe. This means going through any number of IT audits to measure and validate security. In order to meet the requirements of the audit, there are some key tools and systems that can help ensure a successful audit. In this post, we discuss how JumpCloud Directory-as-a-Service® supports your IT audit.
Varying IT Audits
While being compliant with a standard doesn’t mean that you are secure and unhackable, it does promote good IT security hygiene and hopefully reduces the risk of a breach.
No two IT audits are exactly alike. The PCI Data Security Standard (for organizations that process credit cards) is different than the HIPAA standard for health care, which is different than others such as GLBA, SOX, and FISMA. Some of these standards are prescriptive and tell IT organizations exactly what’s required and how they will be audited. One audit that falls in this category is the PCI audit. Other regulations are more vague and open to interpretation. HIPAA and SOX could be considered as being more high-level and not as detailed.
There are also critical similarities. In all cases, IT organizations are under tremendous pressure to be successful with the audits that they are subject to. Another key similarity is that each compliance standard deals at some level with identity management. Controlling who has access to what IT resources, and how, is a basic IT control that is critical to satisfy. Compromises occur when the wrong people have access to IT systems. Compliance standards are in the business of preventing these breaches. So it makes sense that all audits emphasize proper identity security practices.
Identity Management Solution for Compliance
One of the most important tests for an IT organization is how they keep their critical credentials secure. This is where JumpCloud’s Directory-as-a-Service platform comes in.
As a core, central identity provider, JumpCloud’s goal is to securely connect users to the IT resources they need. That includes systems, applications, networks, and more, located either in the cloud or on-prem. Because JumpCloud is an independent identity management platform, and delivered as a SaaS-based solution, the question for many IT admins becomes, “How can a cloud hosted directory service support my IT audit?”
There are a number of ways that an IDaaS platform can help. Here are the key ones:
Secure control over identities – JumpCloud’s cloud directory securely stores your user accounts and SSH keys. You’ll have one central directory service across your organization which makes it easier to audit your infrastructure. Your passwords will be stored via a one-way hash and salt making it more secure. Connections between the cloud directory service and IT resources are handled through secure connections. You’ll also have the benefit of JumpCloud’s security procedures and audits to show your auditors.
Control over user access – having central control over who has access to what is perhaps the most important reason to have a directory service. With JumpCloud you’ll benefit from True Single Sign-On™, which connects your users to a wide variety of IT resources via LDAP, SAML, RADIUS, SSH, REST, and more. One identity can be provisioned, deprovisioned, and modified to access a number of IT resources. This central control provides auditors with confidence that you can control your IT infrastructure.
Visibility over access control – having control over access and keeping identities secure is important, but you also need to prove that to the auditors. JumpCloud’s event and logging infrastructure provides you with the evidence that you need. All user access to systems is logged, as well as any actions on the JumpCloud management console. You’ll be able to prove when you have provisioned and de-provisioned users, and also who is accessing those all important servers.
JumpCloud and Your IT Audit
While you can’t push a button and be compliant, JumpCloud is one of the components that can lead to a successful audit and save you a great deal of time and expense.
A large number of JumpCloud’s customers are subject to compliance standards. We have been helping these organizations become compliant on at least the identity and access management section of their statutes. You can read a customer story on how Lumeon uses JumpCloud to help them achieve HIPAA Compliance here.
If you would like to learn more about how JumpCloud’s Directory-as-a-Service can support your IT audit, drop us a note. We’d be happy to share with you how our clients have been successfully passing their audits with our IDaaS platform. You can also try out the platform for yourself by signing up for a free account. Your first 10 users are free forever, with no credit card required, so there’s no reason not to give it a shot.