User Provisioning & Compliance Tips

Written by Cassa Niedringhaus on April 14, 2020


Whether you need to comply with HIPAA, PCI DSS, ISO 27001, or another regulation or industry standard, the way you provision (and deprovision) users in your organization plays a big role in your compliance. Here are three steps to tighten control of user identities, improve provisioning processes, and move toward regulatory compliance.

Three Tips to Leverage Provisioning for Compliance

1. Implement Central Identity and Access Management

A key tool in achieving regulatory compliance is a centralized identity and access management (IAM) solution. Centralized IAM offers control, security, and visibility throughout an IT environment and stems identity sprawl. Modern cloud directory services fill this central IAM role because they’re natively designed to connect users with a full suite of IT resources, including systems, applications, networks, and files.

Rather than managing a legacy on-prem directory like Active Directory®, a Google Cloud™ Identity directory for G Suite™ access, or a host of third-party vendors to federate identities to various resources, an IT admin can use a cloud directory service to provision and manage all user access from a single solution. A cloud directory service is preferable to using a collection of solutions that each only cover one aspect of an overall IT environment.

A cloud directory service can also help you implement a least privilege model, in which users and systems have access only to the resources they need to do their jobs. From the same place you can enforce the security configurations that regulations commonly call for: full disk encryption on managed machines, strong password requirements, multi-factor authentication wherever a resource supports it, and screen lock timeouts.

The real payoff of this approach is visibility: you can answer "who has access to what" from one place, and you can grant or revoke access with a single change rather than one change per system.

2. Automate User Provisioning

Automation is another aspect to consider, especially as an organization scales, but automated workflows can be difficult to implement with traditional IAM solutions. From a cloud directory service, an IT admin can automate user provisioning workflows with far less effort. Defined, repeatable workflows are also easier to demonstrate to an auditor than ad hoc manual steps, and they are more efficient.

Automation can also be beneficial for regulatory compliance. The HIPAA Security Rule requires, for example, that a unique name or number be assigned to identify and track each user (45 CFR §164.312(a)(2)(i)). A cloud directory service assigns such an identifier automatically when a user is created, and because it propagates from one source, it stays consistent across resources. The identifier should be stable for the life of the account and never reused for a different person, or the audit trail it anchors becomes ambiguous.

With the right IAM solution in place, an IT admin only needs to manually provision a user once, and then their identity propagates where it's needed based on a framework such as group-based access control: membership in a group grants a defined set of resources, so adding a user to a group provisions every resource bound to it. The more you can control with automation the better, and the less incentive users have to bypass normal IT processes and create their own accounts with company credentials. If a user has access to all the resources they need automatically from the first time they set foot in the office (or log in remotely), and they trust the IT department to provision additional access as their role changes, they no longer have a reason to create a rogue account that funnels proprietary data around your controls.

3. Automate User Deprovisioning

Like automated provisioning, automated deprovisioning aids in regulatory compliance and provides other benefits, too. From a central cloud directory, you can suspend a user and automatically revoke their access to all connected resources, including terminating a current session on a managed machine. Doing this promptly is impractical when identities live in several separate stores, and it's critical for regulatory compliance. One caveat for federated applications: suspending the directory account stops new logins, but sessions or tokens the application has already issued persist until the application itself revokes them or they expire, so check how each connected resource handles a suspend event.

PCI DSS Requirement 8 (8.1.3 in v3.2.1) stipulates, for example, that organizations must immediately revoke access for any terminated users. Imagine if you have to suspend access not only in the central directory but also in each individual app the user is logged into. That's far from an immediate process.

Automatic deprovisioning is more accurate and efficient than its manual counterpart, and it ensures old user credentials no longer provide access to organizational resources.
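The two automation steps above (provisioning by group membership, and suspension that revokes everything in one action) are really one mechanism: a reconciler that computes a user's desired access from group membership and applies the difference against every connected resource. The following Python sketch is an added illustration, not code from the original article or any vendor's product. The group-to-resource bindings, resource names, and the in-memory `Resource` stand-in for a connected application are constructed for the example; a real deployment would call each application's provisioning API instead.

```python
"""Group-based provisioning and deprovisioning reconciler (illustrative only)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import uuid

# Hypothetical bindings from directory groups to resources (constructed for this example).
GROUP_RESOURCES = {
    "engineering": {"github", "aws-dev", "vpn"},
    "finance": {"netsuite", "vpn"},
    "everyone": {"gsuite", "slack"},
}


@dataclass
class User:
    username: str
    groups: set
    # Unique, stable identifier assigned once at creation and never reused,
    # the kind of tracking ID HIPAA's unique user identification control asks for.
    uid: str = field(default_factory=lambda: str(uuid.uuid4()))
    suspended: bool = False


@dataclass
class Resource:
    """Stand-in for a connected app or system with its own account store."""
    name: str
    accounts: set = field(default_factory=set)  # uids that hold an account here
    sessions: set = field(default_factory=set)  # uids with a live session here

    def create_account(self, uid):
        self.accounts.add(uid)

    def delete_account(self, uid):
        # Deleting the account also terminates any live session.
        self.accounts.discard(uid)
        self.sessions.discard(uid)


class Directory:
    """Central identity store: the single place access is granted or revoked."""

    def __init__(self, resources):
        self.users = {}
        self.resources = {r.name: r for r in resources}
        self.audit = []  # (timestamp, action, uid, detail) for the compliance trail

    def _log(self, action, uid, detail=""):
        self.audit.append((datetime.now(timezone.utc).isoformat(), action, uid, detail))

    def desired_access(self, user):
        """Resources the user should have: the union of their groups' bindings, or nothing if suspended."""
        if user.suspended:
            return set()
        return set().union(*(GROUP_RESOURCES.get(g, set()) for g in user.groups))

    def reconcile(self, uid):
        """Bring every connected resource in line with the user's group membership."""
        user = self.users[uid]
        desired = self.desired_access(user)
        changes = []
        for name, res in self.resources.items():
            has_account = uid in res.accounts
            if name in desired and not has_account:
                res.create_account(uid)
                changes.append(("grant", name))
            elif name not in desired and has_account:
                res.delete_account(uid)
                changes.append(("revoke", name))
        for action, name in changes:
            self._log(action, uid, name)
        return changes

    def add_user(self, username, groups):
        user = User(username, set(groups))
        self.users[user.uid] = user
        self._log("create", user.uid, username)
        self.reconcile(user.uid)  # provisioned once, propagated everywhere
        return user

    def set_groups(self, uid, groups):
        self.users[uid].groups = set(groups)
        return self.reconcile(uid)

    def suspend(self, uid):
        """One action: flag the user, revoke every account, terminate every session."""
        user = self.users[uid]
        user.suspended = True
        self._log("suspend", uid, user.username)
        return self.reconcile(uid)

    def orphaned_accounts(self):
        """Audit check: accounts in resources whose uid is unknown to, or suspended in, the directory."""
        active = {uid for uid, u in self.users.items() if not u.suspended}
        return {r.name: r.accounts - active for r in self.resources.values() if r.accounts - active}


if __name__ == "__main__":
    d = Directory([Resource(n) for n in ["github", "aws-dev", "vpn", "netsuite", "gsuite", "slack"]])
    alice = d.add_user("alice", ["engineering", "everyone"])
    print("provisioned:", sorted(d.desired_access(alice)))
    print("role change:", d.set_groups(alice.uid, ["finance", "everyone"]))
    d.resources["vpn"].sessions.add(alice.uid)  # simulate a live VPN session
    print("suspend:", d.suspend(alice.uid))
    print("orphans:", d.orphaned_accounts())
```

The `orphaned_accounts` check is the one an auditor effectively performs: any account in a connected system that does not map to an active directory identity is a finding. Running it on a schedule catches accounts created outside the workflow, which is exactly the rogue-account problem described above.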
