Products Core Products ID-Certify

ID-Certify: Privilege Audit and Cleanup

Overview:

ID-Certify® is a unique Hitachi ID solution for distributed review and cleanup of user entitlements. ID-Certify closes the gap between business process, which should determine what user rights are appropriate, and Authentication / Authorization / Audit infrastructure (AAA), where user rights are actually stored and enforced.

ID-Certify ensures that user access rights are current and appropriate by periodically requiring business stake-holders to review user profiles, login accounts and security group memberships. Different stake-holders can be asked to review different users: managers review their direct subordinates, application owners review the users of their applications and security group owners review their memberships.

Using access certification, stake-holders identify no-longer-employed users, unneeded accounts and inappropriate security group memberships. A workflow engine captures these changes, sends them to suitable authorizers for review and -- if they are accepted -- automatically deactivates inappropriate login accounts and group memberships on sensitive systems.

Electronic signatures capture the actions of stake-holders, creating a trail of accountability for access rights that remain after certification and cleanup are complete.

The Challenge:

Regulatory compliance requirements and security policies increasingly demand that organizations maintain effective controls over who has access to sensitive corporate information and personal data about employees and customers:

• Systems must limit access to just the right users, at just the right time.
• Organizations must be able to provide auditable evidence that these controls are in place and effective. Section 404 of Sarbanes-Oxley specifically states that management must assess the effectiveness of internal controls on an annual basis.
• Organizations must be able to report which internal users currently have and had in the past, access to sensitive data.

Meeting these requirements can be challenging as users often have unique and changing business responsibilities, thus making their access rights difficult to model using roles and rules.

The difficulty in modeling complex, heterogeneous user access rights is compounded by the fact that although users accumulate privileges over time, they rarely ask IT to terminate old, unneeded rights. Moreover, it is difficult to predict when, after a change in responsibilities, a user will no longer function as a backup resource for his old job and so old entitlements can be safely deactivated.

These challenges together mean that it is difficult to model the appropriate access needs of enterprise users across multiple systems at a single point in time and likely impossible to model access requirements for thousands of users, over multiple systems, over an extended period of time.

Features:

The Hitachi ID access certification process addresses the problem of identifying and removing excess access rights.

The certification process is based on a simple premise: business stake-holders can identify inappropriate user rights assigned to users with whom they have close business relationships.

ID-Certify builds on this basic observation, delegating access review, cleanup and certification to managers, application owners and group owners throughout an organization. Three types of business stake-holders lead to three types of access certification:

• Org-centric Certification

  ID-Certify can leverage organization chart data, to identify relationships between managers and their subordinates. Using this data, managers can be asked to review the access rights of their subordinates. Requests sent to managers, along with reminders, change authorizations, etc. all leverage the ID-Certify workflow engine.

  The ID-Certify process for Org-centric certification works as follows:

  • ID-Certify periodically (e.g., quarterly or biannually according to corporate policy) requires managers to review the access rights of their staff. Certification requests are sent by e-mail and the workflow engine sends automatic reminders and escalates requests above managers who failed to respond.

  • Managers respond by signing into ID-Certify using their network or directory login ID and password, to start their certification process.

  • The dashboard interface presents managers with a list of their staff, asking them to identify any staff (user profiles) that no longer work for the organization. These will be removed later.

  • For each remaining, legitimate user, an access profile is displayed, with a list of login accounts on ID-Certify target systems. Target systems are described by name, a description of their business function and a link to an external HTML page providing further identifying information, such as screen-shots and longer descriptions.

  • Managers identify no-longer-needed accounts and flag them for later removal.

  • Managers view a list of security group memberships that their staff have on target systems. As with login accounts, security groups are identified by name, a description of their business function, a link to a pop-up HTML help page. Managers are asked to identify no-longer-appropriate group memberships.

  • Managers complete the process above for every direct subordinate and provide an electronic signature after reading a statement to the effect that their access review is complete and they certify that the remaining users, accounts and group memberships are appropriate.

  • After a manager completes his review and certification, any proposed changes (removed users, deactivated accounts, eliminated group memberships) are bundled into security change requests and submitted to the ID-Certify workflow engine. These requests will normally require further authorization, from system owners or higher managers and will ultimately lead to users, accounts and group memberships being deleted from target systems.

  • Certifications are collected up through the organization's hierarchy. Manager A is unable to sign off on his own certification until all of his subordinate managers (B, C, ...) have likewise signed off on theirs. This creates downward pressure through an organization to complete the review process, since upper managers are motivated to complete by regulatory requirements (e.g., Sarbanes-Oxley, HIPAA, etc.). This motivation leads to global completion of the certification process.

  • Since no manager can have a very large numbers of direct subordinates, this process scales to even the largest organizations. Time to complete an enterprise-wide audit depends on the depth of the organizational structure, rather than the organization's size.

• Application-centric Certification

  ID-Certify can be configured to request reviews of user accounts and security group memberships within individual applications, by those applications' owners. Application owners are prompted and reminded to perform these reviews by the ID-Certify workflow engine.

  The ID-Certify process for Application-centric certification works as follows:

  • ID-Certify periodically (e.g., quarterly or biannually according to corporate policy) requires application owners to review a list of users that have login accounts to their applications and their security group memberships within those applications. Reviews are performed one application at a time.

  • Application owners respond by signing into ID-Certify using their network or directory login ID and password, to start their certification process.

  • Application owners first review a list of users with login accounts to their application and flag for later removal users who should no longer have access.

  • For each remaining users, application owners review sensitive security group memberships and flag inappropriate group memberships for later removal.

  • Group memberships are identified by ID, a descriptive name and optionally a link to an HTML page containing an arbitrarily verbose description of the group's business function.

  • Application owners complete the review process and provide an electronic signature after reading a statement to the effect that their access review is complete and they certify that the remaining login accounts and group memberships are appropriate.

  • After an application owner completes his review and certification, any proposed changes (deactivated accounts, eliminated group memberships) are bundled into security change requests and submitted to the ID-Certify workflow engine. These requests will normally require further authorization, for instance from each user's manager.

  • It should be noted that application-centric certification is appropriate to applications with modest numbers of users, such that the application owner recognizes the users personally and has some idea of what access rights are appropriate for each user. Larger applications and systems that span the entire organization are more appropriately supported by:
    • Org-centric certification.
    • Group-centric certification (for user groups of modest size).
    • App-centric certification, where the application can be segmented into sub-components, each with its own owner.

• Group-centric Certification

  ID-Certify can be configured to request reviews of user membership in security groups by each group's owner. Group owners are prompted and reminded to perform these reviews by the ID-Certify workflow engine.

  The ID-Certify process for Group-centric certification works as follows:

  • ID-Certify periodically (e.g., quarterly or biannually according to corporate policy) requires group owners to review a list of users with membership in their groups. Reviews are performed one group at a time.

  • Group owners respond by signing into ID-Certify using their network or directory login ID and password, to start their certification process.

  • Group owners review group memberships and flag inappropriate ones for later removal.

  • Group owners complete the review process and provide an electronic signature after reading a statement to the effect that their access review is complete and they certify that the remaining group memberships are appropriate.

  • After a group owner completes his review and certification, any proposed changes (deactivated accounts, eliminated group memberships) are bundled into security change requests and submitted to the ID-Certify workflow engine. These requests will normally require further authorization, for instance from each user's manager.

  • In environments with large numbers of groups, it is helpful to draw data about group ownership from existing sources. ID-Certify can pull group owner data from target systems, such as Active Directory. This makes it straightforward to configure group-centric certification across thousands of individual groups.

  • It should be noted that group-centric certification is appropriate to groups with modest numbers of users, such that the group owner recognizes the users personally and has some idea of what access rights are appropriate for each one. Larger groups are better served by Org-centric certification.

Benefits:

• ID-Certify is simple to deploy, providing a practical solution to a perennial security problem: finding and eliminating obsolete access rights.

• The practicality of this solution is unique. Organizations can deploy access certification in just a few weeks, without getting bogged down in never-ending role engineering projects.

• Complete, accurate and up-to-date information about who should have what access to what systems is drawn from the one repository where it already does exist: managers' knowledge of their own workforce.

• Enhances network security by identifying and removing all orphan and dormant accounts.

• Results in a completely clean set of user access and privileges data in existing authentication, authorization and audit (AAA) systems.

• Handles Sarbanes-Oxley (SOX compliance), HIPAA compliance, 21 CFR Part 11, PIPEDA, Gramm-Leach-Bliley (GLB compliance) and more.

© Hitachi ID Systems, Inc. 2008. All rights reserved.