Access Certification


Access Certification allows organizations to manage risk by identifying, certifying, and modifying user access to vital corporate resources, to maintain compliance with corporate policies and industry regulations as part of a corporation's Access Compliance Management strategy.

  • Identify who has access to what resources across the organization
  • Display access rights in business-friendly terms allowing business managers to determine if user access is consistent with policy
  • Modify access where appropriate by automatically changing, disabling or deleting access rights without requiring a provisioning solution

 

Courion Solution: ComplianceCourier


Access Certification – Identify, Certify and Modify Access

Users with unnecessary, excessive or inappropriate access rights - particularly to applications or systems containing sensitive or protected data - increase the risk of data compromise. Effective access governance requires organizations to establish policies and procedures to manage appropriate access rights, especially if they are subject to industry or government regulations, such as Sarbanes-Oxley, HIPAA, GLBA, PCI DSS, BASEL II, Mass. 201 CMR17, Model Audit Rule, NERC CIP, and others.

Organizations need an information security policy designed to:

  • Allow only users with a business need access to sensitive/protected data
  • Periodically review access privileges to confirm they are in line with business policies and regulations
  • Take effective, corrective action to remediate inappropriate access rights

To do this effectively, the organization needs to:

  • Identify sensitive data and applications throughout the enterprise
  • Discover who has access to them, as well as who has ever accessed them
  • Identify users with unnecessary access rights that violate policy
  • Deliver this information to business managers in easy-to-understand terms and layout
  • Validate and approve which access rights are appropriate or require modifications
  • Automatically modify, disable or delete inappropriate access rights, without requiring a provisioning solution

Avoiding The Big Rubber Stamp

Without these capabilities, companies must rely on a complex, time-consuming, manual process of collecting user entitlement data from dozens or hundreds of IT systems into massive spreadsheets, which tempts busy, overworked managers to simply rubber-stamp the results. Even when they identify inappropriate access rights, the lack of automated remediation hinders quick and accurate changes to a user's access rights. As a result, the organization fails to adequately protect sensitive data or ensure compliance with regulations and corporate policies, increasing the risk of data compromise.

The Synergy of Identity, Sensitive Data and User Activity

Additionally, some companies locate sensitive data on various systems using data loss prevention (DLP) products. Others monitor user activity to flag suspicious user actions - such as significant after-hours activity or unusual transaction volumes - using security information and event management (SIEM) and other access logging systems (e.g., enterprise single sign-on, application-specific logs, database activity logs, etc.). DLP and SIEM tools help identify data or users that represent a higher than normal potential risk to the organization. Combining these data with detailed profile information about the users, delivered to business managers using business-friendly terminology, gives the organization the power to respond appropriately to the level of risk.

ComplianceCourier - Meeting The Challenge

To address these issues, Courion delivers ComplianceCourier, an automated access compliance and certification solution. ComplianceCourier periodically reminds managers when certification is required or notifies them when a potential access violation has been identified.

ComplianceCourier is designed to be used by both business users and IT or security administrators. Managers can review entitlements described in business-friendly, rather than esoteric IT-focused, terms and presented in a consistent format. Integration with leading DLP and SIEM tools correlates sensitive data alerts (generated by DLP) or user activity alerts (from SIEM) with user access rights to provide the manager with a comprehensive user profile, including what data the user has access to, as well as previous activity patterns.

This data is delivered using a visually rich, interactive environment that enables the business user to filter, sort, or reorganize the information to meet his or her specific analysis needs. The product highlights instances where access rights violate policy, such as segregation of duties violations or access to sensitive data that is not part of the individual's business role. It provides the manager with a range of actions, including approval and attestation, direct remediation, integration with a provisioning engine, initiating a help desk trouble ticket, or sending an email notification to a designated authority.

Unlike competing products that simply present user access rights data without the ability to take direct remedial action, Courion delivers the information managers require to effectively evaluate the level of risk to the organization, and take direct remedial action, where appropriate, to mitigate that risk.

Courion’s access certification solution enables a business manager to review a user’s access rights to any enterprise platform or application and directly change, disable or delete inappropriate rights and entitlements, without requiring the deployment of a provisioning platform. Alternatively, if an organization already has a provisioning solution in place, ComplianceCourier can leverage that investment.

Topics Addressed Include:

Access certification, compliance management, risk management, sensitive data management, user activity management
