Compliant Provisioning Systems Help Companies Identify Access Risks
Source: Deloitte Development LLC
Compliant provisioning can help companies identify potential security and compliance risks before granting employees access to corporate systems.
Responding to requests for access to specialized systems, such as accounting, electronic medical records, or financial trading platforms, is becoming harder for many IT organizations. The specific challenge: understanding and mitigating the risks that granting a user access to a given system creates.
Each time an IT organization issues a user a login, the resulting access creates risk: data loss, theft, or misuse, a security breach, or abuse of corporate resources. For example, if an accounts receivable clerk moves into an accounts payable position but the individual’s access to the accounts receivable system isn’t revoked, that person could theoretically create fraudulent invoices and authorize payment for them, according to Brian Taylor, a senior manager in Deloitte & Touche LLP’s Security & Privacy practice.
Access also presents compliance-related risks. “Increased regulatory mandates combined with corporate risk management policies impose a growing burden on IT and business managers to determine the appropriate level of access for individuals,” says Taylor.
Rick Siebenaler, a principal in Deloitte & Touche LLP’s Security & Privacy practice, says several laws, including Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, and the European Union’s data protection laws, require organizations to limit who may access certain systems. Regulated organizations that fail to manage these permissions increase their exposure to government fines and scrutiny.
Many IT leaders are aware of the security and compliance problems that can result from provisioning access. That may explain why 69 percent of executives surveyed by Forrester Research Inc. during the second quarter of 2012 said that regulatory compliance was a high or critical security priority for the next 12 months. In the same survey, 64 percent of executives ranked identity and access management as a high or critical security priority over the same period.¹
Meanwhile, IT leaders surveyed by identity and access management (IAM) companies appear hard-pressed to get their arms around specific IAM challenges. For example, more than half of the IT managers surveyed by Courion Corp., a provider of access risk management systems, say they want up-to-date information about user access and the risks it carries but lack visibility into that data: either they can’t compile it from their existing IAM systems, or they have to produce it manually, according to the survey.² In its “2012 Market Pulse Survey” of IT leaders, IAM vendor SailPoint Technologies Inc. found that 42 percent of respondents could not provide a complete record of users’ access privileges within one day if asked. Half are not confident in their ability to grant or revoke access to applications when employees join or leave their companies.³
Taylor says the automated identity management systems many companies use to track user access typically don’t identify risks at all. When they do, they identify them in a “coarse-grained manner” or in language a business user wouldn’t understand, he adds.
“Consequently, many IT departments don’t realize they have a problem until audit findings reveal employees have access to systems they shouldn’t,” says Taylor. “This is a fairly widespread issue in many companies.”
As a result, many of Taylor’s and Siebenaler’s clients are seeking solutions that can detect access management risks and compliance issues before they arise.
Compliant provisioning solutions offer IT administrators an integrated picture of the access an employee will have—and the potential risks it may introduce—before a permissions request is granted, according to Taylor.
He notes that companies may be able to combine their existing identity and access management systems with the governance, risk, and compliance (GRC) module of their ERP systems to create a compliant provisioning solution. GRC modules contain predefined rules that evaluate the risks an access change may introduce: they look at the specific actions a user would be authorized to take in a system and assign a risk score to those actions. If a risk score exceeds a set threshold, the module can notify an administrator to mitigate the risk by revoking the conflicting access, granting the access only for a defined period, or assigning a compensating control, such as a periodic review of the actions performed with that privilege. GRC modules also include reporting that helps administrators assess the overall risk posture of their systems.
Going back to the earlier example of the accounts receivable clerk, a compliant provisioning solution would evaluate the access the clerk would hold after the change, not just the access being requested, and flag the fraud risk of retaining accounts receivable access while gaining accounts payable access before the request is granted, so the old access can be revoked first.
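The following is an added example, not code from Deloitte or from any ERP vendor’s GRC module, showing the mechanism the two paragraphs above describe: a request is scored against segregation-of-duties rules on the access the user would hold after the grant, compared with a threshold, and escalated with a revocation hint. All role names, action names, rule IDs, scores and the threshold are constructed for illustration.

```python
"""Toy compliant-provisioning check: score an access request against
segregation-of-duties (SoD) rules BEFORE the grant is made.
Roles, actions, rules, scores and the threshold are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    side_a: frozenset   # fine-grained actions on one side of the conflict
    side_b: frozenset   # actions on the other side
    score: int          # risk points added when a user holds both sides


# Role -> concrete actions the role authorizes (constructed sample data).
ROLE_ACTIONS = {
    "AR_CLERK":    {"ar.create_invoice", "ar.post_receipt"},
    "AP_CLERK":    {"ap.enter_invoice"},
    "AP_APPROVER": {"ap.approve_payment"},
    "HR_VIEWER":   {"hr.view_employee"},
}

# Constructed rules in the style of a GRC module's "predefined rules".
SOD_RULES = [
    SodRule("SOD-001", "Enter a vendor invoice and approve payment for it",
            frozenset({"ap.enter_invoice"}), frozenset({"ap.approve_payment"}), 80),
    SodRule("SOD-002", "Hold receivables entry together with payables entry",
            frozenset({"ar.create_invoice", "ar.post_receipt"}),
            frozenset({"ap.enter_invoice"}), 60),
]

RISK_THRESHOLD = 50   # score at or above which an administrator must act


def effective_actions(roles):
    """Expand a set of roles into the concrete actions they authorize."""
    actions = set()
    for role in roles:
        actions |= ROLE_ACTIONS.get(role, set())
    return actions


def score_roles(roles, rules=SOD_RULES):
    """Return (total risk score, violated rules) for a set of roles.

    A rule fires only when the user holds at least one action on each side;
    scores of all fired rules are summed."""
    actions = effective_actions(roles)
    hits = [r for r in rules if actions & r.side_a and actions & r.side_b]
    return sum(r.score for r in hits), hits


def evaluate_request(current_roles, requested_roles, rules=SOD_RULES,
                     threshold=RISK_THRESHOLD):
    """Evaluate the access the user WOULD hold after the grant.

    Scoring the union of current and requested roles, rather than the request
    in isolation, is what catches the AR clerk who keeps AR access while
    gaining AP access."""
    current = set(current_roles)
    future = current | set(requested_roles)
    score, hits = score_roles(future, rules)
    decision = "approve" if score < threshold else "escalate"

    # Mitigation hint: which single existing role, if revoked together with
    # the grant, would bring the score back under the threshold?
    revoke_candidates = sorted(
        role for role in current
        if score_roles(future - {role}, rules)[0] < threshold
    )
    return {
        "decision": decision,
        "score": score,
        "violations": [r.rule_id for r in hits],
        "revoke_candidates": revoke_candidates,
    }


if __name__ == "__main__":
    # The article's scenario: AR clerk moves to AP, AR access not yet revoked.
    print(evaluate_request({"AR_CLERK"}, {"AP_CLERK"}))
```

Two design points carry over to a real deployment: the check must run on effective access (existing plus requested entitlements, expanded down to the actions they authorize), and the output should name a concrete mitigation an administrator can act on, here the existing role whose revocation clears the conflict, rather than only a score.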
“Compliance systems offer better controls than traditional identity management systems,” says Taylor. “They understand what users are asking to do and the risks those activities will create because they evaluate the specific actions a user will be able to take in a given system based on the permissions requested.”
Taylor adds that companies may find determining the risks they’re trying to detect and mitigate more difficult than integrating their identity management system with the GRC module of their ERP system. To make risk identification easier, major ERP vendors build common risks and rules into their GRC modules, he notes.
“The more efficiently an organization can identify potential security and compliance risks associated with user access, the quicker it can introduce controls to mitigate or prevent risks,” says Siebenaler. “The result is a streamlined access management process and increased confidence in compliance.”