Everything in the modern age is regulated by something else. Federal governments regulate local governments, and those regulations often get passed on to organizations in order to dictate the security and safety with which they operate. Additionally, some organizations are regulated by the needs and expectations of their own customer-base.
Gone are the days where only a King, or a Queen, or possibly a local Lord could impose stringent rules and regulations on the goings on of your daily life. Today – compliance is a necessity and offers an entirely new level of security and peace of mind for businesses and individuals alike.
Various corporate vectors rely on strict compliance adherence for customer relations, as well as corporate policy and procedure. Requiring and implementing a compliance policy of this sort is one matter, while enforcing it is another issue on its own.
Depending on the particular organization, Active Directory may provide the capability to better enforce local, internal compliance. Making use of the previously mentioned auditing and authentication features available out-of-the-box in Active Directory is one method of accomplishing this without having to reach out to third-party providers.
Where confidentiality or access control is required by such relationships, Active Directory has the capability to address these concerns securely, while assuring end-user compliance as a matter of course. It is for this reason that Active Directory is also a top choice as a user repository in situations where adherence to governmental regulations and compliance is concerned.
Compliance with governmental regulations has not only been a hot issue for corporate management, but a major concern of IT departments as well. These regulations mandate that organizations protect and secure access to sensitive financial data as well as customer and patient information, which dramatically impacts the IT infrastructure and the overall business processes.
In the past decade, several laws have been passed that have forced organizations to establish corporate compliance policies. The three most significant laws are the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLB). [xv]
As organizations coordinate their response to the recent governmental regulations and begin implementing the necessary changes, there are many IT solutions that should be considered. However, password management is one of the most instrumental factors in maintaining secure access control for protected information. Thus, password management should be a significant portion of any organization's compliance strategy.
There is a significant overlap in the requirements raised by the main corporate governance and privacy regulations, as outlined below. Common requirements that are satisfied by password management capabilities are:
1. Strong and reliable authentication
2. Strict control over end-user access to systems and data, including timely removal of access after an employee departure.
3. Thorough audit trails and reporting on end-user access to specific systems and data.
A relatively recent addition to the realm of compliance is the Payment Card Industry Data Security Standard – the PCI DSS. [xvi] Initially looked at as a compliance requirement purely for retail and online shopping, the PCI DSS is, for a variety of reasons, a major concern for any organization or business that handles credit card transactions.
The PCI DSS exists primarily to ensure that the technology within a given environment is sufficient to protect customers from data and identity theft, as well as to ensure the security and credibility of the business and the payment card industry.
In terms of authentication and identity management, the biggest concern within the PCI DSS is Requirement 8: Identify and Authenticate Access to System Components. [xvii] This particular requirement has 8 major portions, and each of those sections has additional sub-requirements to adhere to. Implementing a proper authentication management solution alongside Active Directory enables an organization to adhere to these requirements naturally and with minimal effort.
Active Directory-anchored password management solutions support the various system access management and data protection requirements of SOX, HIPAA, GLB, and PCI. The following are compliance-related capabilities that can be achieved through Active Directory integration:
1. Facilitating and enforcing the use of stronger password policies that must be changed regularly.
2. Ensuring employees only have access to systems and information required for their specific jobs.
3. Guaranteeing accounts are disabled and access is completely revoked when employees leave the company.
4. Automating password reset processes to eliminate human error.
5. Ensuring complete, accurate audit trails and reports on all account changes and login attempts.
6. Confirming unified password policies via accurate password synchronization.
7. Enabling additional factors for strong and secure authentication.
8. Protecting sensitive corporate and customer data through encryption.
An additional method of meeting the challenges of compliance is to obtain and maintain an adequate method of internal auditing. Beginning with Windows Server 2008, Active Directory supports more advanced auditing capabilities – a major factor in achieving many compliance goals today. [xviii] The most important feature of these updated auditing capabilities is the detail with which changes are logged: if an object attribute within AD is changed, both the previous and new values of that attribute can be viewed, alongside the details of who made the change and when.
These features enable various roads to achieving compliance by creating audit trails directly within the infrastructure. During a compliance audit, these logs can be viewed and analyzed as needed in order to track changes over the lifetime of an object (such as a user, a password, etc.).
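The change record just described, as an added example that is not part of the original paper: Windows writes each Directory Service Changes modification to the Security log as event 5136 with one attribute value per record, and the script below pairs the Value Deleted and Value Added records of one write into a before/after entry with who and when. The EventData field names and the OperationType tokens (%%14674 for Value Added, %%14675 for Value Deleted) follow the 5136 schema as the author of this example understands it, and the sample events are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Event 5136 carries one attribute value per record; OperationType tokens (assumed, see lead-in):
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event(xml_text):
    """Pull the who / what / when fields out of one exported Security event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {"event_id": int(system.find("e:EventID", NS).text),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "who": f"{data['SubjectDomainName']}\\{data['SubjectUserName']}",
            "object": data["ObjectDN"], "attribute": data["AttributeLDAPDisplayName"],
            "value": data["AttributeValue"], "op": data["OperationType"], "corr": data["OpCorrelationID"]}

def reconstruct_changes(events):
    """Pair Value Deleted / Value Added records sharing an OpCorrelationID; add-only writes keep old=None."""
    groups = defaultdict(lambda: {"old": None, "new": None})
    for ev in events:
        if ev["event_id"] != 5136:  # 5137/5139/5141 (create/move/delete) are out of scope here
            continue
        g = groups[(ev["corr"], ev["object"], ev["attribute"])]
        g.update(time=ev["time"], who=ev["who"], object=ev["object"], attribute=ev["attribute"])
        side = {VALUE_DELETED: "old", VALUE_ADDED: "new"}.get(ev["op"])
        if side:
            g[side] = ev["value"]
    return sorted(groups.values(), key=lambda g: g["time"])

def _event(corr, time, dn, attr, op, value):  # constructed sample in exported-XML shape
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5136</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>'
            f'<Data Name="OpCorrelationID">{corr}</Data><Data Name="SubjectUserName">jdoe</Data>'
            f'<Data Name="SubjectDomainName">CORP</Data><Data Name="ObjectDN">{dn}</Data>'
            f'<Data Name="AttributeLDAPDisplayName">{attr}</Data><Data Name="AttributeValue">{value}</Data>'
            f'<Data Name="OperationType">{op}</Data></EventData></Event>')

USER = "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example"
GROUP = "CN=Finance-Admins,OU=Groups,DC=corp,DC=example"
SAMPLE_EVENTS = [  # constructed: account disabled (userAccountControl 512 -> 514), then added to a group
    _event("{op-1}", "2024-03-01T09:15:02Z", USER, "userAccountControl", VALUE_DELETED, "512"),
    _event("{op-1}", "2024-03-01T09:15:02Z", USER, "userAccountControl", VALUE_ADDED, "514"),
    _event("{op-2}", "2024-03-01T09:20:44Z", GROUP, "member", VALUE_ADDED, USER),
]
if __name__ == "__main__":
    for c in reconstruct_changes(parse_event(x) for x in SAMPLE_EVENTS):
        print(f"{c['time']} {c['who']} {c['object']} {c['attribute']}: {c['old']!r} -> {c['new']!r}")
```

These events are only written when the Directory Service Changes audit subcategory is enabled and the audited objects (or their OU) carry a matching SACL entry; turning on the policy alone records nothing.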
Active Directory auditing tools are not only beneficial for maintaining corporate and/or governmental compliance – appropriate use of auditing can assist with protecting an organization from potential data loss, theft, or even an attack. Tracking and monitoring adjustments made to various objects provides an early alert to suspicious activity on the network so that the appropriate measures can be taken to rectify the situation.
There is an entire host of benefits to Active Directory and appropriate auditing – we have only begun to scratch the surface!