Today auditing is a reality, required by every public company. Audits have become so important that they command board-level attention. The advantage of using an identity and access management tool is that it provides the ability to log, control, audit and report on which users have access to what information assets.
Regulatory and compliance issues are among the main drivers behind identity and access management tools. Organizations require the ability to demonstrate that account administration and access controls are performing according to policy. A good tool should serve as the cornerstone of an organization's governance, risk and overall compliance strategy. Some of the finer points a solution should deliver are: always knowing who is accessing what, when they are doing it and if they are authorized, automatic provisioning of accounts, and integration with enterprise applications, to name a few.
An auditor is interested in "seeing" proof of compliance. Most of these tools create an audit trail that auditors should accept for a general controls audit and as proof of compliance. A basic identity and access management tool should help organizations meet most of the requirements that regulations like HIPAA and PCI DSS impose on them.
Lora Bentley, governance and risk blogger for IT Business Edge, made a very interesting post bringing to light that HIPAA may have a new enforcement mechanism because of the HITECH Act signed into law in February as part of the American Recovery and Reinvestment Act. The new law gives government officials more power when enforcing HIPAA policy, especially when dealing with companies that do business in multiple states. An identity and access management tool would be the perfect solution for this kind of company, creating a common reporting framework.
The major problem that I see is that there are no comprehensive identity and access management tools. Now, some people would argue that best of breed is better. I will tell you that from an auditing perspective, a tool that outputs in one standard format or report is more desirable. Unfortunately, auditors will have to deal with a federated solution for now. In my next post on identity and access management, I will explore best of breed tools versus more comprehensive tools.