Managing Audit and Compliance with IAM
Identity and access management (IAM) combines business processes, policies and technologies for defining, managing, monitoring and controlling access to IT systems, resources and information by internal and external users.
IAM solutions benefit the virtual enterprise by:
- Improving IT security and risk management
- Helping to ensure regulatory compliance
- Reducing the cost of administration and day-to-day operations
- Improving processes and service-level agreements
- Enhancing business agility and profitability
The Cornerstones of IAM
IAM solutions provide four distinct functions for managing users and their access rights: administration, authentication, authorization, and audit.
Administration is the process of managing digital identities and their entitlements to systems, applications and resources in the heterogeneous IT environment, based on user roles and business rules, and of monitoring entitlement assignments for compliance with regulatory requirements and business policies. Identity and entitlement administration is provided by the identity management component of an IAM solution, which gives the virtual enterprise an enterprise-wide, cross-platform, centralized and automated user management and provisioning system.
Authentication is the process of identifying users and verifying their digital identities. It includes identity federation, which is the set of trust agreements, policies and processes that enable the authentication of identities across enterprise boundaries to build virtual business communities among autonomous organizations.
Authorization is the process of determining whether a user is allowed to access a particular resource. Authentication and authorization comprise the access management component of an IAM solution, providing real-time enforcement of security policies across the IT infrastructure.
Audit is the process of producing, collecting, cleansing, and correlating data about administration, authentication and authorization events and then transforming this data into actionable intelligence with respect to compliance regulations, business security policies and corporate risk management objectives. Audit in an IAM solution is called identity audit and provides the means to analyze and report on IAM functioning and deliver the information necessary to support IAM governance.
Identity audit includes the processes that:
- Automatically log the activities associated with identity administration and real-time enforcement of access rights, providing in the generated audit trail a chronological sequence of evidence (called audit messages) pertaining to and resulting from these operations
- Collect, cleanse, correlate and store the audit trail generated by the IAM activities
- Generate current status about the IAM infrastructure - for example, the access rights a user has today
- Provide for historical analysis of the IAM infrastructure - for example, a snapshot of the access rights a user had last month
The Challenges of Identity Audit
Identity audit is typically a cross-component solution:
- IAM components automatically produce detailed audit trails of their activities that can be used to demonstrate accountability, while an external audit facility aggregates the audit trails, stores them securely in a central location, and provides the functions for correlating and analyzing the audit trails and reporting on the results to demonstrate control of business processes on user access and entitlements as required by applicable regulations.
- IAM components also provide the functions for generating reports on current status and history on the information in their repositories - for example, the identity store in an identity management component - either automatically or on demand. This information can be brought into the external audit facility for correlation and analysis.
The audit trails and historical data produced by IAM components can help to answer the key questions that auditors ask for proving compliance to IAM controls:
- Audit trails produced by identity management components comprise information about activities on identities, roles, and rules. Analysis of these records can provide information about who requested and approved access rights at what time, who certified the access under which conditions, or which policy permitted the access.
- Audit trails produced by access management components can provide information about
  - who tried to authenticate to which applications and
  - who requested access to which resources at what time and
  - whether or not the authentication and/or authorization was successful.
- Historical data produced by identity management components can provide information about changes to identity and identity-related data over time, allowing for historical review of identities and point-in-time comparisons to demonstrate progressive compliance to governance processes, gain insight into identity and policy status or determine why an access request was permitted.
Identity and access management tools can generate high-quality audit trails. However, reconciling the desired business controls for IAM with the real data provided in the audit trails is not an easy task:
- Different applications and components within those applications use different encoding formats, so audit trail format is different from trail to trail, and the data formats used are not always easy to interpret.
- Users are hard to identify across different audit trails, since the same user can have different IDs depending on the application, and the ID used within the application can change over time.
- Activities in different applications can occur in parallel, so finding the triggering event is often difficult. It is hard to extract a sequential chain of activities of one user among different applications.
- The raw intelligence data provided in the IAM audit trails is not aligned with larger business objectives and corporate regulations, and can take weeks, months or even years to analyze. Auditors need fast and easy access to audit data that can be aggregated and viewed according to key performance indicators (KPIs) for identity audit.
The sheer number and types of regulations also pose a challenge:
- Many different regulations exist today, and new ones are mandated all the time, requiring continuous revision of IAM controls.
- The policy for what is audited depends on the particular regulation, the enterprise business model in force, and the application creating the audit trail, making it difficult to establish consistent, end-to-end audit policies.
- Different regulations require different methods of analysis and reporting, and each regulation has its own criteria for analysis and reporting.
To address these challenges, an audit facility in an IAM solution needs to provide several features:
- A central, secure audit database that stores the audit trails from all administration, authentication and authorization activities. Using a central repository allows the auditor to analyze the actions of a user throughout the enterprise IT infrastructure instead of on a per-application basis, making security breaches easier to discover and reducing the labor required to report on IAM activities.
- Support for multiple tenants, so that each tenant's data, especially its events and history entries, is kept completely separate from that of other tenants.
- Functions for collecting and normalizing audit data from identity management, access management and other applications to provide a consistent view of audit trails and the sequence of audit messages that comprise them across the heterogeneous IT environment.
- A presentation interface that can aggregate the collected and normalized audit data according to different identity audit-related KPIs and then display the resulting data in a graphic format that auditors can easily view and interpret, allowing them to drill down to details about audited events as necessary.
- A reporting interface that is simple to adjust to evolving regulations and which can be tailored to special customer requirements.
- Fine-grained access control for audit trails and also for specific information within audit trails, to comply with data security and privacy policies mandated by many government, health and financial regulations.
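The challenges listed above (heterogeneous trail formats, one user with different IDs per application, and the difficulty of extracting one user's chronological chain of activity) and the normalization, tenant separation and KPI aggregation features just described can be illustrated with a small normalizer. The following is an added example written for this page; it is not DirX Audit code and does not use any DirX format. The three trail formats (a JSON line from an identity management producer, a key=value line from an access management producer, and a CEF-style line from a target application), the sample events, the tenant names and the identity reconciliation table are all constructed for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit trail lines from three hypothetical producers, each in
# its own format. (producer, raw line)
RAW_EVENTS = [
    ("idm", '{"ts": "2024-03-01T08:00:00Z", "actor": "admin7", "action": "role.assign", '
            '"subject": "jdoe", "role": "Treasury-Approver", "tenant": "acme"}'),
    ("am", "time=2024-03-01T08:05:12Z tenant=acme user=j.doe@acme.example app=payments "
           "event=authn outcome=failure"),
    ("am", "time=2024-03-01T08:05:40Z tenant=acme user=j.doe@acme.example app=payments "
           "event=authn outcome=success"),
    ("app", "CEF:0|PayApp|Payments|1.0|100|authz|3|rt=2024-03-01T08:06:02Z suser=U12345 "
            "cs1=approve-payment outcome=success cs2=acme"),
    # Same local ID "jdoe" in a different tenant: must NOT be merged with the acme user.
    ("am", "time=2024-03-01T08:07:00Z tenant=beta user=jdoe app=hr event=authn outcome=failure"),
]

# Constructed reconciliation table: (tenant, producer, application-specific ID) -> canonical identity.
ID_MAP = {
    ("acme", "idm", "jdoe"): "emp-0042",
    ("acme", "am", "j.doe@acme.example"): "emp-0042",
    ("acme", "app", "U12345"): "emp-0042",
    ("beta", "am", "jdoe"): "emp-9001",
}


def parse_idm(line):
    """JSON record from the (hypothetical) identity management producer."""
    d = json.loads(line)
    return {"ts": d["ts"], "tenant": d["tenant"], "local_id": d["subject"], "actor": d["actor"],
            "event": d["action"], "target": d["role"], "outcome": "success"}


def parse_am(line):
    """Space-separated key=value record from the (hypothetical) access management producer."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {"ts": kv["time"], "tenant": kv["tenant"], "local_id": kv["user"], "actor": kv["user"],
            "event": kv["event"], "target": kv["app"], "outcome": kv["outcome"]}


def parse_cef(line):
    """CEF-style record: 7 pipe-separated header fields, then a key=value extension."""
    parts = line.split("|", 7)
    ext = dict(re.findall(r"(\w+)=(\S+)", parts[7]))
    return {"ts": ext["rt"], "tenant": ext["cs2"], "local_id": ext["suser"], "actor": ext["suser"],
            "event": parts[5], "target": ext["cs1"], "outcome": ext["outcome"]}


PARSERS = {"idm": parse_idm, "am": parse_am, "app": parse_cef}


def normalize(raw_events, id_map):
    """Parse every trail into one common schema, resolve the canonical identity
    (scoped by tenant so equal local IDs in different tenants stay apart), and
    order all events chronologically across producers."""
    events = []
    for producer, line in raw_events:
        e = PARSERS[producer](line)
        e["producer"] = producer
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        key = (e["tenant"], producer, e["local_id"])
        # Unresolved IDs are kept visible rather than silently dropped: they are
        # themselves a finding for the reconciliation table.
        e["identity"] = id_map.get(key, "UNRESOLVED:" + e["local_id"])
        events.append(e)
    return sorted(events, key=lambda ev: ev["ts"])


def activity_chain(events, tenant, identity):
    """Sequential chain of one user's activity across all producers, within one tenant."""
    return [(e["ts"].isoformat(), e["producer"], e["event"], e["target"], e["outcome"])
            for e in events if e["tenant"] == tenant and e["identity"] == identity]


def kpi_failed_authn(events):
    """Example KPI: failed authentications per (tenant, identity)."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "authn" and e["outcome"] == "failure":
            counts[(e["tenant"], e["identity"])] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = normalize(RAW_EVENTS, ID_MAP)
    for step in activity_chain(evs, "acme", "emp-0042"):
        print(step)
    print(kpi_failed_authn(evs))
```

The chain for the acme user reads, in order: the role assignment logged by the identity producer, a failed and then a successful authentication at the access producer, and the application's own authorization record, even though each producer named the user differently. The beta tenant's "jdoe" resolves to a different identity and never appears in that chain.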
What is DirX Audit?
DirX Audit is the audit facility offered with the DirX suite for identity and access management solutions. DirX Audit provides a platform for the central collection, normalization, storage, and analysis of audit trails from different IAM audit producers, for centralized, persistent storage of historical identity-related information and a Web-based user interface that facilitates the correlation, analysis and reporting of audit and historical data by auditors, administrators, and security compliance officers. DirX Audit helps to provide the answers to the questions of "who did what, where, when and why" that are so critical to achieving and maintaining compliance, and provides the means to aggregate the vast amount of collected audit data into intuitive and actionable intelligence for input to corporate decision-making and continuous process improvement.
DirX Audit is tightly integrated with the other identity and access management products in the DirX suite. These products include:
- DirX Identity, for managing who has access to what. DirX Identity provides a comprehensive, process-driven, customizable, cloud-ready, scalable and highly-available identity management solution for enterprises and organizations. It delivers overall identity and access governance functionality seamlessly integrated with automated provisioning. Features include life-cycle management for users and roles, cross-platform and rule-based provisioning in real-time, Web-based user self-service and delegated administration, request workflows, access certification, password management, metadirectory and auditing and reporting.
- DirX Directory, for consolidating the storage of digital identities. DirX Directory provides a standards-compliant, high-performance, highly available, highly reliable and secure LDAP and X.500 directory server and LDAP proxy. DirX Directory can act as the identity store for employees, customers, trading partners, subscribers, and other IoT entities. It can also serve as a provisioning, access management and metadirectory repository, to provide a single point of access to the information within disparate and heterogeneous directories available in an enterprise network or cloud environment for user management and provisioning.
- DirX Access, for controlling who does what. DirX Access is a comprehensive, cloud-ready, scalable, and highly available access management and SSO solution providing policy- and risk-based (context-aware) authentication, including FIDO, dynamic authorization based on XACML, and federation for Web applications and services. DirX Access delivers single sign-on (SSO), versatile authentication, including risk-based authentication (also called adaptive authentication), identity federation (based on SAML, OAuth and OpenID Connect), just-in-time provisioning, entitlement management, and policy enforcement for applications and services in the cloud, in IoT environments, and on premise.
The DirX suite offers a proactive approach to ensuring continuous, sustainable compliance in the virtual enterprise: functions for establishing administrative, authentication and authorization controls are provided in DirX Identity, allowing organizations to establish preventive controls for compliance objectives. For example:
- Metadirectory services allow identities and their access rights to be centrally managed, providing greater transparency into identity management activities and tighter administrative control with fewer administrators.
- Automated role- and policy-based user provisioning ensures that corporate security policies are consistently enforced across all points in the corporate IT infrastructure, avoiding error-prone, ad hoc application of access rights by many different IT administrators working in different parts of the enterprise.
- Approval and re-approval workflows automate the application of corporate authorization policies, ensuring that they are applied consistently rather than on a case-by-case basis, and immediately, rather than as a result of reviewing an audit report. High-risk IAM activities like the assignment of security-sensitive roles can require a client digital signature, providing evidence of the transaction and who authorized it.
- Automated, real-time user de-provisioning ensures that access rights of terminated employees and contractors are immediately and accurately revoked on all affected IT systems.
- Automated reconciliation services can detect suspicious accounts and access rights on corporate IT systems and then eliminate them automatically or report them to the appropriate administrator for handling.
- Segregation of duties (SoD) policies define user-role assignments that violate corporate security policies or create unacceptable risks, and SoD policy enforcement by user provisioning services notifies of any violations that occur for immediate remediation.
- Access certification campaigns allow for periodically checking security-critical user entitlement assignments to ensure that they continue to comply with enterprise business policies and current employee responsibilities.
- Status reporting facilities provide information about the current state of identity management data, for example, which users have which roles, which roles are unused, and which users have been given delegated administrative tasks.
- Audit policies define what is audited, and pre-configured audit policies and reports help to jump-start regulatory compliance efforts.
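Two of the preventive controls in the list above, reconciliation of target-system accounts against the authoritative identity store and segregation-of-duties (SoD) policy enforcement, reduce to set comparisons that are easy to show in code. The block below is an added example written for this page, not DirX Identity code; the identity store, the target-system account list, the toxic role pairs and the identity and role names are all constructed, and the policy representation (pairs of conflicting roles with a reason) is a simplification chosen for the example.

```python
# Constructed authoritative identity store: canonical identity -> roles currently held.
IDENTITY_STORE = {
    "emp-0042": {"Payments-Clerk", "Treasury-Approver"},   # holds a toxic combination
    "emp-0107": {"Payments-Clerk"},
    "emp-0300": {"Auditor"},
}

# Constructed SoD policy: pairs of roles one identity must never hold together.
SOD_POLICY = [
    ("Payments-Clerk", "Treasury-Approver", "initiates and approves the same payments"),
    ("Auditor", "Payments-Clerk", "audits own transactions"),
]

# Constructed accounts discovered on a target system during reconciliation.
# "owner" is the canonical identity the account is linked to, or None if unlinked.
TARGET_ACCOUNTS = [
    {"account": "jdoe", "owner": "emp-0042", "status": "active"},
    {"account": "svc_backup", "owner": None, "status": "active"},        # no owner at all
    {"account": "old_contractor", "owner": "emp-0999", "status": "active"},  # owner no longer exists
    {"account": "mmueller", "owner": "emp-0107", "status": "disabled"},
]


def find_sod_violations(identity_store, policy):
    """Detective control: report every identity holding both roles of a toxic pair."""
    violations = []
    for identity, roles in identity_store.items():
        for role_a, role_b, reason in policy:
            if role_a in roles and role_b in roles:
                violations.append((identity, role_a, role_b, reason))
    return violations


def check_assignment(identity_store, policy, identity, new_role):
    """Preventive control: evaluate a proposed role assignment BEFORE provisioning it.
    Returns the list of conflicts the assignment would create (empty means allowed)."""
    held = identity_store.get(identity, set())
    conflicts = []
    for role_a, role_b, reason in policy:
        if new_role == role_a and role_b in held:
            conflicts.append((role_b, reason))
        elif new_role == role_b and role_a in held:
            conflicts.append((role_a, reason))
    return conflicts


def find_suspicious_accounts(target_accounts, identity_store):
    """Reconciliation: active target-system accounts that cannot be traced to a
    living identity in the authoritative store. Each finding carries a reason so
    it can be routed to an administrator or to automatic removal."""
    findings = []
    for acct in target_accounts:
        if acct["status"] != "active":
            continue
        if acct["owner"] is None:
            findings.append((acct["account"], "no owning identity"))
        elif acct["owner"] not in identity_store:
            findings.append((acct["account"], "owner %s not in identity store" % acct["owner"]))
    return findings


if __name__ == "__main__":
    print("SoD violations:", find_sod_violations(IDENTITY_STORE, SOD_POLICY))
    print("Would 'Auditor' for emp-0107 be allowed?",
          check_assignment(IDENTITY_STORE, SOD_POLICY, "emp-0107", "Auditor"))
    print("Suspicious accounts:", find_suspicious_accounts(TARGET_ACCOUNTS, IDENTITY_STORE))
```

`check_assignment` is the preventive side (the provisioning service refuses or escalates a request that would create a conflict), while `find_sod_violations` and `find_suspicious_accounts` are the detective side that a periodic run or an audit facility would report for remediation.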
DirX Audit, in turn, provides so-called "detective controls": it provides the features to discover and analyze compliance gaps or high-risk users for follow-up remediation in DirX Identity or DirX Access.
The DirX suite provides the authentication and authorization functionality necessary for the real-time enforcement of the security policies in the enterprise and the identity auditing capabilities required for monitoring and enforcing regulatory compliance.