
Identity and Access Control — Demonstrating Compliance

Chapter in: ISSE 2006 — Securing Electronic Business Processes

Abstract

Identity and particularly access control present various challenges, especially for larger organisations. The combined complexity of users from various communities accessing multiple systems and applications in the context of business processes can be significant. The US NIST proposed the Role-Based Access Control model in order to manage authorisations effectively and efficiently. While this model certainly has its drawbacks, it gave rise to various interesting software solutions. One particularly relevant one is the Sage tool. This tool builds a model of the actual authorisations across platforms by consolidating and enriching them in its own database. Subsequently, the built-in pattern-matching engine can identify a number of less desirable patterns in the data and can recommend solutions, e.g., for role structuring (role-mining). Furthermore, business constraints can be expressed in so-called business process rules, which can, e.g., reflect segregation of duty requirements.

In the pilot project described here as a case study, we combined both role-mining and compliance verification. The case study organisation is subject to both national competition regulation and the US Sarbanes-Oxley act. It employs approximately 25,000 employees. Analysing existing access controls through a unified approach and applying compliance rules to them has proven to be a quick and reliable way for them to demonstrate compliance (or to identify actions where compliance was not yet achieved). The fact that the control library is available both at the level of principles and at the level of specific business process rules makes the approach transparent, repeatable and affordable. Furthermore, a number of observations were made that made it possible to remove undesired authorisations through data cleaning. As a result of the pilot project, the client decided to implement BPR-based compliance verification for all applications that are subject to Sarbanes-Oxley.
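The abstract describes three steps: consolidating per-platform authorisations into one model, matching business process rules such as segregation of duty (SoD) against that model, and mining candidate roles from the result. The following is an added illustration of that pipeline; it is not code from the Sage tool or from the chapter's authors. The entitlement exports, the two SoD rules and the user names are constructed sample data, and the role-mining step is a deliberately naive exact-match grouping rather than the SE-tree method the chapter's references point to.

```python
"""Consolidate cross-platform entitlements, check SoD rules, mine candidate roles.

Added example (not the chapter's or Sage's code). All data below is constructed.
"""
from collections import defaultdict

# Constructed per-platform exports: platform -> list of (user, entitlement).
# In practice these would be pulled from the ERP, HR system, directory, etc.
SOURCES = {
    "erp": [
        ("alice", "create_vendor"), ("alice", "approve_payment"),
        ("bob", "create_vendor"), ("carol", "approve_payment"),
        ("dave", "post_journal"), ("erin", "post_journal"),
        ("frank", "post_journal"),
    ],
    "hr": [
        ("alice", "view_payroll"), ("bob", "edit_payroll"),
        ("carol", "view_payroll"), ("dave", "approve_journal"),
        ("erin", "view_payroll"), ("frank", "view_payroll"),
    ],
}

# Constructed business process rules: a set of qualified entitlements that no
# single identity may hold together, plus a human-readable description.
# The second rule spans two platforms, which is why consolidation matters.
SOD_RULES = [
    ({"erp:create_vendor", "erp:approve_payment"},
     "vendor creation vs. payment approval"),
    ({"erp:post_journal", "hr:approve_journal"},
     "journal posting vs. journal approval (cross-platform)"),
]


def consolidate(sources):
    """Build the unified model: user -> frozenset of 'platform:entitlement'."""
    model = defaultdict(set)
    for platform, rows in sources.items():
        for user, entitlement in rows:
            model[user].add(f"{platform}:{entitlement}")
    return {user: frozenset(ents) for user, ents in model.items()}


def sod_violations(model, rules):
    """Return (user, description) for each rule whose whole conflict set a user holds."""
    findings = []
    for user, ents in sorted(model.items()):
        for conflict, description in rules:
            if conflict <= ents:  # user holds every entitlement in the conflict set
                findings.append((user, description))
    return findings


def mine_roles(model, min_users=2):
    """Naive role mining: identical entitlement sets held by >= min_users identities
    become candidate roles. Returns entitlement set -> sorted list of users."""
    groups = defaultdict(list)
    for user, ents in model.items():
        groups[ents].append(user)
    return {ents: sorted(users) for ents, users in groups.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    model = consolidate(SOURCES)
    for user, description in sod_violations(model, SOD_RULES):
        print(f"SoD violation: {user}: {description}")
    for ents, users in mine_roles(model).items():
        print(f"candidate role {sorted(ents)} shared by {users}")
```

Running the script reports alice (both sides of the vendor/payment rule on the ERP) and dave (posting on the ERP, approving on the HR side) as SoD violations, and proposes one candidate role for erin and frank. Rules are data, not code, so the same engine can be driven from a library of rules written at the level of specific business processes, as the chapter describes.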




Copyright information

© 2006 Friedr. Vieweg & Sohn Verlag | GWV-Fachverlage GmbH, Wiesbaden

About this chapter

Cite this chapter

Sel, M., Van Rompay, B. (2006). Identity and Access Control — Demonstrating Compliance. In: ISSE 2006 — Securing Electronic Business Processes. Vieweg. https://doi.org/10.1007/978-3-8348-9195-2_20


  • DOI: https://doi.org/10.1007/978-3-8348-9195-2_20

  • Publisher Name: Vieweg

  • Print ISBN: 978-3-8348-0213-2

  • Online ISBN: 978-3-8348-9195-2

  • eBook Packages: Computer Science (R0)
