Security Compliance for Enterprise Organizations
White Paper: Identity and Security Management and Strong Information Technology Governance
Novell's Solution Suite Automates the Approach to the Perfect Union
By Sally Hudson, IDC
(27.03.08) - This IDC White Paper examines Novell's identity and security management (ISM) solutions and how these integrated offerings can play a key role in enforcing security compliance for enterprise organizations. When properly implemented and deployed, these solutions help companies to:
>> Avoid violations of government and industry regulations
>> Avoid the leakage of intellectual property
>> Drive down the cost of compliance through integration, consolidation, and automation
Read on:
The complete white paper as a free PDF document [230 KB]
Situation Overview
IDC research shows that regulatory compliance initiatives are rapidly becoming part of larger corporate GRC strategies. Security compliance and control solutions play a key role in enforcing corporate governance - a relationship that would seem obvious but often goes unrecognized.
In addition to the widely publicized Sarbanes-Oxley, Basel II, and HIPAA regulations, a number of other important government mandates continue to evolve worldwide, creating a dizzying maze of regulations and IT implementations that are difficult to assess, manage, and maintain on a global basis. When individual industry and corporate policy regulations are added to the mix, we can see why enterprises are often overwhelmed by the situation. Enterprises need to implement flowing, automated systems designed to accommodate strong security frameworks that provide auditing, archiving, and storage for compliance purposes.
A wish list would include the following:
>> Data must be easy to locate and produce for audit.
>> The technology must allow for easy implementation of new controls because the compliance landscape is always changing.
>> A proactive automated system does not permit an out-of-compliance action to occur.
Vendors that provide SIEM and IAM and combine industry best practices and internal policy requirements by controlling and automating their daily IT environments will be at the forefront of the ever-evolving compliance landscape.
Benefits of a Strong IT Governance Solution
IDC takes the position that the increasing complexities surrounding compliance have created a new class of vulnerabilities. The majority of security problems are caused by known vulnerabilities that the customer has not patched. IDC believes that inadequately addressed compliance regulations will result in increased violations and subsequent legal and public relations problems for corporations over the next several years. (See Worldwide Security Products and Services 2007 Top 10 Predictions, IDC #204678, December 2006.)
Compliance can be viewed as the natural by-product of good, integrated IT governance. Strong IT governance is by nature interwoven into all aspects of the enterprise. Risk assessment and risk remediation, as well as fraud prevention and detection, are also essential. The ability to perform these tasks in a timely manner and to view and act on data in real time is crucial to achieving GRC. This can be achieved with a solid ISM offering.
IDC recommends that a comprehensive ISM solution be evaluated based on answers to the following questions:
>> How does it improve overall governance?
>> How does it reduce risk, increase risk management, and facilitate remediation?
>> How well does it utilize existing IAM solutions?
>> How does it contribute to streamlining operations?
>> Does it provide automated reporting and auditing functions?
>> Does it provide real-time views and remediation if something falls outside the established policies for the IT infrastructure?
The last question is critical because events often deviate from the expected, so the system needs to be flexible. Furthermore, an ISM solution should fundamentally require integrating security management while simultaneously enabling and supporting evolving business goals. These in turn must be easily mapped to both government and industry-specific regulations.
Provisioning is key, especially due to regulations such as SOX, as auditors may demand reports on personnel policies, job descriptions, performance evaluations, training and development, and even succession planning. All must be accounted for within the IT infrastructure. Roles are groups of tasks that can be assigned to an individual, a group, or even an organization within an enterprise. They can be defined functionally (i.e., who does what within a business context) or structurally as related to IT processes such as application and resource access. Roles determine access parameters within the enterprise. The ability to define, manage, and effectively integrate roles based access control within the IT and business infrastructure can make or break a compliance implementation.
Coupled with the demand for a comprehensive identity and roles management capability is the need for a documented IT risk assessment and management process that adheres to an IT control framework. IDC believes that enterprises will seek to implement a flowing automated system that allows for a strong security framework including auditing, archiving, and storage for compliance purposes. Data must be easy to locate and produce. The technology must allow for easy implementation of new controls because the compliance landscape is always changing. A proactive automated system that does not permit an out-of-compliance action to occur is a key enterprise and system goal. By combining SIEM, IAM, control, and automation within the daily IT environment, enterprises will be able to achieve these goals.
Traditional Approaches to ISM and Compliance
Historically, efforts to collect and assemble the correct information in order to meet regulatory compliance have often been manual. These efforts are incredibly labor-intensive, painstaking, time-consuming, and prone to omissions and errors. The manual process is hindered further by the lack of tools and methods for reporting and auditing data once it is, in fact, collected. Any manual process is highly prone to error, and these endeavors translate into huge costs and distractions for the IT organization and the company as a whole.
IDC believes that 70% of all serious incidents are sparked by insiders (personnel with privileged access). As corporate perimeters are increasingly expanded, more nonemployees (e.g., contractors, consultants, customers, and partners) have greater access privileges than ever before. In universities, this group includes students and visiting professors. In healthcare, outsiders include doctors with patient privileges at multiple hospitals and other healthcare personnel working on a contractual basis.
Consider the following all-too-common scenario: Compliance regulations (e.g., SOX, Basel II) demand that Company A have a process that ensures that all relevant credentials, user accounts, passwords, and log-ins are removed whenever an employee or a contractor leaves the company. This process is called deprovisioning, and it typically must be enacted across dozens of applications within the enterprise. In today's environment, this often includes physical security, such as office access and building entry badges. Corporate credit cards and telephone calling cards must also be terminated. Timeliness is critical here, and individuals within the organization require access to the termination information almost immediately, along with the subsequent proof that it was done correctly in order to meet compliance standards.
While in theory this represents a relatively straightforward and linear process, it is no easy feat in practice, primarily due to the lack of comprehensive, integrated tools and solutions to automate the process. Certain IAM software products such as WSSO and host SSO can (and do) provide a certain level of access management, but they must be coupled with provisioning tools to guarantee the correct access to the correct resources scattered throughout the enterprise. Assuming that this integration across the organization is complete - and this is often a huge assumption - Company A now finds it needs mechanisms to audit and report on these actions to close the compliance loop. When the normal organizational boundaries and political barriers found within any company are added to this scenario, the entire effort can be overwhelming for any organization.
A seemingly obvious solution would be to automate these processes to achieve greater accuracy and economies of time and scale. Until recently, very few options have been available to alleviate the pain and streamline this tedious process.
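The deprovisioning scenario above (remove a leaver's access across many systems, then prove it was done) can be illustrated with a small orchestrator. This is an added example, not Novell code or the white paper's own material: the connectors, system names and users are constructed in-memory stand-ins, and the point it shows is that one unreachable target must neither block the others nor be reported as complete, so the audit record lists exactly what is still outstanding.

```python
"""Deprovisioning across several systems with a per-system audit record.

Added example (not Novell code). The Connector class is a hypothetical
stand-in for a real provisioning connector; systems and users are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class Connector:
    """Hypothetical connector to one target system (constructed stand-in)."""

    def __init__(self, name, accounts, fails=False):
        self.name = name
        self.accounts = set(accounts)  # user ids currently holding access
        self.fails = fails             # simulate a system that cannot be reached

    def revoke(self, user_id):
        """Remove the account; idempotent, so a retry on an already-clean system is safe."""
        if self.fails:
            raise ConnectionError(f"{self.name} unreachable")
        self.accounts.discard(user_id)

    def has_access(self, user_id):
        if self.fails:
            raise ConnectionError(f"{self.name} unreachable")
        return user_id in self.accounts


@dataclass
class AuditRecord:
    """What the compliance reviewer sees: who, when, and the outcome per system."""
    user_id: str
    started_at: str
    results: dict = field(default_factory=dict)  # system name -> "revoked" or "error: ..."

    @property
    def complete(self):
        return all(v == "revoked" for v in self.results.values())

    def outstanding(self):
        """Systems where access is not yet proven removed."""
        return sorted(s for s, v in self.results.items() if v != "revoked")


def deprovision(user_id, connectors):
    """Revoke on every connector, verify the removal, and record the outcome per system.

    A failing system is recorded as an error rather than aborting the run, so
    the remaining systems are still cleaned up and the record stays honest.
    """
    record = AuditRecord(user_id, datetime.now(timezone.utc).isoformat())
    for c in connectors:
        try:
            c.revoke(user_id)
            # Verify after revoking: the proof is a read-back, not the absence of an exception.
            still_there = c.has_access(user_id)
            record.results[c.name] = "error: still present" if still_there else "revoked"
        except ConnectionError as exc:
            record.results[c.name] = f"error: {exc}"
    return record


def build_demo_connectors(badge_down=False):
    """Constructed sample environment: HR, mail, CRM and the building badge system."""
    return [
        Connector("hr", {"jdoe", "asmith"}),
        Connector("email", {"jdoe", "asmith"}),
        Connector("crm", {"jdoe"}),
        Connector("badge", {"jdoe", "asmith"}, fails=badge_down),
    ]


if __name__ == "__main__":
    rec = deprovision("jdoe", build_demo_connectors(badge_down=True))
    print(rec.complete, rec.outstanding())  # False ['badge']
```

Running `deprovision` a second time against the same connectors is safe because `revoke` is idempotent, which is what makes an automated retry of the outstanding systems possible without touching the ones already done.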
Novell ISM Software Solutions
Novell Inc. has consistently been a leader in the IAM market space. Founded in 1983, the company employs more than 5,000 people worldwide and is headquartered in Waltham, Massachusetts, with key facilities located in Provo, Utah, and Nürnberg, Germany. Novell serves customers in varied market segments and offers a wide range of solutions in the datacenter, security and identity, resource management, workgroup, and desktop market spaces. Novell's ISM product line includes several products that focus on compliance-related functions. This section details each product and its key functions.
Novell Identity Manager provides a foundation for solid identity integration within an organization and ties this to a rules-based, automated provisioning capability. The software provides delegated administration functions (including user self-service). User provisioning automates the process of granting and changing access rights and, in some cases, audits the appearance of inappropriate rights in a user's profile. By automating time- and cost-sensitive manual procedures, user provisioning can sharply reduce the costs of granting necessary access to new employees, customers, partners, and suppliers.
The Roles Based Provisioning Module for Novell Identity Manager reduces the complexity and cost of identity and security management by helping IT managers establish access privileges to resources - including computer applications, telephone systems, and building security systems - based on role membership within an organization. Permissions are managed according to departments, jobs, or the specific tasks assigned to a person, minimizing the amount of IT administration required to add, delete, or maintain system user access rights. High-security organizations, such as hospitals and financial institutions, can ensure that access rights for role memberships are managed properly for both internal and external regulatory compliance purposes.
Roles based provisioning capabilities are increasingly in demand by organizations today. IDC estimates that provisioning software accounted for almost $500 million of the overall $3 billion IAM market for 2006 and forecasts that it will reach $997 million by 2011. We believe the strong growth in provisioning software is due to several factors, chief among them the Fortune 2000's need to meet regulatory compliance at both industry and government levels and its growing reliance on sophisticated, more granular IAM products. A large part of this growth projection is based on IT enterprise acknowledgement of roles based identity management as a key component in a secure, adaptable business process management environment. In fact, roles based access control is extending beyond the IT level and being recognized increasingly by the business side of organizations as essential in achieving security and adaptability while meeting regulatory compliance demands.
By providing a tightly integrated identity and role management solution, the module provides IT managers with greater transparency and flexibility in managing permissions. The software includes support for tactical decision making, segregation of duties, and attestation. The module is built into Identity Manager's metadirectory and therefore can take advantage of Identity Manager's real-time capabilities and comprehensive set of connectors. The result is that enterprise customers can use roles to provision, monitor, and record user access to protected information and resources and easily provide documented evidence to meet strict regulatory requirements.
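The roles, segregation-of-duties and attestation functions described in the last three paragraphs can be shown in a compact model. This is an added example, not the Roles Based Provisioning Module or any Novell code: the role names, permissions and the single SoD constraint are constructed for illustration. It shows the two places a control has to exist, at grant time (a conflicting role is refused) and at review time (an attestation report that still catches a conflicting combination which reached the directory some other way).

```python
"""Role-based access with a segregation-of-duties check and an attestation report.

Added example (not Novell code). ROLES and SOD_CONSTRAINTS are a constructed
policy; 'ap' stands for a hypothetical accounts-payable application.
"""

# role name -> permissions it grants (constructed)
ROLES = {
    "ap_clerk":    {"ap.create_invoice"},
    "ap_approver": {"ap.approve_invoice"},
    "nurse":       {"ehr.read", "ehr.update_vitals"},
    "auditor":     {"ehr.read", "ap.read"},
}

# Pairs of roles that one person must never hold at the same time (constructed).
SOD_CONSTRAINTS = [("ap_clerk", "ap_approver")]


class SoDViolation(Exception):
    pass


def effective_permissions(roles):
    """Union of the permissions of all held roles (unknown role -> KeyError)."""
    perms = set()
    for r in roles:
        perms |= ROLES[r]
    return perms


def check_sod(roles):
    held = set(roles)
    for a, b in SOD_CONSTRAINTS:
        if a in held and b in held:
            raise SoDViolation(f"{a} and {b} may not be held by one user")


def assign_role(assignments, user, role):
    """Grant-time control: add a role only if the resulting set passes SoD."""
    if role not in ROLES:
        raise KeyError(role)
    proposed = set(assignments.get(user, set())) | {role}
    check_sod(proposed)           # refuse before anything is written
    assignments[user] = proposed
    return proposed


def attestation_report(assignments):
    """Review-time control: per-user roles, effective rights and SoD status for sign-off."""
    report = {}
    for user, roles in sorted(assignments.items()):
        try:
            check_sod(roles)
            status = "ok"
        except SoDViolation as exc:
            status = f"violation: {exc}"
        report[user] = {
            "roles": sorted(roles),
            "permissions": sorted(effective_permissions(roles)),
            "sod": status,
        }
    return report


if __name__ == "__main__":
    assignments = {}
    assign_role(assignments, "bob", "ap_clerk")
    try:
        assign_role(assignments, "bob", "ap_approver")
    except SoDViolation as exc:
        print("refused:", exc)
    # A combination written directly to the store (e.g. a legacy sync) is caught at attestation.
    assignments["eve"] = {"ap_clerk", "ap_approver"}
    for user, row in attestation_report(assignments).items():
        print(user, row["sod"])
```

The attestation report is deliberately computed from the stored assignments rather than from the log of grants, because the question a reviewer has to answer is what access exists now, not what the provisioning process intended.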
Novell Access Manager is the company's WSSO product that allows trusted users to gain secure authentication and access to portals, Web-based content, and enterprise applications. The product provides IT administrators with centralized policy-based management of authentication and access privileges for Web-based environments and enterprise applications. It also offers customers strong authentication and identity FSSO. FSSO is the ability to share a user's log-in and authentication data across different Web sites and applications, both internal and external to the organization, using secure, standards-based protocols. The user is able to sign on to multiple Web sites regardless of the provider or identity domain, and organizations are able to separate employees from external parties to better meet compliance regulations. Access Manager is designed to help streamline this process. The software supports a wide range of platforms and directory services.
Novell Sentinel is the company's SIEM offering that provides real-time event monitoring and correlation, automated incident response handling, and compliance reporting. Sentinel automates the process of monitoring for policy violations, identifying and responding to violations, and delivering compliance metrics to demonstrate the effectiveness of critical IT controls. It consists of several modules that enable IT professionals to collect, correlate, monitor, and display data from thousands of events per second in real time. This software allows enterprises to address IT controls across multiple regulations while closing the knowledge gap between what should happen and what is actually happening in a networked environment. IDC believes this real-time capability is a significant value-add for enterprise organizations looking to increase security while addressing compliance demands.
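The SIEM function described above, correlating events against what policy says should be happening, can be illustrated with one correlation rule. This is an added example, not Novell Sentinel or any Novell code: the log lines, the line format and the identity feed of termination times are all constructed. The rule flags logins by accounts that should already have been deprovisioned, which is precisely the gap between the intended state (the HR record) and the observed state (the authentication log), and it reports the counts a control owner would put in a compliance report.

```python
"""Correlating authentication events with identity state (login after termination).

Added example (not Novell code). SAMPLE_LOG and TERMINATED are constructed;
the line format is a hypothetical syslog-like layout chosen for the example.
"""
import re
from datetime import datetime, timezone

# Constructed sample events: time, source system, user, outcome
SAMPLE_LOG = """\
2008-03-27T08:01:12Z vpn-gw   LOGIN user=asmith result=success
2008-03-27T08:03:40Z crm-web  LOGIN user=jdoe result=success
2008-03-27T08:05:02Z mail     LOGIN user=jdoe result=failure
2008-03-27T09:15:55Z vpn-gw   LOGIN user=contractor7 result=success
not a login line at all
"""

# Constructed identity feed: user -> time the HR/provisioning system says access ended
TERMINATED = {
    "jdoe": datetime(2008, 3, 26, 17, 0, tzinfo=timezone.utc),
    "contractor7": datetime(2008, 3, 28, 0, 0, tzinfo=timezone.utc),  # contract still running
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+LOGIN user=(\S+) result=(\S+)$")


def parse(line):
    """Parse one event line; returns None for lines the rule does not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, source, user, result = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "source": source, "user": user, "result": result}


def correlate(log_text, terminated):
    """Rule: any login attempt after the user's termination time is a policy violation.

    A successful login is rated high (access still exists), a failed one medium
    (the account may be gone, but someone or something is still trying to use it).
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        left_at = terminated.get(ev["user"])
        if left_at is not None and ev["time"] > left_at:
            severity = "high" if ev["result"] == "success" else "medium"
            alerts.append({**ev, "rule": "login-after-termination", "severity": severity})
    return alerts


def compliance_metrics(log_text, terminated):
    """Figures for a control report: events examined, violations found, users involved."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e is not None]
    alerts = correlate(log_text, terminated)
    return {
        "events": len(events),
        "violations": len(alerts),
        "affected_users": sorted({a["user"] for a in alerts}),
    }


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG, TERMINATED):
        print(a["severity"], a["source"], a["user"], a["result"])
    print(compliance_metrics(SAMPLE_LOG, TERMINATED))
```

The high-severity alert on a successful login is the one that feeds back into remediation: it says a deprovisioning run was incomplete for that system, which is exactly the "real-time view and remediation" the evaluation questions earlier in the paper ask for.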
Novell SecureLogin is the vendor's ESSO product and is designed to provide users with easy access to network and Web resources via a single, secure log-in. It reduces IT administration and cost by significantly reducing the number of help desk calls related to password resets and lowers the risk of data breaches by helping companies enforce consistent password policies. This can simplify compliance with internal and industry regulations. When the product is deployed with other components of Novell's ISM suite, enterprise customers have access to a complete, integrated identity and security management stack for supporting IT compliance, risk management, and governance requirements. SecureLogin enables integration with smart cards, biometrics, and proximity cards in conjunction with usernames and passwords. This aids organizations in their efforts to meet guidelines, such as FFIEC for online banking, that require more than one factor of authentication. The product currently supports Windows Vista, Windows XP, Internet Explorer, and Mozilla Firefox.
Novell Storage Manager is an identity-based file system management product with storage policies (i.e., size, file types, naming enforcement) and document retention capabilities, which are all very important features in meeting compliance regulations today. Storage policies are set in the directory based on users' identities and roles. Storage Manager then automates many common storage-related tasks, including quota management, directory renaming, migration, storage triage, and archiving. It can be used to manage storage on Microsoft Windows, NetWare, or Novell Open Enterprise Server–Linux platforms by leveraging their underlying directories.
Novell Identity Assurance Solution is Novell's modular offering for identity-based physical/building security, where the physical credential (i.e., building access badge) management is linked with IT systems for access and verification. It is especially important in meeting government HSPD-12 regulations. Novell's modular solution ties together Novell Identity Manager, Novell Sentinel, and third-party content from Honeywell for physical access control systems (PACS) and utilizes ActivIdentity software for life-cycle card management systems.
Novell ZENworks is from Novell's Systems and Resource Management (SRM) business unit and focuses on providing policy-enforced endpoint and wireless security software solutions, addressing the demands for securing the increasing number of enterprise mobile workers. Evolving in part from the Senforce acquisition in 2H07, the full product suite is designed to address critical endpoint security issues such as endpoint management, encryption, location-aware wireless control, personal firewall, removable media control, and network access control. A key feature is its central management console, which dynamically enables policy-based implementation of endpoint security, ensuring the enforcement of security policies for all employees regardless of location. In addition, the software offers a common log, providing enterprises with critical reports necessary for adhering to compliance regulations such as GLBA, HIPAA, and SOX.
About Novell
Novell, Inc. (Nasdaq: NOVL) provides infrastructure software for the open enterprise. Novell is one of the leading companies in enterprise operating systems based on Linux and open source, and in the security and systems management services needed to run heterogeneous IT environments. Novell helps its customers reduce cost, complexity and risk so that they can concentrate on innovation and growth.
The company, headquartered in Waltham, Massachusetts (USA), employs around 4,700 people worldwide. Since 1986 Novell has also been represented on the German market through Novell GmbH in Düsseldorf, from where sales and marketing for Germany, Austria and Switzerland are coordinated.
Offices are located in Berlin, Frankfurt, München, Nürnberg, Wien, Zürich and Genf.