7 Regulations Requiring Identity and Access Management Compliance

Businesses in today’s global marketplace face a number of daunting obstacles including rapidly changing technology, marketing to a global audience, and regulatory compliance. The number of far-reaching industry-specific regulations regarding data security and privacy has increased in recent years and failure to comply results costly in fines, and penalties as well as damaged consumer confidence. Fortunately, identity and access management (IAM) solutions have evolved to meet the demands of a regulation-heavy marketplace. A robust IAM program can provide proactive threat visibility as well as risk mitigation while helping meet more specific compliance criteria laid down by various regulations, including the following commonly encountered recent laws. Let’s look at seven regulations requiring identity and access management compliance.

What are the IAM Compliance Requirements for the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR), created in 2016, is far-reaching privacy bill protecting the identity information and personal data of EU citizens. GDPR mandates companies, both foreign and domestic, ensure customer awareness and consent regarding private data access and use. Organizations are responsible for the security of data during the collection process as well as storage. A robust IAM solution that satisfies the GDPR compliance requirements for data privacy and security must include:

  • Access Management
  • Access Governance
  • Authorization
  • Authentication (including multi-factor authentication)
  • Identity Management (IDM)
  • Identity Governance

Key to the satisfaction of GDPR compliance requirements is data protection. Consumers retain the right to deny or revoke the collection of their data. An IAM solution that monitors user access to customer identity information and personal data is not enough. For GDPR compliance, an IAM solution must track all access to personal data collected, and update access rights based on both organizational changes and relevant customer preferences.

What are the IAM Compliance Requirements for the Sarbanes-Oxley Act (SOX)?

Created in response to numerous cases of high-profile corporate fraud, the Sarbanes-Oxley Act of 2002 (SOX) touches on all publicly traded organizations but primarily targets financial services such as banks and insurance companies. To ensure the integrity and security of financial reporting, SOX compliance mandates adequate internal controls for both digital and physical assets. Sarbanes-Oxley compliance is most often concerned with section 404 and 302. IAM solutions that meet SOX security standards must address both identity management and data security.

SOX security standards call for internal controls that are tested and documented to be in place for preparing financial reports and for protecting the data integrity of the accounting information going into these reports. IAM solutions that address SOX compliance requirements include:

  • Centralization administration of access management and identity governance.
  • Enforcement of segregation of duties (SoD) policies.
  • Regular auditing to verify user rights and permissions across the infrastructure
  • Automatic logging and tracking tools that generate clear reports for compliance audits

SOX addresses both physical and digital records making IAM an integral part of compliance, but the key to aligning with SOX requirements is the ability to produce on-demand evidence for an audit. By automating IAM activities including user provisioning and de-provisioning, granular conditional access controls, and implementing accurate access logging and usage tracking companies improve their security posture and reduce the risk of data breaches.

What are the IAM Compliance Requirements for the Health Insurance Portability and Accountability Act (HIPAA)?

Enacted as a national healthcare standard in 1996, the Health Insurance Portability and Accountability Act (HIPAA), was designed by the Department of Health and Human Services (HHS) to guarantee the privacy and security of protected health information (PHI). HIPAA targeted healthcare organizations for their previously lax security dealing with identifiable health information. HIPAA security standards improved the management of health information by creating privacy and security rules for the data that health insurance and healthcare providers, collect and store.

HIPAA forced covered entities to ensure that patient data was kept confidential, and access to that data was limited to healthcare providers directly servicing the patient. Much like GDPR and SOX, HIPAA compliance procedures include privacy safeguards that limit access to PHI based on identity and purpose.

The HITECH Act, signed by President Obama in 2009, motivated the healthcare industry to modernize management of healthcare data via electronic health records (EHR) and peripheral technology. HIPAA and HITECH regulations share a close relationship, and covered entities began including business associates as well. Healthcare clearinghouses faced compliance with both HIPAA security measures and the electronic healthcare data security mandated by the HITECH Act. An IAM solution paired with HIPAA compliance policies reduces risk of privacy rule violations for healthcare data. An IAM solution that addresses HIPAA standards must include:

  • Credential protection through the use of single sign-on
  • Federated identity management for simplified integration of healthcare business partners
  • Centralized access governance to curate HIPAA compliant access management across organizational infrastructure
  • Automatic access logging ensuring compliance to HIPAA security rules such as tracking access to patient data
  • Automated reporting stems from the logging and is used to facilitate auditing of HIPAA security compliance.

Healthcare-related businesses benefit from the implementation of IAM solutions that includes federation, single sign-on security, centrally managed permissions, and automated logging. Administrative transactions become less complicated with effectively managed rights and proper accounts termination. Also, automated in-depth logging enables HIPAA auditors to verify electronic media policy compliance.

What are the IAM Compliance Requirements for the Gramm-Leach-Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act, focused on financial institutions, forcing them to protect customer information. The Gramm-Leach-Bliley Act specifically applies to sensitive data such as social security numbers, credit history, and account numbers. GLBA includes safeguards for consumer financial information and provides privacy for more benign information such as address and phone number. GLBA compliance mandates financial institutions create and maintain information security programs. The Safeguards Rule within the GLBA is a directive designed to ensure the security of customer information with specific provisions to ensure that data is not accessed under false pretenses. Risk assessment and mitigation of risk are integral to compliance with the Safeguards Rule. Financial institutions require mature security programs with in-depth knowledge of the GLBA and privacy rules. Information Security departments need tools to protect personal information proactively.

Financial institutions reduce risk when they implement organization-wide “least privilege” policies and safeguard identifiable information according to GLBA privacy rules. Consumer protection rules and privacy policies are not solely the domain of a financial institution’s security program; all financial services employees should be aware of the Safeguards Rule and observe security practices that comply with federal privacy policies. An IAM solution can proactively address provisions in The Safeguards Rule and improve GLBA compliance through:

  • Role-based management to ensure access through user roles rather than direct user assignment
  • Controls to ensure segmentation of duties to prevent risky access situations
  • Automated provisioning and de-provisioning of users as personnel change roles and jobs
  • Entitlement management to limit permissions to only access what is needed for a user to complete their job.
  • Multi-factor authentication to protect data in the event of user passwords being compromised.

Organizations found not to be in compliance with GLBA face significant financial penalties. GLBA security violations extend to individuals who not only risk financial penalties but also potential jail time for those who ignore or willfully circumvent security safeguards. Enforcement of GLBA is handled by the Federal Trade Commission (FTC). 

What are the IAM Compliance Requirements for the Family Educational Rights and Privacy Act (FERPA)?

The Family Educational Rights and Privacy Act (FERPA) became Federal law in 1974. FERPA protects the privacy of student directory information and educational data for eligible students attending post-secondary educational institutions. FERPA specifically places controls on how student data relating to their educational records is disclosed. FERPA regulations assure the rights of students and, in some cases, their parents to restrict access to student education records even from faculty and staff not providing education services to that student. Eligible students may also deny their parents from access to their education records. FERPA parallels HIPAA in ensuring that educational records are kept confidential, and access to student information is limited to education providers that are directly servicing the student.

FERPA puts the information security onus on the school officials and the school to provide data privacy controls and access management. Often education providers rely heavily on external controls which ensure general confidentiality of education records, but experience significant gaps in policy compliance regarding internal controls. FERPA is explicit regarding the privacy rights of students and unnecessary disclosure of education data even to other school officials.

Other FERPA compliance requirements an IAM solution should address include:

  • Federated infrastructure allowing eligible non-university affiliates access to relevant education records.
  • Means by which students can delegate access to 3rd parties to access their education data.
  • Accurate and complete logging of users with access to student data including timestamps.
  • Automated reporting providing audit-worthy access management evidence.

FERPA compliance includes the right of a student to restrict access to their directory information in spite of it being public information. FERPA regulations also allow eligible students to grant or revoke permission for their parents to access education records. The ability to easily manage and track access management is the key to privacy law compliance. IAM solutions that centrally manage and cross-reference accounts of eligible students and their parents, as well as school staff and faculty, must ensure that controls are in place limiting access to student records as appropriate.

What are the IAM Compliance Requirements for the California Consumer Privacy Act (CCPA)?

Following in the footsteps of GDPR, the California Consumer Privacy Act (CCPA) was enacted in 2018 but goes into effect on January 1, 2020. Organizations nationwide are scrambling to prepare for the massive privacy implications CCPA will have for U.S. businesses that service Californian consumers.

CCPA is similar to GDPR in that it provides California citizens the same level of control over their personal information that EU citizens currently exercise.  CCPA regulations apply to any company that generates $25 million or more in gross revenue and collects personal information from Californian consumers. 

A critical difference between GDPR and CCPA is that CCPA acknowledges the household as a covered entity as well as the customer. CCPA, in some cases only applies to the personal information provided by the California residents ignoring data sourced or purchased from third parties. IAM solutions that assist in the satisfaction of CCPA compliance requirements for privacy and data security must include:

  • Identity management capabilities that tie individual consumers to their data and privacy requests
  • Access Governance to ensure that a company knows where the data is housed and who can access it
  • Strong authentication including multi-factor authentication to protect disclosure to unauthorized users
  • Centralization administration of access management and identity governance.

As a key factor of CCPA, consumers are in control of their privacy and personal information with rights to deny or revoke either the collection or sale of their data.   While this parallels in data protection with GDPR, it differs in enforcement. With GDPR, violations can cost up to 20 million euros or 4% of global revenue, whichever is greater, while CCPA implements fines on a per violation basis that cap at $250,000 per violation.  

What are the IAM Compliance Requirements for the New York SHIELD Act?

The SHIELD Act is the common name for New York’s “Stop Hacks and Improve Electronic Data Security Act” implemented in 2019.  This act dramatically expands security and privacy notification requirements on companies storing personal information of New York citizens. This act is New York’s cybersecurity effort to force better protection of personal data and improve breach notification requirements. Similar to GDPR and CCPA, this far-reaching data protection act seeks to reduce the risk that the private information of New York citizens will be exposed in a data breach.

Much like GDPR, this law mandates information security requirements be in place to safeguard data privacy.  Any organization already in compliance with either HIPAA or GLBA will find the privacy safeguards similar. This law takes into account the burden of cybersecurity requirements for small businesses collecting and storing personal information. Therefore the directives are adjusted to be appropriate for the size and complexity of the organization. IAM solutions that address NY SHIELD Act data security standard should include:

  •  Automated provisioning and de-provisioning of users as personnel change roles and jobs
  • Entitlement management to limit permissions to least privileges
  • Federated identity management to simplify integration and tracking of business partners
  •  Multi-factor authentication to increase the difficulty of stealing credentials to illicitly access data.

SHIELD compliance necessitates that an organization minimize the risk of a cybersecurity breach or deal with the financial impact of costly breach notifications.  Implementing a robust IAM solution not only proactively protects, but it improves the overall security posture of organizations, ensuring compliance and minimizing risk.

Why Saviynt? Holistic IGA

Saviynt goes beyond IAM with a holistic approach to IGA.  Our innovative, cloud-native Gartner recognized IGA solution enables full visibility into how and where users interact with data whether using a cloud, hybrid, or on-premises IT infrastructure, which is what is required to meet many of the current privacy regulations. 

Saviynt provides deep visibility with the Cloud Privileged Access Management (PAM) module, and enterprises can monitor privileged users to ensure that they do not abuse their rights while also providing time-bound escalations to mitigate potential access violations.   Automated provisioning and de-provisioning of users as personnel change roles and jobs eases the overhead of access management. Moreover, our cloud-native capabilities and integrations accelerate IT modernization by providing continuous monitoring and documentation. Automated reporting facilitates audit documentation and eases the burden of proving continuous assurance over privileged access. 

Saviynt’s peer- and usage-based analytics enable you to create context- and risk-aware ABAC rules. Saviynt’s entitlement management limits permissions to least privileges using our intelligent analytics to compare users’ requests to their peers’ access. Our analytics enable IAM compliance by enforcing policies and internal controls. This emphasis on least privilege and continuous assurance helps ensure employees and administrators don’t gain excess access to private data. 

Our Control Exchange is a library of over 200 controls, based on regulations, industry standards, and mission-critical IaaS, PaaS, and SaaS providers. The rules and policies automatically integrate with your authoritative identity source so that our analytics can incorporate the controls into your holistic IAM compliance program. After setting the controls and IAM policy, the platform automatically alerts you to anomalous access requests and suggests remediation actions to help your organization maintain the necessary data privacy compliance posture. 

For more information, contact us or engage in a free trial.

MJ Kaufmann

About author

MJ Kaufmann is an industry veteran with two decades of experience in the field. Her experience covers a wide range of technology from networking to application development and systems analyst, through information security. She holds a Master's in Information security as well as two industry certifications, NSTISSI No. 4011 and NSTISSI No. 4013.

Leave a Reply

Your email address will not be published. Required fields are marked *