7 Regulations for Identity & Access Management Compliance

Kyle Benson

Director, Product Marketing

A Strong IAM Program Can Meet the Demands of a Regulation-Heavy Marketplace

Businesses in today’s global marketplace face some daunting obstacles: rapidly changing technology, digital transformation, and an increasing number of industry-specific data security and privacy laws. Failure to comply with these laws could lead to costly fines, penalties, and damaged customer confidence. Fortunately, identity and access management (IAM) solutions have evolved to meet the demands of a regulation-heavy marketplace. 

From commonly encountered laws to highly granular compliance regulations, a robust IAM program can give institutions broad protection, threat visibility, risk mitigation, and most importantly, peace of mind.

Let’s review seven key regulations that require identity and access management compliance.

What are the IAM Compliance Requirements for the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR), adopted in 2016 and in force since May 2018, is a far-reaching privacy law that protects the personal data of individuals in the EU, regardless of citizenship, and reaches any company, inside or outside Europe, that processes that data. GDPR requires a lawful basis for every use of personal data (consent is one of several) and transparency toward the people whose data is collected and used.

Organizations are responsible for the security of data during the collection process as well as storage. A robust IAM solution that satisfies the GDPR compliance requirements for data privacy and security must include:

  • Access management
  • Access governance
  • Authorization
  • Authentication (including multi-factor authentication)
  • Identity management (IDM)
  • Identity governance

Data protection is the key to satisfying GDPR compliance requirements, and an IAM solution that merely monitors access to a customer’s personal data is not enough. Under GDPR, data subjects have the right to erasure (the right to “be forgotten”), to withdraw consent they have given, and to object to further processing of their data.

An effective IAM solution must track all access to personal data collected and update access rights based on both organizational changes and relevant customer preferences.

What are the IAM Compliance Requirements for the Sarbanes-Oxley Act (SOX)?

Created in response to numerous cases of high-profile corporate fraud, the Sarbanes-Oxley Act of 2002 (SOX) applies to all publicly traded companies in the United States and their auditors, whatever their industry; its subject is the integrity of financial reporting, not financial services as such. SOX does not spell out technical security standards. Section 404 requires management to establish, test, and document internal controls over financial reporting, and because those controls depend on who can read and change the data feeding the reports, auditors assess IT general controls such as access management as part of the engagement. IAM solutions that support SOX compliance must therefore address both identity management and data security, for digital and physical assets alike. This includes:
  • Centralized administration of access management and identity governance
  • Enforcement of Separation of Duties (SoD) policies
  • Regular auditing to verify user rights and permissions across the infrastructure
  • Automatic logging and tracking tools that generate clear reports for compliance audits

Companies can reduce the risk of unauthorized changes to financial data by providing granular, conditional access controls, and by automating IAM activities such as user provisioning and de-provisioning, predictive SoD analysis (checking a requested grant against SoD rules before it is provisioned), and access logging and usage tracking. In the end, the ability to produce on-demand evidence for an audit is key to aligning with SOX requirements.

What are the IAM Compliance Requirements for the Health Insurance Portability and Accountability Act (HIPAA)?

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law whose Privacy and Security Rules govern protected health information (PHI) held by covered entities (health plans, healthcare clearinghouses, and healthcare providers) and by the business associates that handle PHI on their behalf.

The Department of Health and Human Services (HHS) writes those rules and, through its Office for Civil Rights, enforces them against organizations with lax practices around identifiable health information.

HIPAA requires covered entities to keep patient data confidential and to limit each workforce member’s access to the minimum necessary for their role, rather than granting blanket access to everyone who treats patients. Much like GDPR and SOX, HIPAA compliance procedures limit access to PHI based on identity and purpose. HIPAA is closely tied to the HITECH Act of 2009, which extended HIPAA’s security and breach-notification obligations to business associates and promoted the adoption of electronic health records (EHR).

As digital healthcare data proliferates, an IAM solution paired with HIPAA compliance policies helps create a wide umbrella of protection against privacy violations. An effective IAM solution must include:

  • Credential protection through the use of single sign-on
  • Multiple ways to onboard and simplify the integration of healthcare business partners
  • Centralized access governance to enforce HIPAA-compliant access management across organizational infrastructure, including human and non-human identities such as Internet of Things (IoT) devices
  • Automatic access logging, such as tracking access to patient data, and automated reporting to facilitate auditing

Healthcare-related businesses benefit from these IAM capabilities in day-to-day administration as well: with rights managed centrally and accounts terminated promptly when staff leave, joiner, mover, and leaver changes become routine. Automated logging also helps HIPAA auditors verify compliance with the Security Rule’s audit-control and device and media control requirements.

What are the IAM Compliance Requirements for the Gramm-Leach-Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, mandates that financial institutions create and maintain information security programs that protect customer information. GLBA’s Safeguards Rule and Privacy Rule apply to nonpublic personal information (NPI): sensitive data such as Social Security numbers, credit history, and account numbers, but also more benign identifiers such as addresses and phone numbers when they are collected in connection with a financial product or service.

Financial institutions reduce risk when they implement organization-wide “least privilege” policies and safeguard identifiable information according to GLBA privacy rules.

All financial services employees, not just the security team, should be aware of the Safeguards Rule and comply with federal privacy policies and consumer protection rules.

An IAM solution can proactively improve GLBA compliance through:

  • Role-based management to ensure access through user roles rather than direct user assignment
  • SoD controls to prevent risky access situations
  • Automated provisioning and de-provisioning of users as personnel change roles
  • Entitlement management that permits only enough access for a user to complete their job
  • Multi-factor authentication to protect data in the event of compromised passwords

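The SOX section above calls for separation-of-duties enforcement, predictive SoD analysis, and audit-ready evidence of user rights, and the GLBA list just above calls for role-based access, least-privilege entitlements, and automated de-provisioning. The following is an added example, not Saviynt’s code or any vendor’s schema, of what those controls look like when reduced to logic: roles expand to fine-grained entitlements, an SoD rule names two entitlements one person must never hold together, a predictive check runs before a grant is provisioned, and an access review flags both toxic combinations and accounts that outlived their owner. The role names, entitlement strings, users, and the HR roster are constructed sample data.

```python
"""Separation-of-duties (SoD) and access-review checks over a constructed
entitlement model. Added example: the data, rule names and function names are
assumptions for illustration, not any vendor's schema."""

from typing import Dict, List, Set, Tuple

# Constructed sample data: roles expand to fine-grained entitlements.
ROLES: Dict[str, Set[str]] = {
    "ap_clerk":      {"vendor.create", "invoice.enter"},
    "ap_manager":    {"payment.approve"},
    "gl_accountant": {"journal.post"},
    "auditor":       {"ledger.read"},
}

# Constructed sample users: role memberships plus any direct (non-role) grants.
USERS: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"roles": {"ap_clerk"},               "direct": set()},
    "bob":   {"roles": {"ap_clerk", "ap_manager"}, "direct": set()},
    "carol": {"roles": {"gl_accountant"},          "direct": {"payment.approve"}},
    "dave":  {"roles": {"auditor"},                "direct": set()},
    "erin":  {"roles": {"ap_manager"},             "direct": set()},
}

# Constructed HR roster of active personnel; anyone holding access but absent
# here is a leaver whose account was never de-provisioned.
ACTIVE_STAFF: Set[str] = {"alice", "bob", "carol", "dave"}

# SoD rules: two entitlements that one person must never hold together,
# plus the fraud scenario the combination would enable.
SOD_RULES: List[Tuple[str, str, str]] = [
    ("vendor.create", "payment.approve", "create a vendor and approve payments to it"),
    ("invoice.enter", "payment.approve", "enter an invoice and approve its payment"),
    ("journal.post",  "payment.approve", "post journal entries and approve payments"),
]


def effective_entitlements(user: str) -> Dict[str, List[str]]:
    """Map each entitlement the user holds to the sources granting it
    (role names or 'direct'), so a finding can show how the access arose."""
    sources: Dict[str, List[str]] = {}
    record = USERS[user]
    for role in sorted(record["roles"]):
        for ent in ROLES.get(role, set()):
            sources.setdefault(ent, []).append(f"role:{role}")
    for ent in record["direct"]:
        sources.setdefault(ent, []).append("direct")
    return sources


def sod_violations(user: str) -> List[dict]:
    """Return one finding per SoD rule the user currently violates."""
    held = effective_entitlements(user)
    findings = []
    for left, right, risk in SOD_RULES:
        if left in held and right in held:
            findings.append({
                "user": user,
                "rule": f"{left} + {right}",
                "risk": risk,
                "evidence": {left: held[left], right: held[right]},
            })
    return findings


def would_violate(user: str, new_entitlement: str) -> List[str]:
    """Predictive check to run before a grant is provisioned: which SoD rules
    would the user break if this entitlement were added to what they hold?"""
    held = set(effective_entitlements(user))
    return [
        f"{left} + {right}"
        for left, right, _ in SOD_RULES
        if new_entitlement in (left, right)
        and ({left, right} - {new_entitlement}) <= held
    ]


def orphaned_accounts() -> List[str]:
    """Accounts that still hold access but are not on the active roster:
    the de-provisioning backlog an auditor will ask about."""
    return sorted(u for u, rec in USERS.items()
                  if u not in ACTIVE_STAFF and (rec["roles"] or rec["direct"]))


def access_review_report() -> dict:
    """Evidence an auditor can consume: every SoD violation and every orphan."""
    return {
        "sod_violations": [f for u in USERS for f in sod_violations(u)],
        "orphaned_accounts": orphaned_accounts(),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(access_review_report(), indent=2))
```

Two design points matter in practice. SoD must be evaluated over effective entitlements, not role names, because a direct grant (carol’s `payment.approve`) or two individually harmless roles (bob’s clerk plus manager) produce the same toxic combination; and each finding carries the grant path, since an auditor wants to see whether the conflict came from a role design error or an ad hoc grant that bypassed role-based management.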
Organizations and executives that violate GLBA face significant financial penalties, and individuals who willfully circumvent its safeguards or obtain customer information under false pretenses can face imprisonment. The Federal Trade Commission (FTC) enforces the Safeguards Rule for non-bank financial institutions; banks and credit unions answer to their federal banking regulators.

What are the IAM Compliance Requirements for the Family Educational Rights and Privacy Act (FERPA)?

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records at any school, from kindergarten through university, that receives funding from the U.S. Department of Education.

FERPA gives parents, and students themselves once they turn 18 or enroll in a postsecondary institution (“eligible students”), the right to inspect education records, to request corrections, and to control disclosure of those records, including opting out of the release of public-facing directory information. Once those rights transfer to the student, the student decides whether a parent may access the records, subject to FERPA’s exceptions (for example, disclosure to the parents of a tax-dependent student).

Other FERPA compliance requirements an IAM solution should address:

  • Federated identity allowing authorized external parties (for example, a school a student is transferring to) access to relevant education records
  • Means by which students can delegate education data access to third parties 
  • Accurate, complete, and time-stamped logging of users with access to student data
  • Automated reporting with audit-worthy access management evidence

The ability to easily manage and track access is key to privacy law compliance. For effective FERPA compliance, IAM solutions should centrally manage and cross-reference accounts of eligible students and their parents, as well as school staff and faculty, and ensure that controls limit access to student records.

What are the IAM Compliance Requirements for the California Consumer Privacy Act (CCPA)?

Following in the footsteps of GDPR, the California Consumer Privacy Act (CCPA), enacted in 2018 and effective January 1, 2020, brought major privacy obligations for U.S. businesses that serve California consumers. CCPA is similar to GDPR in that it gives California residents control over their personal information comparable to what EU data subjects exercise. As originally enacted, CCPA applies to any for-profit business that collects California consumers’ personal information and meets at least one of three thresholds: annual gross revenue above $25 million; buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices; or deriving half or more of its annual revenue from selling personal information (the California Privacy Rights Act later raised the second threshold to 100,000 consumers or households).

IAM solutions that assist in the satisfaction of CCPA compliance requirements for privacy and data security must include:

  • Identity management capabilities that tie individual consumers to their data and verify the identity behind each privacy request before acting on it
  • Access governance to ensure that a company knows where the data is housed and who can access it
  • Strong authentication (including multi-factor) to prevent disclosure to unauthorized users
  • Centralized administration of access management and identity governance

With CCPA, consumers control their personal information through rights to know what is collected, to have it deleted, and to opt out of its sale. While this parallels GDPR’s data protection, enforcement differs: CCPA is enforced by the California Attorney General (joined, after the CPRA amendments, by the California Privacy Protection Agency), and its private right of action is limited to data breaches caused by a failure to maintain reasonable security.

What are the IAM Compliance Requirements for the New York SHIELD Act?

The SHIELD Act is the common name for New York’s “Stop Hacks and Improve Electronic Data Security Act,” signed in 2019, with its breach-notification changes effective that October and its data security requirements effective March 2020. Similar to GDPR and CCPA, this data protection act expands security and breach-notification requirements on companies storing the private information of New York residents. Its goal is to enforce better protection of personal data, prevent breaches, and improve consumer notification.

The Act deems organizations already subject to and compliant with GLBA, HIPAA and HITECH, or the New York Department of Financial Services cybersecurity regulation (23 NYCRR 500) to be in compliance with its security requirements. SHIELD also considers the burden its requirements place on small businesses collecting and storing personal information: a business with fewer than 50 employees, under $3 million in gross revenue in each of the last three fiscal years, or under $5 million in year-end total assets need only adopt safeguards appropriate to its size, complexity, and the sensitivity of the data it holds.

IAM solutions that address NY SHIELD Act data security standards should include:

  • Automated provisioning and de-provisioning of users as personnel change roles and jobs
  • Entitlement management to limit permissions to least privileges
  • Federated identity management to simplify integration and tracking of business partners
  • Multi-factor authentication so that a stolen password alone is not enough to access protected data

All The Identity Capabilities You Need. One Converged Platform.

As organizations move to the cloud and add more SaaS applications, IT architecture becomes more complicated. To comply with modern privacy regulations, businesses need complete visibility into how and where human and machine identities access protected data — whether in the cloud, hybrid, or on-premises IT infrastructure. 

Saviynt goes beyond IAM. Our converged platform brings industry-leading, cloud-first simplicity and scale to today’s complex compliance challenges.

With Enterprise Identity Cloud (EIC), you get all five of Saviynt’s flexible, automated, cloud-first solutions in one single, cohesive platform:

  • Identity Governance and Administration (IGA)
  • Cloud Privileged Access Management (CPAM)
  • Application Access Governance (AAG)
  • Third-party Access Governance (TPAG)
  • Data Access Governance (DAG)

Find out how EIC can unify controls and risk management for every identity, app, and cloud across your business and transform your security posture.
