Understanding Identity and Access Management Compliance

Joe Raschke

Joe Raschke

Principal Solution Strategist

4 Reasons Organizations Struggle with IAM Compliance and 5 Ways Automation Can Help

The Identity and Access Management (IAM) compliance struggle is real. As organizations add more SaaS applications to streamline their business operations, they often lose visibility over their users’ access within the complex architecture. 

As your organization moves to the cloud, you need a solution that addresses the proliferation of both human and machine identities across on-premises, hybrid, and cloud ecosystems. Policies that identify who has access to the right information at the right time for the right reason will enable you to mature your security strategy — and expand to handle all evolving identities and their related accounts.

Implementing policy-based controls across SaaS and current hybrid solutions is an ever-moving target. To meet the challenges of IAM compliance, look for flexible, cloud-architected solutions that incorporate automation. 

4 Reasons Organizations Struggle with IAM Compliance

The Pareto principle — that 80% of consequences come from 20% of the causes — certainly applies to identity governance. The full scope of identity-based controls may encompass 80% of all of the required activities to monitor. 

The standards-based approach to compliance requirements for IAM, such as in PCI DSS, uses identity and access management to help protect data security and privacy. Managing the IAM lifecycle effectively requires you to set policies that enable user access requests, identity reconciliation, and the review/certify process. 

1. Provisioning/Deprovisioning: From Birthright, Transfer, and Termination

The provision/deprovision process acts as the starting point for the IAM lifecycle by granting the appropriate entitlements and access in a timely manner or revoking access upon job termination or transfer. Most regulations and industry standards set a grant/remove access timeline to ensure data privacy and security with appropriate data access management. 

Legacy solutions tend to focus on birthright or termination processes and only address top-level requirements, often leaving the middle child — transfers — ignored. An audit-proof program needs visibility into all deprovisioning use cases: birthright, transfer, and termination.

To do this, effective IAM policies need to incorporate: 

  • User identity definitions
  • User authentication methods (such as multi-factor authentication)
  • User access to resource locations
  • User access within resource locations
  • User access reviews

2. Enforcement

After granting permissions, you need to validate and enforce your IAM policy controls, such as authentication and authorization to Software-as-a-Service (SaaS) applications and Infrastructure-as-a-Service (IaaS)/Platform-as-a-Service (PaaS) environments, while also maintaining compliance with access management policies. 

As such, IAM policies need to incorporate: 

  • Access management policies
  • Consistent role-based, rule-based, or attribute-based access requirements
  • Separation of Duties policies (SoD)
  • Comprehension of the dynamic nature of these SaaS, PaaS, and IaaS environments

3. Validating Access with Review and Certify Processes

Although the review/certify process requires enforcing your IAM policy rules, IT administrators or department managers often become inundated with requests as the organization incorporates new technologies. 

As such, IAM policies need to incorporate: 

  • Who reviews requests
  • Succession ownership over the process
  • Context for user access needs

Policies also need to address a second wave of issues with both business and IT application owners rubberstamping excessive certification requests. For example, IT admins tasked with setting up access to a shared folder have no visibility into the business reasoning for that access, so they end up rubberstamping it during certification. 

Other times, if they seek a manager’s approval, that manager may make wrong assumptions about who has access in their department — especially if that manager happens to be a new hire. Legacy systems don’t provide the extra context needed for complete visibility.

4. Documentation for Audit

At its core, compliance requires documentation. To create identity-based IAM policies, you need to define business-relevant Key Performance Indicators (KPIs), Key Risk Indicators (KRIs), and document your overarching IAM program. 

As such, IAM policies need to incorporate: 

  • Business-driven metrics
  • Audit process requirements 
  • Suggested documentation for proving governance and the prescriptive nature of PCI-DSS give a glimpse into the scope of controls to consider.

5 Ways Automation Eases IAM Burdens 

Automation solves many of the current IAM policy creation and compliance problems. Digital transformation requires an equally modern IAM solution to help protect data privacy and security. Finding the correct automation enables greater control over users’ data access and proves governance more effectively for audit purposes.

1. Identity Reconciliation

With automation, you can create an identity warehouse that incorporates all identity and access definitions across your ecosystem. Identity reconciliation tools compare the definitions, do role-mining, and create a single, authoritative source of identity. Once the automation completes the role-mining, you can use the standardized identity definitions to create holistic IAM policies. To augment fraud detection, you should also be able to securely open data inside these warehouses to integrate with your other solutions, such as SEIM and your Security Operation Centers.

2. User Access Requests

When the access request is performed by the individual or on behalf of their manager, automation streamlines the access request/review/certification process by enabling you to create risk-based rules and approval paths. User access requests should become the exception not as a normal activity.

For example, organizations using automation can create designated approver notifications, delegation rules, SoD rules, and escalations. Intelligent analytics provide a way for organizations to look at user access context so that they can augment their Role-Based Access Controls (RBAC) and create Attribute-Based Access Controls (ABAC) which align to their risk tolerance. 

3. Provisioning/Deprovisioning

With authoritative identity sources, you can streamline the provisioning/deprovisioning process. Automating access within the tool enables you to set timebound rules or review notifications so that you no longer need to worry about orphaned accounts or excess access as users join, move within, or leave the organization. 

Moreover, if you choose the right automated tool, you can also establish IAM policies for non-person identities such as APIs, Robotic Process Automation (RPA), workloads, servers, and containers. Most legacy solutions falter around “movers” — no automated way to know when to deprovision and reprovision. This can become a daunting task on the road to Zero trust.

4. Enforcement

Once you create an authoritative identity source and establish risk-based, context-aware rules within your automated tool, you can more easily enforce them. 

Intelligent analytics can automatically compare access requests to policies, send potential violation alerts, and suggest remediation actions. This then allows you to reduce the amount of operational and compliance risk — and identify both outlier and potential “inlier” reviews on a timely basis. We call this process “micro-certification.”

5. Documentation for Audit

Automated identity analytics continuously monitor for anomalous access requests, removing “rubber-stamping” from overwhelmed IT administrators and department managers. Automation applies your IAM policies across the identity lifecycle to create risk-aware request escalations, requiring someone in the organization to purposefully review the request.  

Saviynt’s Intelligent Analytics Streamline IAM Compliance

Saviynt’s intelligent analytics streamline the IAM compliance process so that organizations can create a frictionless approach to managing the identity lifecycle. More than Identity-as-a-Service (IDaaS), we provide Assured Compliance-as-a-Service (CaaS). 

Our cloud-native platform provides flexible options for both on-premises and cloud-based deployments. Our intelligent analytics provide role-mining capabilities that help establish “least privilege” entitlements to control access to and within your IaaS, PaaS, and SaaS environments. 

Moreover, Saviynt’s peer- and usage-based analytics enable you to create context- and risk-aware ABAC rules. Our analytics compare users’ requests to their peers’ access to automatically grant or limit access. Our analytics also enable IAM compliance by enforcing policies and internal controls. 

Saviynt’s Control Exchange, part of our Identity Risk Exchange, is a library of over 200 out-of-the-box controls, based on regulations, industry standards, and mission-critical IaaS, PaaS, and SaaS providers. The Control Exchange simplifies compliance by providing controls that organizations can implement across the multiple platforms Saviynt currently supports. It enables cross-mapping between regulatory initiatives, control frameworks, and platforms that automatically integrate our analytics with your authoritative identity source.  

After setting the controls and integrating them with your IAM policy, the platform automatically alerts you to anomalous access requests and suggests remediation actions.


Schedule a Demo

Ready to see our solution in action?
Sign up for your demo today.

#1 IGA Solution. New Identity Leader for the Cloud Era.

Gartner | 2021 IGA Solution Scorecard