Security in a cloud

Auditors must review risks across three distinct domains when organizations outsource IT security administration.

Many organizations are investing in identity and access management (IAM) solutions to automate security administration functions and help reduce the number of resources required to perform manual security administration functions. A 2008 Forrester Research study estimates that the IAM market will grow from nearly US $2.6 billion in 2006 to more than US $12.3 billion in 2014.

Organizations also are turning to IAM to meet compliance and regulatory requirements that are putting a greater burden on the security administration function in the form of additional reports, better records of workflow and change requests, and periodic self-assessments. Moreover, as IT budgets have declined in recent years, IT leaders have realized that automating security administration saves costs.

IAM solutions use relatively new technologies with their own audit challenges. Part of the solution resides in a client's computing environment, part of it resides in a service provider's environment, and another part depends on the Internet "cloud" that links them. Auditors must address these separate computing environments as part of a single strategy.

IAM TO THE RESCUE

IAM promised a way to automate the security administration function. IAM software enabled organizations to automate the front-end workflow for adding new employees (on-boarding), removing separated employees (off-boarding), and adding, modifying, and deleting (provisioning) access requests. It also provided standard back-end adapters to automate updates of common technologies like Active Directory, Lightweight Directory Access Protocol (LDAP), servers, and mainframe and mid-range systems. However, problems customizing the software and a lack of programming expertise lengthened the duration of IAM projects and increased implementation costs.

Outsourcing IAM was another option. In the past decade, IT leaders have looked to reduce overall IT costs by outsourcing many functions, but they considered security too risky to be outsourced. Instead, they decided that the administration function should remain in-house, but the IAM "center" should be managed by external experts.

Once organizations started to trust managed service providers, IT leaders saw they could gain additional savings by using IAM services over the Internet, where multiple clients share the provider's computing resources. IAM in the cloud moves identity management to a third-party service provider. Client requests and user approvals travel across the Internet through a secure tunnel to the provider. The resources to be managed, such as servers, applications, and the network, reside in the client's computing environment. The users of these IT resources are the client's employees and business partners. The service provider maintains all the IAM servers, LDAP, and workflows required to provision users. The client's designated users submit requests on the Web, and the IAM workflow engine obtains all required approvals. The provider's IAM servers respond to these requests by submitting the appropriate instructions for the computing resource at the client.

For example, when the client wants to create a new finance user in Active Directory and SAP, it submits the request to the provider through the Web. The provider's IAM servers send instructions to the client's Active Directory server to create a new user and add the user to the finance group. They also instruct SAP to create the same user in the finance group and notify the client that its requests have been completed.

AUDIT STRATEGY

The IAM cloud approach provides challenges for internal auditors focused on assessing identifiable risks. The audit strategy is based on generally accepted audit principles but encompasses the broader risks associated with the IAM cloud. This strategy should address risks within the client's environment, within the provider's environment, and within the cloud. Some examples include risks associated with the service provider's ability to safeguard the organization's data and transactions over the Internet, as well as abuse of privileged accounts by the provider.

CLIENT ENVIRONMENT

The risks in the client's environment are the same as internal IT risks. Some of the risks that the audit program should consider include unauthorized access to systems and data, abuse of privileged accounts, lack of an approval process, missing patches, missing and ineffective log reviews, and inadequate monitoring. The scope of the IAM environment should include:

* Applications, including purchased and homegrown products.

* Identity management process from on-boarding to termination, including the approval process and workflow management.

* Servers that are used or managed in the IAM process, including Windows, Linux, and mainframes.

* Provisioning adapters used to connect the IAM server to the managed resources (if applicable).

* Network infrastructure used or managed during the identity management process.

* Access control for all servers, applications, network resources, and workflows used or managed during the IAM process.

In addition, the audit program should address proxy repositories in the client's environment. These databases of user accounts and assets are located in the client environment but owned and managed by the provider. Moreover, auditors should consider compliance with all relevant regulations that may increase risk.

PROVIDER ENVIRONMENT

The service provider's environment may contain more risk depending on the level of access and information provided to clients. In most cases, the client remains accountable and liable for safeguarding information. When auditing the provider, auditors should address:

* IAM servers residing in the provider's environment. These include Linux and Windows servers that host the IAM functions and applications, Web services, repositories, databases, LDAP, and any other infrastructure that is needed to operate the outsourced model. Auditors should review security baselines periodically.

* Access control. Auditors should address access control in two areas: the provider's infrastructure and the client's data. Because the provider has administrator access to the client's provisioned IT resources, such elevated access should be reviewed and reported frequently.

* Segregation of data and privacy. The client's data should be segregated from other clients' data appropriately. This may mean using separate servers for each client and separate network subnets, where possible. Segregating and protecting data is especially important when the provider serves competing organizations.

* Security operation processes. Because the provider's internal IT operations have an impact on the client, auditors should review such operation processes as change, release, and patch management; backup and restore; disaster recovery for the client's IAM system and the ability to recover the client's system and data at an alternate site; incident response and problem management; and physical security of the IAM provider's facilities and data.

* IAM system availability. IAM servers should be redundant to increase availability, but the client has to weigh the increased cost of redundancy against how quickly an IAM system can be restored.

* Statement on Auditing Standards (SAS) 70 Type II reports. Auditors should periodically request and review the provider's SAS 70 report from an independent party to gain a fresh perspective on the risks existing within the provider's IT environment. This report can help auditors catalog identified risks, understand how quickly the risks are addressed, and determine whether the risks are increasing or decreasing over time.

* Periodic reports from the provider. The service contract should require the provider to submit reports on IAM operations and performance. These reports should cover user provisioning and de-provisioning, granting and removal of access, and administrative access usage and reviews. Auditors should compare these provisioning reports with approvals to verify the authenticity of the approval and the approver.

The risks in the provider's environment are elevated because the provider's employees have administrative access to the IAM computing resources and the client's computing resources. Implementing appropriate controls in the provider's environment can help reduce these risks.
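The comparison called for in the last bullet, matching the provider's provisioning report against the client's approval records, is mechanical enough to script. The following Python is an added example, not code from the article or from any IAM product. The approver roster, the approval records, and the provider's report lines are constructed sample data, and the field layout is an assumption, since the article does not specify a report format; in practice the fields would come from the workflow engine's export and the provider's periodic report.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Approval:
    """One approval captured by the client's IAM workflow (assumed layout)."""
    request_id: str
    user: str
    resource: str
    group: str
    approver: str
    approved_at: datetime


@dataclass(frozen=True)
class ProvisioningEvent:
    """One line of the provider's provisioning report (assumed layout)."""
    event_id: str
    user: str
    resource: str
    group: str
    action: str          # "grant" or "remove"
    provisioned_at: datetime


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


# Constructed roster: who may approve membership in each group.
AUTHORIZED_APPROVERS = {"finance": {"jdoe", "mlee"}, "hr": {"rkhan"}}

# Constructed approval records exported from the client's workflow engine.
APPROVALS = [
    Approval("REQ-1001", "asmith", "ActiveDirectory", "finance", "jdoe", ts("2009-03-02T09:15:00")),
    Approval("REQ-1001", "asmith", "SAP", "finance", "jdoe", ts("2009-03-02T09:15:00")),
    Approval("REQ-1002", "bjones", "SAP", "finance", "bjones", ts("2009-03-03T11:00:00")),
    Approval("REQ-1003", "cwu", "ActiveDirectory", "hr", "tnguyen", ts("2009-03-04T08:00:00")),
    Approval("REQ-1004", "dlopez", "SAP", "finance", "mlee", ts("2009-03-05T16:00:00")),
]

# Constructed lines from the provider's periodic provisioning report.
PROVISIONING_REPORT = [
    ProvisioningEvent("EV-1", "asmith", "ActiveDirectory", "finance", "grant", ts("2009-03-02T10:00:00")),
    ProvisioningEvent("EV-2", "asmith", "SAP", "finance", "grant", ts("2009-03-02T10:01:00")),
    ProvisioningEvent("EV-3", "bjones", "SAP", "finance", "grant", ts("2009-03-03T12:00:00")),
    ProvisioningEvent("EV-4", "cwu", "ActiveDirectory", "hr", "grant", ts("2009-03-04T09:00:00")),
    ProvisioningEvent("EV-5", "dlopez", "SAP", "finance", "grant", ts("2009-03-05T09:00:00")),
    ProvisioningEvent("EV-6", "eparker", "ActiveDirectory", "finance", "grant", ts("2009-03-06T09:00:00")),
    ProvisioningEvent("EV-7", "asmith", "ActiveDirectory", "finance", "remove", ts("2009-03-20T17:00:00")),
]


def find_approval(event, approvals):
    """Return the approval covering this user/resource/group, or None."""
    for approval in approvals:
        if (approval.user, approval.resource, approval.group) == (event.user, event.resource, event.group):
            return approval
    return None


def reconcile(events, approvals, roster):
    """Compare each access grant in the provider's report with the client's approvals.

    Returns (event_id, finding) pairs. Four conditions are checked: the grant
    has no approval at all, the requester approved their own access, the
    approver is not on the roster for that group, or the provider acted before
    the approval was recorded (which suggests a change outside the workflow).
    Removals are skipped here; off-boarding is reconciled against HR records
    in a separate review.
    """
    findings = []
    for event in events:
        if event.action != "grant":
            continue
        approval = find_approval(event, approvals)
        if approval is None:
            findings.append((event.event_id, "NO_APPROVAL"))
            continue
        if approval.approver == event.user:
            findings.append((event.event_id, "SELF_APPROVAL"))
        if approval.approver not in roster.get(event.group, set()):
            findings.append((event.event_id, "UNAUTHORIZED_APPROVER"))
        if approval.approved_at > event.provisioned_at:
            findings.append((event.event_id, "PROVISIONED_BEFORE_APPROVAL"))
    return findings


if __name__ == "__main__":
    for event_id, finding in reconcile(PROVISIONING_REPORT, APPROVALS, AUTHORIZED_APPROVERS):
        print(f"{event_id}: {finding}")
```

Each finding maps back to a control the article names: a missing approval or an out-of-order timestamp points at provider staff using their administrative access outside the workflow, while self-approval and an unauthorized approver point at a weak approval process on the client side. Running the same reconciliation on every periodic report gives the auditor the trend the SAS 70 review is meant to supply: whether exceptions are increasing or decreasing over time.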

THE CLOUD

The third aspect of an IAM cloud computing audit strategy is the cloud itself. The cloud's security should be based on providing and establishing a secure tunnel between the client and the provider. Auditors should test this tunnel periodically. The tunnels to various clients also should be segregated in such a way that client data does not cross and intruders have no access.

THREE ELEMENTS TO AUDIT

"Divide and conquer" is the appropriate strategy for auditing IAM in the cloud. Auditors must address each of the three elements of this form of security administration (client, provider, and cloud) individually, using generally accepted audit principles and methodologies.

SAJAY RAI, CPA, CISSP, CISM, is CEO and founder of Securely Yours LLC in Bloomfield Hills, Mich.

PHILIP CHUKWUMA, CISSP, is chief technology officer with Securely Yours LLC.

To comment on this article, e-mail the authors at sajay.rai@theiia.org.

EDITED BY STEVE MAR

COPYRIGHT 2009 Institute of Internal Auditors, Inc. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.

Copyright 2009 Gale, Cengage Learning. All rights reserved. Gale Group is a Thomson Corporation Company.

NOTE: All illustrations and photos have been removed from this article.