
Active Directory getting critical look from regulators

By Mark Baard, Contributor
27 Sep 2005 | SearchSecurity.com


The next time auditors come to examine your network infrastructure, expect them to take a closer look at how you manage and secure Active Directory.

"With Sarbanes-Oxley, Gramm-Leach-Bliley and other regulations taking effect, companies must take a more formal approach to internal controls," said Sean Peasley, principal in the Audit and Enterprise Risk Service at Deloitte and Touche LLP.

Active Directory is at the core of internal IT controls for Microsoft Windows users, according to Peasley and other data security experts. Administrators use the Microsoft directory service to assign enterprise-wide policies and deliver software patches and updates to workstations.

Admins also use Active Directory to manage network configuration changes and assign access rights to individual users.

With so much network management taking place within a single service, said Peasley, "It is imperative to make sure Active Directory is secured and controlled. If you lose that information, there is now the potential for fines and consent orders."

SOX, together with HIPAA and GLBA, which regulate how organizations may use and store personal health and financial information, are compelling security officers to step up their IT controls.

Active Directory has long been neglected by IT and business auditors, said Larry Brandolph, infrastructure technology management team lead at Cigna Corp., an employee benefits company based in Philadelphia, Pa.

"Most IT and business auditors don't understand what Active Directory provides," said Brandolph. Auditors "are focusing their time on tracking/auditing at the application levels, but are forgetting that Active Directory is used as an authorization/authentication product. Given all the regulator requirements today, at some point AD needs to get on the auditor's scopes."

Cigna has been running Windows 2000 Active Directory since December 2000. The company plans to upgrade to Windows 2003 Active Directory in 2006.

Throughout the health care industry there's a need for a built-in mechanism for managing Active Directory log files, Brandolph said, adding that Cigna is reviewing software options to help it track more closely the addition and removal of objects on its network, including NetPro's ChangeAuditor.

ChangeAuditor belongs to a class of software that monitors, tracks and reports changes to the objects and resources managed through Active Directory, from file and printer services to network devices such as routers and switches--anything that is added to or removed from the network by way of the directory. (The suite also includes software for managing policies in Active Directory and a product, DirectoryLockdown, which is designed to fend off denial-of-service attacks and security breaches.)
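The tracking Brandolph describes does not have to wait for a product: the domain controllers' own Security log already records one event per account created or deleted and per group membership change, with the actor in the event's Subject fields, provided account-management auditing is switched on. The script below is an added example for this article, not code from SearchSecurity, NetPro or ChangeAuditor. It turns such events into who-changed-what records. The event IDs are the Windows Server 2008 and later values (Windows 2000/2003 logged the same events under the ID minus 4096, for example 624 rather than 4720); the domain CONTOSO, the host DC01, the account names and the sample event XML are constructed for the example.

```powershell
# Added example: normalise AD account-management audit events into
# who/what/when records. Input is the event XML produced by
# (Get-WinEvent ...).ToXml() or `wevtutil qe Security /f:xml`.

# Windows Server 2008+ event IDs; Windows 2000/2003 used ID - 4096 (624, 630, 632 ...).
$ChangeTypes = @{
    4720 = 'User account created';     4726 = 'User account deleted'
    4741 = 'Computer account created'; 4743 = 'Computer account deleted'
    4728 = 'Member added to global group';    4729 = 'Member removed from global group'
    4732 = 'Member added to local group';     4733 = 'Member removed from local group'
    4756 = 'Member added to universal group'; 4757 = 'Member removed from universal group'
}

function ConvertFrom-AdAuditEvent {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x  = [xml]$EventXml
        # The event schema uses a default namespace, so XPath needs a prefix for it.
        $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $id = [int]$x.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
        if (-not $ChangeTypes.ContainsKey($id)) { return }   # logons, policy changes etc. are out of scope here

        # Collect the named EventData fields; their order differs between event types.
        $data = @{}
        foreach ($d in $x.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        # Group-membership events name the member in MemberName and the group in TargetUserName;
        # account events name the account in TargetUserName.
        $isGroupChange = $data.ContainsKey('MemberName')
        if ($isGroupChange) {
            $target = $data['MemberName']
            $group  = $data['TargetUserName']
        } else {
            $target = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            $group  = $null
        }
        [pscustomobject]@{
            Time   = [datetime]$x.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
            Id     = $id
            Change = $ChangeTypes[$id]
            Actor  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Target = $target
            Group  = $group
            DC     = $x.SelectSingleNode('/e:Event/e:System/e:Computer', $ns).InnerText
        }
    }
}

# Constructed sample events in the shape the Security log emits (minimal System/EventData sections).
function New-SampleEvent([int]$Id, [hashtable]$Data) {
    $fields = foreach ($k in $Data.Keys) { "<Data Name='$k'>$($Data[$k])</Data>" }
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>$Id</EventID><TimeCreated SystemTime='2005-09-27T14:02:11Z'/><Computer>DC01.contoso.local</Computer></System>" +
    "<EventData>$($fields -join '')</EventData></Event>"
}

$sampleEvents = @(
    New-SampleEvent 4720 @{ TargetUserName = 'svc-backup'; TargetDomainName = 'CONTOSO'; SubjectUserName = 'jdoe'; SubjectDomainName = 'CONTOSO' }
    New-SampleEvent 4728 @{ MemberName = 'CN=svc-backup,OU=Service,DC=contoso,DC=local'; TargetUserName = 'Domain Admins'; TargetDomainName = 'CONTOSO'; SubjectUserName = 'jdoe'; SubjectDomainName = 'CONTOSO' }
    New-SampleEvent 4726 @{ TargetUserName = 'contractor7'; TargetDomainName = 'CONTOSO'; SubjectUserName = 'helpdesk2'; SubjectDomainName = 'CONTOSO' }
    New-SampleEvent 4624 @{ TargetUserName = 'jdoe' }   # a logon event; the converter drops it
)

$changes = $sampleEvents | ConvertFrom-AdAuditEvent
$changes | Format-Table Time, Change, Actor, Target, Group -AutoSize

# Anything touching the top-privilege groups deserves an alert, not a line in a monthly report.
$changes | Where-Object { $_.Group -in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators' }

# Live use on a domain controller. Each DC logs only the changes it processed, so query all of them:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$ChangeTypes.Keys } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-AdAuditEvent
```

The events only exist if the audit policy asks for them: "Audit account management" in the Default Domain Controllers Policy on Windows 2000/2003, or the "User Account Management", "Computer Account Management" and "Security Group Management" subcategories of the advanced audit policy on Windows Server 2008 and later. Ship the records off the DC before the Security log wraps, or the audit trail an examiner asks for will not be there.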

Products like those from NetPro and other security management software firms automate the tracking of problems and performance, said Deloitte and Touche Audit and Enterprise Risk Service senior consultant Manny Fernandes. "Other companies don't necessarily have the tools to provide that level of functionality," said Fernandes.

NetPro CTO Gil Kirkpatrick said his company's products are designed in part to help security officers comply with the best practices prescribed by the IT Infrastructure Library. ITIL was created for the British government and is said to be the global standard for service management. ITIL calls for the preservation of confidentiality wherever appropriate, the maintenance of data integrity and the availability of network assets. ITIL also stipulates that transactions are not denied erroneously and that the network complies with government regulations, contracts with partners and clients and with internal controls.

"Compliance and security are now tied at the hip," said Kirkpatrick. "Most of the regulatory compliance problems are concerned [with IT security]."

To comply with the new regulations while keeping the network performing, security officers need multiple layers of defense and segregation of duties on the network.

"Rather than one big bucket of privileges, you have to have an appropriate level of access," Fernandes said. "You want to have very few people logging in to an application--only those with the appropriate skills and competencies."
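In Active Directory the "one big bucket of privileges" is the handful of groups whose members can change anything in the forest, so the evidence an auditor wants for segregation of duties is a comparison of those groups' actual membership against a list the business has signed off. The script below is an added example for this article, not code from SearchSecurity, Deloitte or NetPro. The group list, the approved baseline, the sample membership and the name "Tier-0" for the high-privilege groups are this example's assumptions; in production the current membership comes from Get-ADGroupMember, as shown in the commented line.

```powershell
# Added example: diff the membership of the highest-privilege AD groups against an
# approved baseline and report every deviation as a finding.

# Groups whose members can take over the domain or forest (constructed list; extend to taste).
$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

function Compare-PrivilegedMembership {
    param(
        # Objects with Group, SamAccountName and ObjectClass (user, computer or group).
        [Parameter(Mandatory)][object[]]$Current,
        # Baseline: group name -> sAMAccountNames the group owner has approved.
        [Parameter(Mandatory)][hashtable]$Approved
    )
    foreach ($m in $Current) {
        $finding =
            if ($m.ObjectClass -eq 'group')    { 'nested group: its members hold these rights too, enumerate it' }
            elseif ($m.ObjectClass -ne 'user') { "$($m.ObjectClass) account holds privileged rights" }
            elseif ($m.SamAccountName -notin $Approved[$m.Group]) { 'not in the approved baseline' }
            elseif ($m.SamAccountName -like 'svc*') { 'service account in a privileged group' }
        if ($finding) {
            [pscustomobject]@{ Group = $m.Group; Member = $m.SamAccountName; Finding = $finding }
        }
    }
    # Approved names that are no longer members mean the baseline itself is stale.
    foreach ($g in $Approved.Keys) {
        $present = ($Current | Where-Object Group -eq $g).SamAccountName
        foreach ($a in $Approved[$g]) {
            if ($a -notin $present) {
                [pscustomobject]@{ Group = $g; Member = $a; Finding = 'in baseline but not in group (baseline stale)' }
            }
        }
    }
}

# Constructed sample membership. Live equivalent (ActiveDirectory module, run as a reader of the domain):
# $current = foreach ($g in $Tier0Groups) {
#     Get-ADGroupMember -Identity $g | Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, ObjectClass
# }
$current = @(
    [pscustomobject]@{ Group = 'Domain Admins'; SamAccountName = 'jdoe-da';     ObjectClass = 'user'  }
    [pscustomobject]@{ Group = 'Domain Admins'; SamAccountName = 'svc-backup';  ObjectClass = 'user'  }
    [pscustomobject]@{ Group = 'Domain Admins'; SamAccountName = 'Helpdesk-L2'; ObjectClass = 'group' }
    [pscustomobject]@{ Group = 'Schema Admins'; SamAccountName = 'jdoe-da';     ObjectClass = 'user'  }
)
$approved = @{
    'Domain Admins' = @('jdoe-da', 'asmith-da')
    'Schema Admins' = @()   # should be empty outside a planned schema change
}

Compare-PrivilegedMembership -Current $current -Approved $approved | Format-Table -AutoSize
```

Run against the sample, the report flags svc-backup (not in the baseline), Helpdesk-L2 (a nested group that hides the real member list), jdoe-da's standing membership in Schema Admins, and asmith-da as an approved name that is no longer present. Those four lines are the difference between a group listing and an audit finding; schedule the comparison and keep the signed-off baseline under change control alongside the directory itself.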
