SOX compliance: Building a directory services model for adequate access controls


Dennis C. Brewer
05.16.2006


In the late 90s security practitioners thought access control problems would be solved with the ability to consolidate the proliferation of OS and network directories into one "enterprise" directory. We have since found that while the use of meta-directories for authentication and access control puts data at risk, they can be useful in obtaining the granular control of service directories required for regulatory compliance.

Meta-directories aggregate information from multiple data sources, or combine logic and filters to move information from one directory store to another while changing the pattern (syntax) of the information they move. Using aggregated directories (meta-directories) for authentication and access control is risky. If the directory environment is compromised, the single, consolidated directory is a hacker's virtual gold mine. This archaic (from a security and compliance perspective) directory model also requires treating your entire access control environment as a single, broadly defined (a.k.a. open to all users) security zone.

However, meta-directories can be useful in obtaining the granular control of service directories required for compliance with regulations such as Sarbanes-Oxley. In order to comply with an external regulatory audit, it is necessary to be able to isolate end users beyond roles, and to fix responsibility for data inputs and components of financial statements by end-user name. Meta-functionality is best used as the information mover and translator for each distinct end-user population. Granular controls are then reached by taking the identity and role information supplied via the meta-directory and using it with identity management and provisioning tools to populate a service directory and perform the granular access controls within an appropriate directory schema.


To identify and control by name who has access to, or who can change the data in a particular data field, use population specific authentication and access service directories. A population is defined in this context as a group of users who have similar authentication and access control requirements. For example, there is no need for a repeat customer who is making an online purchase to be in the same directory, access the same portal, or even be on the same network, as your users in the accounting department. The principle at work here is isolation. The more you isolate any given population of end users, the more you enhance your ability to control their access, use and overall online experience. At the same time you are confounding potential hackers.

Likewise, the opportunity for inappropriate or unintended access decreases when security policy and implementation dictate access control. Add to this the accounting principle of separation of duties, and one can begin to map out the requirements for designing and implementing the appropriate authentication and access control directory framework.

For SOX compliance, first focus on the end users who are contributors to and creators of the information that is landing in the company's financial statements. For a large espresso coffee chain, for example, that would be employees all the way from baristas in the stores, to store managers, regional staff, and corporate office accounting staff, the comptroller, and VP of finance. Merely separating this population from the rest of the end-user base would be a major improvement in some companies, where even the janitors have access and are in the same access directories as the comptroller. The question to ponder is whether this is enough isolation from the other employees. Or, should there be further differentiation by job responsibilities within the population of those who have contact with the entries on financial statements? Even though separation of access rights to applications and specific data can be controlled within the LDAP directory schema, the answer is still yes. In a large company the store level personnel should not be housed in the same access service directory as home office staff. Nor should they be able to see or access, or have other than "read only" rights to, any regional or home office financial application, and then only replicated "report only" data, eliminating any opportunity for up-line internal hacking.
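The population-isolated model described above (separate service directories per population, store staff limited to a replicated report-only copy, accountability by named user, and separation of duties on ledger approvals), as an added, runnable sketch that is not the author's code; the directory names, user names, applications and role labels are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    population: str      # the one service directory this user lives in
    roles: frozenset

# One service directory per population. A user exists in exactly one of them,
# so a store-level account cannot even bind against the home-office directory.
# Constructed sample data, not from any real deployment.
DIRECTORIES = {
    "stores": {"b.ortiz": User("b.ortiz", "stores", frozenset({"barista"})),
               "m.chen":  User("m.chen", "stores", frozenset({"store-manager"}))},
    "hq":     {"a.patel": User("a.patel", "hq", frozenset({"accounting"})),
               "j.rowe":  User("j.rowe", "hq", frozenset({"comptroller"}))},
}

# Which population may reach which application, and with what rights.
# Store staff get read only, and only on the replicated report-only ledger copy.
APP_POLICY = {
    "pos-sales":         {"stores": {"read", "write"}},
    "gl-ledger":         {"hq": {"read", "write"}},
    "gl-ledger-replica": {"stores": {"read"}, "hq": {"read"}},
}

def authenticate(directory, name):
    """Look the caller up only in its own population directory; None if absent."""
    return DIRECTORIES.get(directory, {}).get(name)

def authorize(user, app, action, audit):
    """Decide by population, and record the decision against the user's name
    (not just a role) so an auditor can fix responsibility to a person."""
    allowed = action in APP_POLICY.get(app, {}).get(user.population, set())
    audit.append((user.name, app, action, "allow" if allowed else "deny"))
    return allowed

def approve_entry(entry, approver, audit):
    """Separation of duties: the named user who posted a ledger entry may not
    approve it, regardless of the rights their population would otherwise grant."""
    if approver.name == entry["posted_by"]:
        audit.append((approver.name, "gl-ledger", "approve", "deny:sod"))
        return False
    return authorize(approver, "gl-ledger", "write", audit)
```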

Getting access control models right is not easy. It may require a good deal of detailed work for the IT department to implement an appropriate control framework, and the result may present an inconvenience for operations staff. However, there are identity management and identity provisioning software tools out there that leverage meta-directory functionality to build your ideal framework once and then maintain adequate controls over access to online resources over time.

About the author
Dennis C. Brewer is the author of Security Controls for Sarbanes-Oxley Section 404 IT Compliance: Authorization, Authentication and Access, published by Wiley. His resume includes a BSBA degree from Michigan Technological University, Novell Network Engineer Certification and over a dozen years as an information technology specialist with the State of Michigan. He retired from his position as an IT security solutions specialist in January of 2006 from the State of Michigan, Department of Information Technology, Office of Enterprise Security and is now operating his own IT consulting practice in Laurium, Michigan.
