Tip

SOX compliance: Building a directory services model for adequate access controls

In the late 90s security practitioners thought access control problems would be solved with the ability to consolidate the proliferation of OS and network directories into one "enterprise" directory. We have since found that while the use of meta-directories for

--> <table border=" align="left"> 

SOX Security School


Go to SOX Security School to learn what you need to do to meet auditor's evolving expectations and pass your next SOX audit.

 

 

Authentication and access control puts data at risk, they can be useful in obtaining the granular control of service directories required for regulatory compliance.

Meta-directories aggregate information from multiple data sources or are combined with logic and filters to move information from one directory storage point to another, while being able to change the pattern (syntax) of the information it is moving. Using aggregated directories (meta-directories) for authentication and access control is risky. If the directory environment is compromised, the single, consolidated directory is a hacker's virtual gold mine. This archaic (from a security and compliance perspective) directory model also requires treating your entire access control environment as a single, broadly defined (a.k.a. open to all users) security zone.

However, meta-directories can be useful in obtaining the granular control of service directories required for compliance with regulations such as Sarbanes-Oxley. In order to comply with an external regulatory audit, it is necessary to be able to isolate end users beyond roles, and to fix responsibility for data inputs and components of financial statements by end-user name. Meta-functionality is best used as the information mover and translator on a per unique end-user population basis. Granular controls are then reached by taking the identity and role information supplied via the meta-directory and using it with identity management and provisioning tools to populate a service directory and perform the granular access controls within an appropriate directory schema.

@21162

To identify and control by name who has access to, or who can change the data in a particular data field, use population specific authentication and access service directories. A population is defined in this context as a group of users who have similar authentication and access control requirements. For example, there is no need for a repeat customer who is making an online purchase to be in the same directory, access the same portal, or even be on the same network, as your users in the accounting department. The principle at work here is isolation. The more you isolate any given population of end users, the more you enhance your ability to control their access, use and overall online experience. At the same time you are confounding potential hackers.

Likewise, the opportunity for inappropriate or unintended access decreases when security policy and implementation dictate access control. Add to this the accounting principle of separation of duties, and one can begin to map out the requirements for designing and implementing the appropriate authentication and access control directory framework.

For SOX compliance, first focus on the end users who are contributors to and creators of the information that is landing in the company's financial statements. For a large espresso coffee chain, for example, that would be employees all the way from baristas in the stores, to store managers, regional staff, and corporate office accounting staff, the comptroller, and VP of finance. Merely having this much separation of a population of end-user populations would be a major improvement in some companies where even the janitors have access and are in the same access directories as the comptroller. The question to ponder is whether this is enough isolation from the other employees. Or, should there be further differentiation by job responsibilities within the population, who have contact with the entries on financial statements? Keeping in mind that separation of access rights to applications and specific data can be controlled within the LDAP directory schema, the answer is still yes. In a large company the store level personnel should not be housed in the same access service directory as home office staff. Nor should they be able to see or access, or have other than "read only rights" to any regional or home office financial application, and then only replicated "report only" data, eliminating any opportunity for up-line internal hacking.

Getting access control models right is not easy. It may require a good deal of detailed work for the IT department to implement an appropriate control framework and the result may present an inconvenience for operations staff. However, there are identity management and identity provisioning software tools out there that leverage meta-directory functionality to do things within your ideal framework once and leverage it over time to maintain adequate controls over access to online resources.

About the author
Dennis C. Brewer is the author of
Security Controls for Sarbanes-Oxley Section 404 IT Compliance: Authorization, Authentication and Access published by Wiley. His resume includes a BSBA degree from Michigan Technological University, Novell Network Engineer Certification and over a dozen years as an information technology specialist with the State of Michigan. He retired from his position as an IT security solutions specialist in January of 2006 from the State of Michigan, Department of Information Technology, Office of Enterprise Security and is now operating his own IT consulting practice in Laurium, Michigan.

This was first published in May 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.