To ensure compliance with regulations and industry standards like Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security Standard (PCI DSS), you'll need tools that provide reports revealing who accesses your systems. All current users need to be accounted for. These standards and regulations require regular auditing to ensure inactive users are trimmed from the system. In addition, all removals must be documented.
A product that combines reporting and auditing is ideal. It allows you to audit systems for internal auditsr and provide reports that satisfy regulators. As a best practice, make it a routine to implement your auditor's recommendations. Provide controls for setting up user access to systems, maintain directories of users and groups, allow only unique user IDs and audit for stale accounts and ex-employees. Picky regulators may have their own particular requirements in addition to those mentioned. As a result, when shopping for any product, make sure it has additional features for regulatory compliance reporting.
Fortunately, many products on the market offer both features. Your product selection should be based on your needs -- whether for regulatory compliance or internal auditing -- how well the product meshes with your identity management system and cost considerations.
The following are four well-known products in the market:
BMC Software Inc. offers several identity management products that can be used for provisioning access as well as reporting. In addition, they're adaptable to different systems from mainframes to distributed systems. Secure Computing Corp.'s SecureWord SafeWire is an appliance that sits on your network and provides access control for both internal and remote access, including VPNs. The product has an internal management console and provides collective reporting tailored to your needs.
Beta Systems Software AG's SAM Identity Management Suite also combines provisioning with reporting. SAM Jupiter has a log-auditing facility that provides historical reports for compliance with SOX and Basel II, its European equivalent.
LogLogic Inc.'s LogLogic 4 is another interesting product, billing itself as an analytical tool for a number of different regulations. But lately, the product has been heavily marketed as a tool for PCI Data Security Standard compliance, which requires auditing of identity management and user accounts. This is just a sample of identity management software products available.
For more information:
Dig Deeper on Privileged access management
Related Q&A from Joel Dubin
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ... Continue Reading
In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well ... Continue Reading
When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.