SOX reality check: Provisioning systems

This article provides you with insight into compliance-related products for account lifecycle management, reporting and review, and workflow and approvals.

Sarbanes-Oxley requires that companies institute internal controls over the processes that may affect the accuracy of financial reports. One of the key aspects of these internal controls is the ability to regulate and audit access to important corporate applications and systems. In today's world, the mechanisms that authenticate users and manage privileges are shared across the enterprise. 

As a result, account management and access control can't be localized to the financial applications but must be managed consistently across the corporation. However, while some of the account services are centralized, there are always systems and applications that don't integrate with the corporate environment. In the face of these complications, a corporation must be able to prove that only authorized individuals are allowed access to the systems and applications that affect its financials.

Identity management and provisioning systems can help organizations meet the requirements of Sarbanes-Oxley by consolidating and facilitating the provisioning, management, and auditing of system and application accounts across an enterprise. One of the most helpful aspects of identity management systems is that they automate the notification and approval workflow that is necessary when creating and modifying accounts. Organizations must ensure that there is appropriate separation of duties, that supervisors, information owners and information custodians are notified of changes to accounts and privileges, and that accounts and privileges are re-certified periodically. Without an automated centralized system, the communications, reporting and auditing can become unmanageable.

A growing number of software companies provide identity management solutions. Some of the most prominent products are CA Identity Manager, Courion's Enterprise Provisioning Suite, Hewlett-Packard OpenView Identity Management, IBM Tivoli Identity Manager, Microsoft Identity Integration Server, Novell Identity Manager, Sun Java System Identity Manager and Oracle Xellerate Identity Provisioning. All these solutions are designed to be the centerpiece of identity management in the enterprise. A number of features are important in choosing an identity management solution, particularly when regulatory compliance is a driving factor. An organization must consider:

  • Ease of integration with critical systems and applications
    The more easily existing systems and applications integrate with the identity management system, the better the corporation can rely on the identity management system to automate account creation, management and reporting. Virtually all identity management systems integrate with prominent account systems like Active Directory or LDAP. The question is whether financial applications and home-grown systems can be integrated as well.

  • Ease of integration of existing databases
    User databases are often distributed throughout an organization. Being able to import or integrate with these databases is an important measure of a product's ability to adapt to an organization. Support for an organization's preferred database technology or technologies (e.g., Oracle, SQL Server, DB2) is also important to avoid the cost and nightmare of introducing new technology.

  • Platform compatibility
    Identity management solutions need to be compatible with the platforms an organization depends on. For most large organizations, convenient and rich integration with mainframe, Unix and Windows technologies is required.

  • Authorization and policy flexibility
    Identity management systems need to be able to accommodate the authorization or entitlement models of an organization, not force an organization to change its model to match the system. On the other hand, identity management systems may provide an opportunity to unify the various systems and applications that currently have inconsistent or even conflicting models. Organizations need to assess the needs of various systems and applications and determine if the identity management system supports their current and/or future models.

  • Reporting capabilities
    The ability to report on the accounts and privileges associated with individuals or groups in a flexible and customizable manner is critical to SOX compliance. All of the identity management solutions listed above include flexible reporting features, either in an integrated package or via a third-party mechanism like Crystal Reports. In addition to account status and history reporting, it is useful to have a system that is able to scan accounts for compliance with policy (e.g., appropriate separation of creation and approval privileges) and report exceptions both in regular reports and asynchronously in alerts. Organizations should look at the kinds of reports that auditors require and ensure that the identity management system can provide the necessary information.

  • Support for workflow, including provisioning, de-provisioning and authorization certification
    SOX requires a documentation trail to justify all creation, deletion and changes to user accounts and privileges. Just as important is proof that the right people were notified and required to approve those changes. Identity management systems provide workflow engines that integrate with e-mail systems to notify interested parties. They also require and track approvals before changes are actually implemented.

Provisioning systems: The real deal

By Diana Kelley, Burton Group Analyst

Regulations such as SOX don't explicitly require implementation of an identity management system with robust provisioning. However, the foundation of many compliance programs is the capacity to manage and report on roles and access for users. Provisioning tools can help automate the process by automatically creating accounts with appropriate levels of access. The flip side of provisioning -- de-provisioning -- is also a critical piece of access control compliance because it can ensure that user rights are quickly revoked when necessary.

There's no question that automating provisioning and de-provisioning of accounts with robust tooling can result in increased granularity of access control and overall efficiency in the compliance process.

Here's what provisioning tools can't do: they can't do the work of defining roles and responsibilities in your organization, and they can't automatically determine how best to fit in strategically with the corporate architecture. Determining who and what must have access to which systems, applications and devices on the corporate network is an exercise that should be completed prior to deployment of the provisioning solution.

Once the rules and roles have been defined, an enterprise must decide where to house that information and how it will be accessed. This is because many provisioning systems are predicated on the existence of an authoritative source of identity information. If such an authoritative source does not exist, provisioning automation may introduce fragmentation or confusion.

Provisioning tools can automate account creation and elimination, but they must be configured with the right information and have access to up-to-date authoritative identity and attribute stores. In short: clean house first. Complete role definition and repository populating work before deploying provisioning; there's little sense in automating a broken process.
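The reporting and workflow items in the checklist above describe two controls an auditor looks for: a scan that flags policy exceptions such as combined creation and approval privileges or lapsed re-certification, and an approval trail for every account change in which the requester and the approver are different people. The following Python model is an added example written for this page; it is not code from the article or from any product the article names. The SoD policy pairs, the 90-day re-certification cycle, the entitlement names, the owner roles and the sample accounts are all constructed assumptions.

```python
"""Added example (not from the article or any product it names): a toy provisioning
core for the reporting and workflow items in the checklist above. Changes apply only
after approval by the information owner, who must not be the requester; every
decision goes to an audit trail; a scan reports separation-of-duties conflicts and
overdue re-certifications. Policy, entitlement names and accounts are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed SoD policy: entitlement pairs no single person may hold together.
SOD_CONFLICTS = {frozenset({"ap.create_vendor", "ap.approve_payment"}),
                 frozenset({"gl.post_journal", "gl.approve_journal"})}
RECERT_PERIOD = timedelta(days=90)   # assumed attestation cycle

@dataclass
class Account:
    user: str
    entitlements: set[str]
    owner: str              # information owner who must approve changes
    last_certified: date
    active: bool = True

@dataclass
class ChangeRequest:
    account: Account
    action: str             # "grant", "revoke" or "disable"
    requested_by: str
    entitlement: str | None = None
    approved_by: str | None = None

class Provisioner:
    def __init__(self):
        self.audit_log = []   # (user, action, entitlement, requested_by, approved_by, outcome)

    def approve(self, req, approver):
        """Workflow gate: the approver must be the owner and not the requester."""
        if approver == req.requested_by:
            raise PermissionError("requester may not approve their own request")
        if approver != req.account.owner:
            raise PermissionError("only the information owner may approve")
        req.approved_by = approver

    def apply(self, req):
        """Apply an approved change; returns False if the preventive SoD check rejects it."""
        if req.approved_by is None:
            raise PermissionError("change has no recorded approval")
        acct, outcome = req.account, "applied"
        if req.action == "grant":
            if any(frozenset({req.entitlement, e}) in SOD_CONFLICTS for e in acct.entitlements):
                outcome = "rejected: would create SoD conflict"
            else:
                acct.entitlements.add(req.entitlement)
        elif req.action == "revoke":
            acct.entitlements.discard(req.entitlement)
        elif req.action == "disable":   # de-provisioning on transfer or exit
            acct.active, acct.entitlements = False, set()
        else:
            raise ValueError(f"unknown action {req.action!r}")
        self.audit_log.append((acct.user, req.action, req.entitlement,
                               req.requested_by, req.approved_by, outcome))
        return outcome == "applied"

def scan(accounts, today):
    """Detective control: (user, exception, detail) rows for the auditor's report."""
    rows = []
    for a in accounts:
        if not a.active:
            continue
        for pair in SOD_CONFLICTS:
            if pair <= a.entitlements:
                rows.append((a.user, "sod_conflict", "+".join(sorted(pair))))
        if today - a.last_certified > RECERT_PERIOD:
            rows.append((a.user, "recert_overdue", a.last_certified.isoformat()))
    return rows

def demo():
    """Constructed scenario; returns scan results and the audit trail for inspection."""
    today = date(2006, 2, 1)
    alice = Account("alice", {"ap.create_vendor"}, "cfo", date(2006, 1, 15))
    bob = Account("bob", {"gl.post_journal", "gl.approve_journal"}, "controller",
                  date(2005, 9, 1))
    prov = Provisioner()
    before = scan([alice, bob], today)          # bob: SoD conflict and overdue
    # Owner approval is present, but the grant would let alice both create vendors
    # and approve payments, so the preventive check rejects it (and logs why).
    req = ChangeRequest(alice, "grant", "alice.manager", "ap.approve_payment")
    prov.approve(req, "cfo")
    granted = prov.apply(req)
    try:                                        # the owner cannot approve own request
        prov.approve(ChangeRequest(bob, "revoke", "controller", "gl.approve_journal"), "controller")
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    fix = ChangeRequest(bob, "revoke", "internal.audit", "gl.approve_journal")
    prov.approve(fix, "controller")
    prov.apply(fix)
    return {"before": before, "granted": granted, "after": scan([alice, bob], today),
            "self_approval_blocked": self_approval_blocked, "audit": prov.audit_log}
```

Calling `demo()` returns the scan rows before and after remediation, the result of the refused grant, and the audit trail. The design point is that `apply` (preventive) and `scan` (detective) consult the same `SOD_CONFLICTS` policy, so a violation that slips in through an unmanaged path still surfaces in the periodic report, while changes that go through the workflow are stopped before they take effect and the refusal itself is recorded for the auditor.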

As time goes on, larger organizations (at least) will likely find that it is nearly impossible to meet all of the SOX requirements without some kind of centralized, automated identity management and provisioning solution. Whether it is an off-the-shelf system, a customized solution or a combination, identity management systems appear to be part and parcel of regulatory compliance.

>> Next: SOX reality check: Compliance management products

This was last published in February 2006