When a cyber breach occurs, the fallout impacts the entire organization. There can be theft of company secrets, regulatory fines, loss of revenue from negative brand reputation, and the termination and departure of the senior-most people in the company. Audit and compliance around access to systems is a board level topic. The prepared organizations are executing on initiatives to keep them safe — the others we get to use as cautionary tales.
In this final post in this series, we will talk about the capabilities available in the Oracle Identity Governance Suite that can help identify and prevent access violations, automate manual processes oftentimes performed during certification campaigns, and create vital reports all in support of corporate and governmental regulatory compliance mandates.
Access certification, as the name would imply, is the feature which enables the periodic review of access to protected resources — who has/had access to what, when, and why? The Sarbanes-Oxley Act of 2002 (more commonly known as SOX) is a US federal law that, among its many provisions, holds senior leadership at certain organizations personally accountable for bad things that happen on their watch. Every fiscal quarter, as the organization issues its financial reporting, the executive leadership is ultimately attesting that they are fully aware of, and responsible for, the information they are presenting about the financial health of their company. To do this, they need to be certain (or extremely confident) that the members of their team who have a need and responsibility for reporting these facts are the only people who have accessed the various systems and applications where this information exists. So even from the narrow perspective of SOX, periodic reviews of access every 90 days can be seen as critical.
Oracle Identity Governance is a robust solution, allowing the certification process to be either closed loop or simply a remediation reporting action (see reporting below). In the closed-loop process, the solution can de-assign any role assignment that was revoked, de-provision any account that was revoked, remove any entitlement assignment that was revoked, and completely delete or disable any user who has been transferred or otherwise separated from the organization. Both line-of-business users and IT users can be involved in the process using multiphase certifications for review. Risk impact rating and classification of applications/access is important for defining the sensitivity of data — OIG enables and calculates risk values through a scheduler. Risk summaries are generated to separate high-risk certifications from medium- and low-risk items. Looking back at the cyber breach at Ashley Madison, had this been an attack by a former contractor, at some point after his departure someone in IT would have had to attest that the user was no longer under contract and would therefore not have needed any systems access — that further assumes that proper lifecycle management wasn’t followed, as that would have terminated their access immediately upon departure from the company. You will start to see patterns: many of these cyber attacks could have been prevented in multiple ways.
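To make the closed-loop mechanics concrete, here is an added, self-contained Python example (not OIG code or its API) that models a small certification campaign: line items carry a precomputed risk level, reviewers certify or revoke each one, and the revoke decisions plus the user lifecycle status are turned into the de-assign, de-provision, remove, disable and delete actions the paragraph describes. The data model, the user and entitlement names, and the action names are all assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


# Hypothetical data model for a certification campaign; field names are assumptions.
@dataclass(frozen=True)
class AccessItem:
    user: str
    kind: str      # "role", "account" or "entitlement"
    target: str    # role name, application name, or "app:entitlement"
    risk: str      # "high", "medium" or "low", as precomputed by a risk scheduler


@dataclass(frozen=True)
class Decision:
    item: AccessItem
    reviewer: str
    action: str    # "certify" or "revoke"


# Closed-loop remediation: what a revoke decision triggers for each item kind.
REMEDIATION = {
    "role": "deassign_role",
    "account": "deprovision_account",
    "entitlement": "remove_entitlement",
}

# Constructed campaign data. "carol" is a contractor whose engagement ended but whose
# access survived, i.e. the lifecycle gap the post describes.
ITEMS = [
    AccessItem("alice", "role", "AP_Clerk", "medium"),
    AccessItem("alice", "entitlement", "erp:generate_payment", "high"),
    AccessItem("bob", "account", "erp", "low"),
    AccessItem("carol", "account", "vpn", "high"),
    AccessItem("carol", "entitlement", "erp:create_invoice", "high"),
]
USER_STATUS = {"alice": "active", "bob": "active", "carol": "terminated"}

DECISIONS = [
    Decision(ITEMS[0], "ap.manager", "certify"),
    Decision(ITEMS[1], "ap.manager", "revoke"),
    Decision(ITEMS[2], "it.reviewer", "certify"),
    Decision(ITEMS[3], "it.reviewer", "revoke"),
    Decision(ITEMS[4], "ap.manager", "revoke"),
]


def risk_summary(items):
    """Count line items per risk level so high-risk reviews can be worked first."""
    return dict(Counter(i.risk for i in items))


def ordered_for_review(items):
    """Present high-risk items before medium- and low-risk ones (stable sort)."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(items, key=lambda i: rank[i.risk])


def remediate(decisions, user_status):
    """Turn reviewer decisions into closed-loop remediation actions.

    Returns a list of (action, user, target) tuples. Revoked items map to the
    matching de-assign/de-provision/remove action; users recorded as transferred
    are disabled and users recorded as terminated are deleted, regardless of how
    their individual line items were decided.
    """
    actions = []
    for d in decisions:
        if d.action == "revoke":
            actions.append((REMEDIATION[d.item.kind], d.item.user, d.item.target))
    for user, status in sorted(user_status.items()):
        if status == "transferred":
            actions.append(("disable_user", user, ""))
        elif status == "terminated":
            actions.append(("delete_user", user, ""))
    return actions


if __name__ == "__main__":
    print("risk summary:", risk_summary(ITEMS))
    for action in remediate(DECISIONS, USER_STATUS):
        print(action)
```

In a reporting-only deployment the same `remediate` output would simply be written to a report for manual follow-up rather than executed against the target systems.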
OIG is a powerful identity auditing solution capable of capturing and preventing segregation of duties (SOD) violations by defining custom policies based on attributes and expectations. As a detective tool, it looks at existing users for potential conflict violations in and across applications. Additionally, as a preventive tool, OIG is capable of checking for SOD violations at the time that a request for access/entitlement occurs. The requester is immediately notified of the violation at the time of submission, and OIG will also show the policy violation to the approver, who can then decide to approve or deny the request. Similarly, during the certification process, audit violations/conflicts such as these will be highlighted. A classic example often cited when describing SOD conflicts is giving an employee an entitlement in a financial application to create an invoice and then giving that same employee an entitlement to generate payments against invoices. Tying back to SOX compliance, you can see how a conflicting situation like the one described could end up putting senior leadership on the wrong side of the law, should someone under their watch do something illegal.
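The following added Python example (constructed for this post, not OIG's own policy engine) shows the two modes described above with the classic invoice/payment conflict as one of its policies: a detective scan over existing users' entitlements, and a preventive check that evaluates a pending request and flags the new conflicts an approver would need to decide on. Policy names, entitlement identifiers and user data are assumptions built for the example.

```python
from dataclasses import dataclass


# A SOD policy is violated when a user holds at least one entitlement from each side.
# Entitlements are written as "app:entitlement" so conflicts can span applications.
@dataclass(frozen=True)
class SodPolicy:
    name: str
    left: frozenset
    right: frozenset
    risk: str   # "high", "medium" or "low"


# Constructed policies; the first is the invoice-vs-payment example from the post.
POLICIES = [
    SodPolicy("Invoice creation vs payment generation",
              frozenset({"erp:create_invoice"}),
              frozenset({"erp:generate_payment"}), "high"),
    SodPolicy("Vendor maintenance vs payment release",
              frozenset({"erp:maintain_vendor"}),
              frozenset({"erp:generate_payment", "bank:release_wire"}), "high"),
    SodPolicy("Employee creation vs payroll run",
              frozenset({"hr:create_employee"}),
              frozenset({"payroll:run_payroll"}), "medium"),
]

# Constructed user-to-entitlement snapshot, as a detective scan would read it.
USERS = {
    "alice": {"erp:create_invoice", "erp:generate_payment", "hr:view_directory"},
    "bob": {"erp:create_invoice"},
    "dave": {"erp:maintain_vendor", "bank:release_wire", "hr:create_employee"},
    "erin": {"hr:create_employee"},
}


def violations(entitlements, policies=POLICIES):
    """Return every policy that the given entitlement set violates."""
    ents = set(entitlements)
    return [p for p in policies if (p.left & ents) and (p.right & ents)]


def detective_scan(users, policies=POLICIES):
    """Detective mode: report users whose existing access already conflicts.

    Returns {user: [(policy name, risk), ...]} for users with at least one hit.
    """
    report = {}
    for user, ents in users.items():
        hits = violations(ents, policies)
        if hits:
            report[user] = [(p.name, p.risk) for p in hits]
    return report


def preventive_check(current, requested, policies=POLICIES):
    """Preventive mode: evaluate a request before it is fulfilled.

    Only conflicts that the requested entitlement would newly introduce are
    reported; pre-existing violations are the detective scan's job. The result
    is what the requester sees on submission and what the approver decides on.
    """
    before = set(violations(current, policies))
    after = violations(set(current) | {requested}, policies)
    new = [(p.name, p.risk) for p in after if p not in before]
    return {"request": requested,
            "conflicts": new,
            "needs_approver_decision": bool(new)}


if __name__ == "__main__":
    for user, hits in detective_scan(USERS).items():
        print(f"{user}: {hits}")
    print(preventive_check(USERS["bob"], "erp:generate_payment"))
```

The same `violations` function can be run against each user's line items during a certification campaign so that reviewers see conflicting combinations highlighted next to the items they are attesting to.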
Reporting is an integrated capability with OIG, shipping with the most common reports used in identity auditing. Oracle BI Publisher further enables the creation of professional quality and customized reports based on specific requirements within an organization. Reporting plays a critical role in ensuring the data quality and security of the system over time.
As we’ve discussed in this and the earlier posts in this series, cyber breaches are not going away, and the bad guys aren’t necessarily performing overly sophisticated attacks, but rather exploiting poorly designed systems. The Oracle Identity Governance Suite provides a comprehensive set of capabilities that allows organizations to implement a defense-in-depth strategy. Working with a qualified Oracle partner, a plan can be put in place to help address where and how to begin improving your security posture. Do you first look to protect privileged and shared accounts, which can be the keys to the kingdom if compromised? Or do you look at your broader user population and start to manage their access throughout the lifecycle of their engagement with your organization? Should an access certification campaign be your starting point to identify dormant accounts that might be exploited by malicious actors? Regardless of where you start, it is critical that you DO start — otherwise you might very well find yourself as the next news headline.
Abhinav Raina, Amit Kumar and Shashank Kulshreshtha