New in IdM 7.1: Periodic Access Review Improvements

One of the key improvements to IdM 7.0 was the re-integration of Sun's Identity Auditor back into the core Sun Identity Manager product.  The original idea was to fork the core code and offer an auditing product that could look down the same resource adapters to view user account information and check for security audit and separation of duty violations.  That is the way it works in 6.X.

But fortunately, clearer heads prevailed and in 7.0 the code fork was removed and the two became one again (and so did the license, saving you money by not having to purchase two products). The reason was simple: provisioning and auditing go hand in hand, yin and yang, Abbott and Costello, etc. With the products split, you could only do postmortems on problems already introduced into your identity infrastructure. Create a security violation and it may be a week before an audit catches it, if it does at all.

What if you could catch it a priori, before creating the problem? With 7.X, you can add a policy check to your provisioning workflows to do an on-the-spot audit check before you create a problem you then have to find later. In your workflows you can basically say "OK, I know how I want to provision this user, but before I do, let me check against the current auditing and security policies and ensure the user's provisioning does not violate any of them." Don't forget, the auditing security policies can change at any time, so this step saves creating a problem you may not detect until the next audit scan.

The big improvement now in IdM 7.1 is improved attestation, or periodic access review (PAR). One of the new burdens on systems managers due to Sarbanes-Oxley is the need to periodically (once a quarter, month, or week) review who has access to your systems and whether that access should continue. This PAR requirement has identity management teams scrambling to issue reports to managers so they can attest that the user accounts are valid, and to ensure the systems managers respond in a timely fashion.

But fret no more; Sun's IdM 7.1 has a new PAR subsystem built into it that makes PARs almost OOTB. You can set a review task to start on a regular basis to scan all user accounts and send a report to the manager of a resource or organization unit (or to both of them) to validate the user accounts on their system. There are new reports available to help managers review the user accounts and quickly attest or challenge (or pass on to a delegate) the user's access. There are summary reports that help auditors see the state of each PAR and determine which managers have not responded yet.

One other feature I will mention in passing, and go into in more detail in a future posting, is the ability of an attesting manager to request that a user's account information be refreshed from live data at the time of attestation. This ensures the attestation is working on current-state data, not the data captured at the time of the original scan. More later.
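To make the contrast between a post-hoc audit scan and a provision-time policy check concrete, here is an added example: a small Python model, not Sun IdM code or its workflow language, with a constructed separation-of-duty policy table and a hypothetical in-memory account store standing in for the resource adapters.

```python
"""Hypothetical model (not Sun IdM code) of the two audit modes contrasted above:
a post-hoc scan that finds separation-of-duty violations after provisioning,
and a provision-time policy check that refuses the request up front."""
from dataclasses import dataclass, field

# Constructed sample SoD policies: entitlement sets one person must never hold together.
SOD_POLICIES = {
    "payables-vs-approval": {"ap_invoice_entry", "ap_invoice_approve"},
    "dev-vs-prod-deploy": {"source_commit", "prod_deploy"},
}


@dataclass
class Account:
    user: str
    entitlements: set = field(default_factory=set)


def violations(entitlements):
    """Names of SoD policies whose full toxic combination is present."""
    return sorted(name for name, combo in SOD_POLICIES.items() if combo <= entitlements)


def provision_unchecked(store, user, entitlement):
    """6.x-style: grant now; a later audit scan may or may not notice."""
    store.setdefault(user, Account(user)).entitlements.add(entitlement)


def provision_checked(store, user, entitlement):
    """7.x-style: evaluate the current policies against the would-be state first.
    Returns (granted, violated_policies)."""
    current = store.get(user, Account(user)).entitlements
    hits = violations(current | {entitlement})
    if hits:
        return False, hits
    store.setdefault(user, Account(user)).entitlements.add(entitlement)
    return True, []


def audit_scan(store):
    """Post-hoc scan: every account that already violates a policy."""
    return {u: violations(a.entitlements) for u, a in store.items()
            if violations(a.entitlements)}


def attestation_view(snapshot, store, user, refresh):
    """What the attesting manager reviews: the scan-time snapshot, or (with
    refresh=True) the live entitlements, as the 7.1 refresh option allows."""
    if refresh:
        return set(store.get(user, Account(user)).entitlements)
    return set(snapshot.get(user, set()))
```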

Sean ONeill