How to be compliant with Intelligent IAM

Posted by Steve Morin - Director, Product Management on Thu, May 19, 2016

A great deal of time and effort can be saved during management reviews and audits by using an Intelligent IAM solution to provide reports, including filtering and drill-down capabilities, trend information, and data visualization tools. These not only give managers a high-level view of progress toward goals (such as eliminating orphaned accounts and policy violations), but also show auditors that efforts have been made to address high-risk issues, such as monitoring access to the most sensitive data stores and controlling the entitlements given to privileged users. Here are a few other ways that using an Intelligent IAM solution can impact your goal of true compliance:

Continuous Improvement of Provisioning and Governance

Most users of Intelligent IAM solutions focus on the immediate benefits provided by continuous monitoring, rapid response to immediate threats, and tools to analyze risks, patterns, and trends. But organizations shouldn't overlook the importance of strengthening their investment in existing IAM systems.

Intelligent IAM can support the continuous improvement of account provisioning, governance, and other IAM processes. Because it provides visibility into key areas of access risk, organizations can respond immediately, either by running a microcertification to fully inspect suspect access or by taking a deprovisioning action against a known violation. While a fixed schedule for access reviews is important to ensure compliance, enabling continuous reviews as and when risks become visible ensures best-practice governance that continuously improves and enables a more efficient provisioning and compliance process.

Reducing over-provisioning and under-provisioning

Over-provisioning and under-provisioning are occupational hazards for everyone who defines and manages roles. Over-provisioning creates security vulnerabilities by granting unnecessary entitlements to a role. Often this comes about when a single individual with unique needs requests new access levels or entitlements that are then assigned to the role rather than to the individual, so the entitlements are mistakenly given to everyone in that role. This potentially leaves everyone in the role over-provisioned, creating an access risk and circumventing the Least Privilege Model that should be standard practice.

Under-provisioning occurs when an entitlement that’s genuinely needed for a role isn't assigned, forcing all or most people in the role to request that entitlement on an exception basis. This is a drag on the productivity of the employees and of the managers and resource owners who must repetitively review and approve their ad-hoc requests.

Intelligent IAM helps people who define and manage roles reduce over-provisioning and under-provisioning. With a few clicks, they can determine the following:

  • Which entitlements are rarely or never used by current members of a role, so those entitlements can be removed from the role
  • Which entitlements are frequently or always requested by members in a role, so those entitlements can be added to the role
  • Which individuals have excessive entitlements compared with others in the role, so the behavior of those individuals can be examined and the individuals can be assigned to more appropriate roles

Activity-related information, such as last login and last transactions executed, also provides insight into whether rights are really needed. For example, if a resource hasn't been accessed for three months, there's a strong chance it's not required for that individual or for others in the same role.
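
As an added illustration (not code from the post or from Courion's product), here are the three role checks listed above plus the last-access rule, run over a constructed sample role in Python; the role, members, entitlements, dates and thresholds are all assumptions.

```python
from datetime import date, timedelta
from statistics import median

# Constructed sample data for one hypothetical role; not taken from any real system.
MEMBERS = {"alice", "bob", "carol", "dave"}
ROLE_ENTITLEMENTS = {"crm_read", "crm_write", "gl_post"}
HELD = {  # everything each member actually holds (role grants plus individual exceptions)
    "alice": {"crm_read", "crm_write", "gl_post", "hr_export"},
    "bob":   {"crm_read", "crm_write", "gl_post", "hr_export", "db_admin", "vpn_admin"},
    "carol": {"crm_read", "crm_write", "gl_post", "hr_export"},
    "dave":  {"crm_read", "crm_write", "gl_post"},
}
LAST_USED = {  # last exercise of (member, entitlement); a missing key means never used
    ("alice", "crm_read"): date(2016, 5, 10), ("alice", "crm_write"): date(2016, 5, 9),
    ("bob", "crm_read"): date(2016, 5, 11),   ("bob", "gl_post"): date(2015, 12, 1),
    ("carol", "crm_read"): date(2016, 5, 12), ("dave", "crm_read"): date(2016, 5, 1),
}
TODAY = date(2016, 5, 19)


def stale_role_entitlements(role_ents, members, last_used, today, stale_days=90):
    """Role entitlements no member has exercised within stale_days: removal candidates."""
    cutoff = today - timedelta(days=stale_days)
    return {
        e for e in role_ents
        if not any(last_used.get((m, e), date.min) >= cutoff for m in members)
    }


def exception_entitlements(held, role_ents, members, share=0.75):
    """Entitlements held outside the role by at least `share` of members: add candidates."""
    counts = {}
    for m in members:
        for e in held.get(m, set()) - role_ents:
            counts[e] = counts.get(e, 0) + 1
    return {e for e, n in counts.items() if n / len(members) >= share}


def over_provisioned_members(held, role_ents, members, factor=2):
    """Members whose count of out-of-role entitlements exceeds `factor` x the group median."""
    extras = {m: len(held.get(m, set()) - role_ents) for m in members}
    limit = factor * median(extras.values())  # a median of 0 flags anyone with extras
    return {m for m, n in extras.items() if n > limit}


if __name__ == "__main__":
    print("remove from role:", stale_role_entitlements(ROLE_ENTITLEMENTS, MEMBERS, LAST_USED, TODAY))
    print("add to role:", exception_entitlements(HELD, ROLE_ENTITLEMENTS, MEMBERS))
    print("review individuals:", over_provisioned_members(HELD, ROLE_ENTITLEMENTS, MEMBERS))
```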

Closing the Governance Gap with Continuous Monitoring

Organizations have blind spots when it comes to violations of security and privacy rules. Account provisioning systems provide users with appropriate access to corporate resources when they join a company or change roles. However, changes and exceptions to rules and roles over time introduce excessive rights for individuals, leading to policy violations and access-related vulnerabilities. In many organizations, access permissions are granted outside of approved provisioning processes. An example would be when application or database administrators grant access rights based on direct requests from a user.

Organizations should run periodic certifications asking managers to verify that existing access rights for their subordinates are necessary and appropriate. Unfortunately, busy managers often treat these as "rubber stamp" exercises. They don't take the time to review each entitlement and consider its implications. In many cases, they lack the knowledge and tools to identify policy violations. In other cases, the sheer volume to be reviewed is so overwhelming that reviewers do not thoroughly review access during the certification.

An Intelligent IAM solution can address these problems by providing not only the prevention on the front end but also continuous monitoring of identity and access-related data and events throughout the life of the user. Violations can be identified as soon as they occur (see Figure 3-2). Changes made outside approved provisioning processes can be flagged and reviewed. Data can be correlated to pinpoint Segregation of Duties (SoD) violations and other complex policy violations before they can be exploited.
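
An added example, not code from the post or from any Courion product: correlating the access actually in force on target systems with the approved provisioning ledger to flag changes made outside the process, then checking the combined access against a toxic-combination SoD rule. The users, systems, entitlements and rule are constructed.

```python
# Constructed sample data; the users, systems, entitlements and rule are hypothetical.
# Grants that went through the approved provisioning workflow: (user, entitlement, system).
APPROVED_GRANTS = {
    ("alice", "ap_invoice_create", "erp"),
    ("alice", "crm_read", "crm"),
    ("bob", "ap_invoice_create", "erp"),
    ("bob", "crm_read", "crm"),
}
# Access actually in force, as collected from the target systems.
CURRENT_ACCESS = {
    ("alice", "ap_invoice_create", "erp"),
    ("alice", "crm_read", "crm"),
    ("alice", "ap_payment_approve", "erp"),  # added directly by the ERP admin, no workflow record
    ("bob", "ap_invoice_create", "erp"),     # bob's crm_read disappeared without a workflow record
}
# Segregation-of-duties rule: one person holding every entitlement in the set is a violation.
SOD_RULES = [({"ap_invoice_create", "ap_payment_approve"}, "create and approve own invoices")]


def provisioning_drift(current, approved):
    """Return (unapproved, missing): access in force with no approved record, and
    approved access that is no longer in force. Both are changes made outside the
    provisioning process and should be flagged for review."""
    return current - approved, approved - current


def sod_violations(current, rules):
    """Users whose combined access across all systems completes a toxic combination."""
    held = {}
    for user, entitlement, _system in current:
        held.setdefault(user, set()).add(entitlement)
    return {(user, label) for user, ents in held.items()
            for combo, label in rules if combo <= ents}


if __name__ == "__main__":
    unapproved, missing = provisioning_drift(CURRENT_ACCESS, APPROVED_GRANTS)
    print("granted outside process:", unapproved)
    print("removed outside process:", missing)
    print("SoD violations:", sod_violations(CURRENT_ACCESS, SOD_RULES))
```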

Preventing Policy Violations at the Point of Origin

Even with an advanced account provisioning system, managers and resource owners find it very difficult to identify SoD and other policy violations.

An Intelligent IAM solution can be integrated with a provisioning system to flag potential policy violations at the time an access request is being reviewed. It can also give the reviewing manager or resource owner tools to drill down and look at the recipient's current entitlements and those of his or her peers, to determine if the request is necessary and appropriate. It's far less work to prevent a policy violation at the point of origin than to find it during a large-scale certification (or through a security breach).

In the near future, intelligent IAM solutions may be able to improve provisioning decisions by supplying recommendations based on real-time risk scoring. This would allow decisions to be made based on the risk profile of the enterprise, users, applications, and resources at the time of provisioning.

One example of such "intelligent provisioning" would be to set up three workflows so that

  • Low-risk access requests (as determined by the organization in the IAM solution) are granted automatically without requiring the attention of a manager.
  • Medium-risk requests are sent by the provisioning system to a manager for approval.
  • High-risk requests require approval by a manager and escalation to a higher level executive for final approval.
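
The three-tier routing above, as an added example that is not the post's or Courion's code: a simple risk score built from resource sensitivity, requester risk and a comparison with the requester's peers (the drill-down the previous section describes), mapped to the three workflows. The sensitivity levels, user risk levels, peer holdings and thresholds are assumptions.

```python
# Constructed sample data; hypothetical users, resources and organization-defined thresholds.
RESOURCE_SENSITIVITY = {"wiki_read": 1, "crm_read": 2, "payroll_export": 4, "db_admin": 5}
USER_RISK = {"alice": 1, "bob": 3}  # e.g. contractor status or prior violations raise this
PEER_HOLDINGS = {                   # entitlement sets held by members of the requester's role
    "alice": [{"wiki_read", "crm_read"}, {"wiki_read", "crm_read"}, {"wiki_read"}],
    "bob":   [{"wiki_read"}, {"wiki_read"}, {"wiki_read"}],
}
AUTO_APPROVE_MAX, MANAGER_MAX = 3, 6  # routing thresholds defined in the IAM solution


def peer_share(user, entitlement, peers):
    """Fraction of the requester's peers who already hold the entitlement."""
    group = peers.get(user, [])
    return sum(entitlement in p for p in group) / len(group) if group else 0.0


def risk_score(user, entitlement, peers=PEER_HOLDINGS):
    """Sensitivity plus requester risk; reduced when the access is common among peers."""
    # Unknown resources and unknown users are scored as risky rather than ignored.
    score = RESOURCE_SENSITIVITY.get(entitlement, 5) + USER_RISK.get(user, 3)
    if peer_share(user, entitlement, peers) >= 0.5:
        score -= 2  # most peers hold it: likely a role gap, not an anomalous request
    return max(score, 0)


def route(user, entitlement):
    """Map the score to one of the three workflows described in the post."""
    score = risk_score(user, entitlement)
    if score <= AUTO_APPROVE_MAX:
        return "auto-approve"
    if score <= MANAGER_MAX:
        return "manager"
    return "manager+executive"


if __name__ == "__main__":
    for req in [("alice", "crm_read"), ("alice", "payroll_export"), ("bob", "payroll_export")]:
        print(req, "->", route(*req))
```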

With changing policies, regulations, access, and more, it is hard to keep up with the trillions of relationships that occur within an organization on any given day. With an Intelligent IAM solution, adapting to these changes is considerably more effective and straightforward. By giving managers increased visibility into the tasks, goals, and issues at hand, an Intelligent IAM solution allows for better efficiency and productivity within the company. By enabling continuous reviews, an intelligent solution guarantees that high-risk situations can be monitored and corrected with immediate precautions. It also helps audits run smoothly by providing reports, including filtering and drill-down capabilities, trend information, and data visualization tools. Not only will an Intelligent IAM solution help you pass your audit, but it will put your organization on the path to true compliance.

Want to learn more about how intelligence can impact your organization's approach to compliance? Download our new eBook Improving IAM with Intelligence for more information or schedule a demo to see Access Insight 9 at work.

Tags: access compliance, access rights, Access Insight, access risk, compliance

What does "Compliance" mean to you?

Posted by Ashley Sims - Marketing Manager on Thu, Apr 07, 2016

Compliance is a word that we hear a lot in our business. Broadly, it is defined as "the action or fact of complying with a wish or command." 

If that seems like a simple definition, it's because it is. It's too simple. In today's world, not only do you have to comply with the wishes of customers, vendors, and board members; you have to make sure that you are compliant with any one of several governing boards in your industry. 

HIPAA. SOX. NIST. PCI-DSS. These are just a few of the most well-known regulations that businesses have to follow, and they all create very unique challenges for organizations. 

In order to get a better handle on what "compliance" means outside of Webster's definition, we asked some of our friends around the cyber-security industry to help us out and answer the seemingly simple question: "What does 'Compliance' mean to you?"

"What does compliance mean to me? In short, it’s the bare minimum standard we must meet in order to be able to demonstrate security. Compliance gives us a common language to use between regulators, auditors and security to evaluate the effectiveness of our controls."

Brent Comstock - VP, Identity & Access Management, Elavon 

"Compliance is simply defined as the ability to comply with a set of rules or requests.  As a CFO, we typically think of this as ensuring the organization has the requisite systems of internal control that adequately manage the risks that the corporation faces in multiple areas (such as legal risk, financial risk, regulation risk, IT risk, data risk, etc). Interesting to note that organizations continue to equate compliance with security with an inappropriate reliance on historical system compliance procedures leading them to mistakenly believe that their company is more secure."

Curtis Cain - CFO, Courion Corporation 

"With Information Security this goes further and it is more than just acting in accordance with regulatory conditions or requirements.  It is consistently acting with initiative, which according to Victor Hugo is “doing the right thing without being told.”  For one reason or another, some wait until they are told what is right or wrong prior to acting, but this places industries at risk, especially if they are not taking steps to proactively protect their technologies and the information housed within."

Alex Naveira, CISSP, CISA - Director, ITGA & CISO, Miami Children's Hospital 

"In order to be successful and achieve the appropriate level of compliance, the CIO must advocate for a Compliance Governance within the HCO.  The CIO can be the catalyst but it will take a village of leadership and stakeholders to weather the strong currents that drive compliancy."

William "Buddy" Gillespie, HCISPP, ITILv3 - WJGillespie HIT Consulting  

Do these definitions ring true in your business? If not, tell us what compliance means to you in the comments. 

Looking for more information on how your organization can become or remain compliant? Courion and Core Security have multiple options for maintaining compliance across all industry and government regulations. Find out more here or contact us at

Tags: access compliance, hipaa compliance, access risk, compliance

Call for Entries! CourionCares Program for Education

Posted by Courion Corporation on Tue, Feb 05, 2013

Courion is now accepting entries for its CourionCares™ Program for Education. A part of the larger CourionCares corporate citizenship initiative, the CourionCares Program for Education provides deserving educational institutions with the opportunity to apply for a donation of Identity and Access Management (IAM) software to manage user access, demonstrate access policy compliance and improve IT security.

Protecting student data is one of the most important tasks in educational institutions today. As with commercial enterprises, it’s essential to manage user access to sensitive data while being able to demonstrate compliance with privacy and regulatory policies such as the Family Educational Rights and Privacy Act (FERPA), the Children’s Internet Protection Act (CIPA), and the Health Insurance Portability and Accountability Act (HIPAA).

Without proper identity and access risk management controls in place, non-profits are put at risk — suffering from data breaches and regulatory violations — and, more importantly, a loss of trust. To make matters worse, they’re also constrained by budgetary and resource limitations.

Designed to address security and regulatory challenges associated with managing user access, the CourionCares Program for Education awards complimentary software licenses to a different non-profit organization each year. Courion's Access Risk Management Suite solution helps organizations improve security and demonstrate regulatory compliance by ensuring that only the right people have the right access to the right resources and are doing the right things with it.

Who is eligible: The program is open to national 501(c)(3) and international not-for-profit organizations and educational institutions.

When: The deadline to submit is March 30, 2013. A winner will be announced in June 2013.

How to enter: Organizations must submit a 250 word (minimum) descriptive overview of the IT security and regulatory challenges they face, including reasons they believe Courion solutions will help them with these challenges, and how Courion solutions will help the organization achieve its mission and goals specific to the constituency they serve. Entries must be submitted by a CISO, CSO, CIO or equivalent IT executive position in the organization.

Click here to complete a submission form.

Tags: courioncares, access compliance, Courion, access governance, identity and access management, Access Risk Management, education

Giving Back – A Year Round Tradition at Courion

Posted by Courion Corporation on Wed, Nov 21, 2012

For many, ‘tis the season for giving thanks and giving back – something we do at Courion year round.

Courion is committed to giving back to the community through supporting education, social services, local charities and foundations. Through our CourionCares™ program,  a companywide philanthropic initiative for local organizations in need, Courion employees raise money throughout the year through a variety of activities including bake sales, chili cook-offs and laptop auctions, as well as through SnackCourier, which donates proceeds from refreshments purchased by Courion employees to charities year round.

An integral part of CourionCares is the annual employee auction, which this year raised a record of over $30,000 for local charities. Every November, employees have the chance to bid on a wide range of goods and services donated by local businesses, partners and Courion employees – from a New England weekend getaway to golfing with the CFO, autographed sports memorabilia to a barbeque for 24 – with 100 percent of the proceeds going to the Neely Foundation for Cancer Care, and to foster Science, Technology, Engineering and Math (STEM) education efforts at the Curley K-8 School in Boston.

“Once again the Courion team has stepped up and impressed me with its generosity and commitment to helping others,” said Chris Zannetos, Courion President and CEO. “I am proud of the time and energy Courion staff puts in to making the CourionCares program a success, whether it’s the annual auction or the many other activities they drive throughout the year.”

Additional CourionCares activities include supporting science contests, career education programs, and service learning trips for inner city schools; and food pantry, back to school supplies and holiday gift drives. And Courion staff has personally contributed over $190,000 since the inception of the program.

Another component of the initiative is the CourionCares Program for Non-Profits, which awards complimentary software licenses to a qualified non-profit organization every year for Identity and Access Management (IAM) software to manage user access, demonstrate access policy compliance and improve IT security.

To learn more about Courion’s philanthropic initiatives, click here.

Tags: courioncares, access compliance, Courion, identity management, identity and access management