How to be compliant with Intelligent IAM

Posted by Steve Morin -Director, Product Management on Thu, May 19, 2016

A great deal of time and effort can be saved during management reviews and audits by using an Intelligent IAM solution to provide reports, including filtering and drill-down capabilities, trend information, and data visualization tools. These not only give managers a high-level view of progress toward goals (such as eliminating orphaned accounts and policy violations), but also they can show auditors that efforts have been made to address high-risk issues, such as monitoring access to the most sensitive data stores and controlling the entitlements given to privileged users. Here are a few other ways that using an Intelligent IAM solution can impact your goal of true compliance:

Continuous Improvement of Provisioning and Governance

Most users of Intelligent IAM solutions focus on the immediate benefits provided by continuous monitoring, rapid response to immediate threats, and tools to analyze risks, patterns, and trends. But organizations shouldn't overlook the importance of strengthening their investment in existing IAM systems.

Intelligent IAM can support the continuous improvement of account provisioning, governance, and other IAM processes. By providing visibility into key areas of access risk, it lets organizations respond immediately, either by performing a microcertification to fully inspect suspect access or by taking a deprovisioning action against a known violation. While having a fixed schedule for access reviews is important to ensure compliance, enabling continuous reviews as and when risks become visible ensures best-practice governance that continuously improves and enables a more efficient provisioning and compliance process.

Reducing over-provisioning and under-provisioning

Over-provisioning and under-provisioning are occupational hazards for everyone who defines and manages roles. Over-provisioning creates security vulnerabilities by granting unnecessary entitlements to a role. Often this comes about when a single individual with unique needs requests new access levels or entitlements that are then assigned to the role rather than to the individual, and the entitlements are mistakenly given to everyone in that role. This potentially leads to everyone in the role being over-provisioned, which creates an access risk and circumvents a Least Privilege Model, which should be a best practice.

Under-provisioning occurs when an entitlement that’s genuinely needed for a role isn't assigned, forcing all or most people in the role to request that entitlement on an exception basis. This is a drag on the productivity of the employees and of the managers and resource owners who must repetitively review and approve their ad-hoc requests.

Intelligent IAM helps people who define and manage roles reduce over-provisioning and under-provisioning. With a few clicks, they can determine the following:

  • Which entitlements are rarely or never used by current members of a role, so those entitlements can be removed from the role
  • Which entitlements are frequently or always requested by members in a role, so those entitlements can be added to the role
  • Which individuals have excessive entitlements compared with others in the role, so the behavior of those individuals can be examined and the individuals can be assigned to more appropriate roles

Activity related information, such as last login and last transactions executed, also provides insight into whether rights are really needed. For example, if a resource hasn't been accessed for three months, there's a strong chance it's not required for that individual or others in the same role.
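The three checks in the list above, together with the three-month activity rule, as an added example (not code from the original post or from any IAM product). The thresholds, entitlement names, users and dates are constructed assumptions, and individually granted entitlements stand in for approved exception requests.

```python
from collections import Counter
from datetime import date, timedelta

# Assumed thresholds; only the three-month window comes from the text.
STALE_AFTER = timedelta(days=90)  # no use for three months = probably not needed
RARE_SHARE = 0.25                 # role entitlement used by <= 25% of members
COMMON_SHARE = 0.60               # exception held by >= 60% of members
OUTLIER_MIN = 2                   # uncommon extras before a user is flagged


def analyze_role(role_ents, members, grants, last_used, today):
    """Review one role.

    role_ents: entitlements bundled into the role
    members:   user ids assigned to the role
    grants:    user -> entitlements granted individually (approved exceptions)
    last_used: (user, entitlement) -> date of last recorded use
    """
    n = len(members)
    if n == 0:  # empty role: nothing to compare against
        return {"remove_from_role": [], "add_to_role": [], "outliers": {}}
    cutoff = today - STALE_AFTER

    def active_users(ent):
        # Members who exercised the entitlement inside the activity window.
        return sum(1 for u in members
                   if last_used.get((u, ent), date.min) >= cutoff)

    # Over-provisioning: role entitlements that members rarely or never use.
    remove = sorted(e for e in role_ents if active_users(e) / n <= RARE_SHARE)

    # Under-provisioning: exceptions that most members had to request.
    extras = {u: set(grants.get(u, ())) - set(role_ents) for u in members}
    held_by = Counter(e for ents in extras.values() for e in ents)
    add = sorted(e for e, c in held_by.items() if c / n >= COMMON_SHARE)

    # Outliers: users holding several extras that their peers do not hold.
    outliers = {}
    for u in members:
        unusual = sorted(e for e in extras[u]
                         if held_by[e] / n < COMMON_SHARE)
        if len(unusual) >= OUTLIER_MIN:
            outliers[u] = unusual
    return {"remove_from_role": remove, "add_to_role": add,
            "outliers": outliers}


# ---- Constructed sample data (hypothetical role, users and entitlements) ----
TODAY = date(2016, 5, 19)
RECENT, STALE = date(2016, 5, 2), date(2015, 11, 1)
MEMBERS = ["alice", "bob", "carol", "dave", "erin"]
ROLE_ENTS = {"erp:invoice.read", "erp:invoice.create",
             "erp:vendor.edit", "fileshare:ap-archive"}
GRANTS = {
    "alice": {"bi:ap-dashboard"},
    "bob": {"bi:ap-dashboard", "hr:directory.read"},
    "carol": {"bi:ap-dashboard"},
    "dave": {"bi:ap-dashboard"},
    "erin": {"erp:payment.approve", "db:finance.admin"},
}
LAST_USED = {(u, "erp:invoice.read"): RECENT for u in MEMBERS}
LAST_USED.update({(u, "erp:invoice.create"): RECENT for u in MEMBERS[:4]})
LAST_USED[("alice", "fileshare:ap-archive")] = RECENT
LAST_USED[("bob", "fileshare:ap-archive")] = STALE
# erp:vendor.edit has no usage records at all.


def run_sample():
    return analyze_role(ROLE_ENTS, MEMBERS, GRANTS, LAST_USED, TODAY)


if __name__ == "__main__":
    for finding, value in run_sample().items():
        print(finding, "->", value)
```

A user with a single uncommon extra (bob in the sample) is deliberately not flagged; lowering `OUTLIER_MIN` trades reviewer workload for coverage.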

Closing the Governance Gap with Continuous Monitoring

Organizations have blind spots when it comes to violations of security and privacy rules. Account provisioning systems provide users with appropriate access to corporate resources when they join a company or change roles. However, changes and exceptions to rules and roles over time introduce excessive rights for individuals, leading to policy violations and access-related vulnerabilities. In many organizations, access permissions are granted outside of approved provisioning processes. An example would be when application or database administrators grant access rights based on direct requests from a user.

Organizations should run periodic certifications asking managers to verify that existing access rights for their subordinates are necessary and appropriate. Unfortunately, busy managers often treat these as "rubber stamp" exercises. They don’t take the time to review each entitlement and consider its implications. In many cases, they lack the knowledge and tools to identify policy violations. In other cases, the sheer volume that needs to be reviewed is so overwhelming that reviewers do not thoroughly review access during the certification review.

An Intelligent IAM solution can address these problems by providing not only the prevention on the front end but also continuous monitoring of identity and access-related data and events throughout the life of the user. Violations can be identified as soon as they occur (see Figure 3-2). Changes made outside approved provisioning processes can be flagged and reviewed. Data can be correlated to pinpoint Segregation of Duties (SoD) violations and other complex policy violations before they can be exploited.

Preventing Policy Violations at the Point of Origin

Even with an advanced account provisioning system, managers and resource owners find it very difficult to identify SoD and other policy violations.

An Intelligent IAM solution can be integrated with a provisioning system to flag potential policy violations at the time an access request is being reviewed. It can also give the reviewing manager or resource owner tools to drill down and look at the recipient's current entitlements and those of his or her peers, to determine if the request is necessary and appropriate. It's far less work to prevent a policy violation at the point of origin than to find it during a large-scale certification (or through a security breach).

In the near future, intelligent IAM solutions may be able to improve provisioning decisions by supplying recommendations based on real-time risk scoring. This would allow decisions to be made based on the risk profile of the enterprise, users, applications, and resource at the time of provisioning.

One example of such "intelligent provisioning" would be to set up three workflows so that:

  • Low-risk access requests (as determined by the organization in the IAM solution) are granted automatically without requiring the attention of a manager.
  • Medium-risk requests are sent by the provisioning system to a manager for approval.
  • High-risk requests require approval by a manager and escalation to a higher level executive for final approval.

Conclusion

With changing policies, regulations, access, and more, it is hard to keep up with the trillions of relationships that happen within an organization on any given day. With an Intelligent IAM solution, adapting to these advancements is considerably more effective and straightforward. By allowing managers to have increased visibility of the tasks, goals, and issues at hand, an Intelligent IAM solution allows for both better efficiency and productivity within the company. By enabling continuous reviews, an intelligent solution guarantees that high-risk situations can be monitored and corrected using immediate precautions. This solution helps ensure that all audits are successfully organized by providing reports, including filtering and drill-down capabilities, trend information, and data visualization tools. Not only will an Intelligent IAM solution help you pass your audit, but it will put your organization on the path to true compliance.

Want to learn more about how intelligence can impact your organization's approach to compliance? Download our new eBook Improving IAM with Intelligence for more information or schedule a demo to see Access Insight 9 at work.

Tags: access compliance, access rights, Access Insight, access risk, compliance

Guest Post - Alex Naveira, Director, ITGA & CISO on Compliance

Posted by Ashley Sims - Marketing Manager on Thu, Apr 21, 2016

To continue this month's conversation on compliance, we have another special guest joining us on the blog today. Alex Naveira is the Director, ITGA & CISO at Miami Children's Hospital and oversees multiple locations. We asked Alex what compliance meant to him and he had a list of different kinds of compliance and said "which one?" Needless to say, a CISO's job is quite complex when it comes to compliance and we are thrilled to have Alex join us to explain what he sees in his day to day life. 

An elderly man falls off of a subway platform and onto the train tracks. A stranger pulls the man to safety while the train screeches to a stop. Witnesses called the rescuer a hero, but he said: “No, my intuition made me do it and I just did what was right.” Now, what does this story have to do with compliance? What is compliance?

According to the Oxford English Dictionary, Compliance is defined as “acting in accordance with, and fulfilment of … conditions, or regulations”, but with Information Security this goes further and it is more than just acting in accordance with regulatory conditions or requirements. It is consistently acting with initiative, which according to Victor Hugo is “doing the right thing without being told.” For one reason or another, some wait until they are told what is right or wrong prior to acting, but this places industries at risk, especially if they are not taking steps to proactively protect their technologies and the information housed within.

The first thing we need to understand before having a well-established information security governance, risk and “compliance” program is what we are striving to protect (e.g. resources, systems, identities). Subsequently, we need to act on the processes and tools required to protect the information and technical resources within the environment. Examples of these processes include access authorizations, continuous monitoring of infrastructure and system access threats, prioritization, and remediation of these threats. Adaptive tools in today’s protection arsenal include Identity and Access Intelligence (IAI) systems, SIEMs with threat intelligence capabilities, and intelligent Network Access Control (NAC) systems. Before regulations required it, we were already implementing passwords, role-based security, putting up firewalls, IPSs, and Identity and Access Management systems. Why? Because experience and intuition told us that it was the right thing to do.

Today, we leverage these processes and tools to provide us a more intelligent path to management and control over our networked devices and most importantly, our identities. In consequence, this naturally allows us to comply with regulatory requirements and institutes a culture of doing not only what is within the strict parameters of the law, but also what is right. In less proactive organizations, compliance can certainly be used as a catalyst in approving the necessary funds to optimize security and operations, but it should never be used as the sole factor for doing what is right.

When an elderly man falls off a subway platform and is immediately rescued by a stranger, does the stranger wait for others to provide him “the law” of correctness before acting?  Of course not!  He just does what is right, even if difficult or expensive.  In the current world of nefarious movements, we need to establish an inherent culture of doing the right thing, not because a regulation tells us that it is right, but because our experience and intuition has assured us that it is the right thing to do.

Alex Naveira, CISSP, CISA

Director, ITGA & CISO

Information Technology

Miami Children's Hospital

Looking for ways to keep your organization compliant? Check out our Attack Intelligence for Healthcare Organizations data sheet and you can even request a demo to see the solution at work.

Tags: continuous compliance, hipaa compliance, compliance

What does “Compliance” mean to a Healthcare CISO?

Posted by William "Buddy" Gillespie HCISPP, ITILv3 on Thu, Apr 14, 2016

The role of the healthcare CISO has expanded exponentially since the HITECH Act of 2009. CISOs were traditionally charged with the responsibility to maintain the IT environment consisting of applications and infrastructure. Today they are taking on an expanded organizational role consisting of innovation, operational responsibility and compliance. Although the governance for compliancy consists of a village when it comes to leadership and stakeholders, CISOs still remain at the center of the universe. A multitude of federal and state regulations are at the CISO’s doorstep and pressing on their scope of responsibility.

Among these regulations are PCI, ICD-10, Meaningful Use and, the biggest and most daunting of all, HIPAA.  If a Healthcare Organization (HCO) fails to meet the compliancy standards required by these regulations, the results may be penalties consisting of fees, possible imprisonment and the loss of credibility. 

The “experts” all agree that the following are the largest and most challenging force vectors for the healthcare CIO to confront in order to achieve and sustain compliance:


  • Mobile Devices:
    • The sprawl of mobile devices in the Internet of Things (IoT) has created multiple and diverse conduits into the patient data. A strong Mobile Device Management solution should be implemented along with encryption where appropriate. CIOs are taking responsibility to map the information flow of patient data to ensure that the data is following the authorized path.
  • Rogue Applications:
    • None of the enterprise applications in healthcare can meet all the point-specific needs across the HCO enterprise. This void has spawned the sprawl of rogue applications. These apps are often acquired without the knowledge of the CISO. The CISO and IS are not able to provide the best controls without being a part of those 3rd party solutions.
  • The Cloud:
    • The use of Cloud Service Providers (CSP) in healthcare has its advantages and benefits. Lower cost and scalability are two of the most common benefits. However, the CISO must ensure that the CSP is HIPAA compliant and a strong Service Level Agreement is negotiated.
  • Payment Card Industry (PCI):
  • HIPAA:
    • The number one compliancy challenge for CISOs is HIPAA. The HITECH Act expanded the scope of HIPAA and the Omnibus bill in 2013 gave definition and guidance for the implementation of the HITECH requirements. The Meaningful Use requirements expanded the access to the electronic medical records, thus creating additional opportunities for security breaches. The good news is that CISOs have the technical controls available in the marketplace to build a fortress against the onslaught of breach opportunities. On the other side of the coin, the CISOs must build the case for a security budget that will allow for the acquisition and implementation of those controls.

In order to be successful and achieve the appropriate level of compliance, the CISO must advocate for a Compliance Governance within the HCO. The CISO can be the catalyst but it will take a village of leadership and stakeholders to weather the strong currents that drive compliancy.

Want to hear more from Buddy on the role of HIPAA and compliance in healthcare? Download his free on-demand webinar Privacy and Security in Healthcare  

Tags: hipaa compliance, compliance, PCI DSS, HIPAA

What does "Compliance" mean to you?

Posted by Ashley Sims - Marketing Manager on Thu, Apr 07, 2016

Compliance is a word that we hear a lot in our business. Broadly, it is defined as "the action or fact of complying with a wish or command." 

If that seems like a simple definition, it's because it is. It's too simple. In today's world, not only do you have to comply with the wishes of customers, vendors, and board members; you have to make sure that you are compliant with any one of several governing boards in your industry. 

HIPAA. SOX. NIST. PCI-DSS. These are just a few of the most well-known regulations that businesses have to follow, and they all create very unique challenges for organizations. 

In order to get a better handle on what "compliance" means outside of Webster's definition, we asked some of our friends around the cyber-security industry to help us out and answer the seemingly simple question: "What does 'Compliance' mean to you?"

"What does compliance mean to me? In short, it’s the bare minimum standard we must meet in order to be able to demonstrate security. Compliance gives us a common language to use between regulators, auditors and security to evaluate the effectiveness of our controls."

Brent Comstock - VP, Identity & Access Management, Elavon 

"Compliance is simply defined as the ability to comply with a set of rules or requests.  As a CFO, we typically think of this as ensuring the organization has the requisite systems of internal control that adequately manage the risks that the corporation faces in multiple areas (such as legal risk, financial risk, regulation risk, IT risk, data risk, etc). Interesting to note that organizations continue to equate compliance with security with an inappropriate reliance on historical system compliance procedures leading them to mistakenly believe that their company is more secure."

Curtis Cain - CFO, Courion Corporation 

"With Information Security this goes further and it is more than just acting in accordance with regulatory conditions or requirements.  It is consistently acting with initiative, which according to Victor Hugo is “doing the right thing without being told.”  For one reason or another, some wait until they are told what is right or wrong prior to acting, but this places industries at risk, especially if they are not taking steps to proactively protect their technologies and the information housed within."

Alex Naveira, CISSP, CISA - Director, ITGA & CISO, Miami Children's Hospital 

"In order to be successful and achieve the appropriate level of compliance, the CIO must advocate for a Compliance Governance within the HCO.  The CIO can be the catalyst but it will take a village of leadership and stakeholders to weather the strong currents that drive compliancy."

William "Buddy" Gillespie, HCISPP, ITILv3 - WJGillespie HIT Consulting  

Do these definitions ring true in your business? If not, tell us what compliance means to you in the comments. 

Looking for more information on how your organization can become or remain compliant? Courion and Core Security have multiple options for maintaining compliance across all industry and government regulations. Find out more here or contact us at info@courion.com

Tags: access compliance, hipaa compliance, access risk, compliance

3 Steps to HIPAA Compliance

Posted by John Verner on Wed, Sep 09, 2015

With the rising use of mobile devices, EHR solutions, BYOD policies, and the amount of shared and saved data comes the rising risk of HIPAA compliance. While this can seem like an insurmountable task, you don't have to try and tackle everything at once! We've broken the process down to 3 easy, repeatable steps to make your organization HIPAA compliant.

1. Perform a Risk Analysis

How do you secure your devices? What are the processes for PHI handoff? What are your password rules? To perform a risk analysis, you not only need the answers to these questions, you need to know your data flow. Knowing where your PHI information enters, resides, and exits your environment will help you to know where your vulnerabilities are. Make sure that you look at all of your devices, servers, and applications to make sure you have an understanding of how each of these work and, more importantly, where they do not. 

There are plenty of options, from vulnerability scans to penetration tests, to look for vulnerabilities. Here at Courion, we have our very own Quick Scan process to help find your weaknesses and create plans to help fix them.

Once you see all of your vulnerabilities, analyze the HIPAA risk level and potential impact to your organization by asking:

[Image: HIPAA risk levels]

Then assign each vulnerability a high, medium, or low risk value based on your findings so that you have an understanding of which risks to tackle first. 

2. Create a Risk Management Plan

Your risk plan can be as simple or as detailed as you want to make it. However, remember that being able to show HIPAA extensive documentation of intent to mitigate risk will go a long way in your quest for compliance.

An easy way to do this is to answer the following four questions:

[Image: HIPAA compliance questions]

Remember you need to have a plan in place for the risks to the system and for each of your employee types that use the system.

Employees: Focus on training and education around security practices and HIPAA compliance. Put blockers in place to help stop breaches before they start. Teach the importance of HIPAA compliant passwords.

Business Administration: Anyone who touches your data should follow your rules. Whether this is a medical device repairman or a contractor, they should be held accountable for their involvement in your data.

IT Department: IT doesn't always mean security. Make sure that your IT team is constantly updating your software and applications so that you have the most up to date security features.

3. Implement Your Plan

Once you see all of your vulnerabilities laid out with their management plans, you will quickly see which of these are top priorities. Make a plan to take care of the biggest risks first and then start over. Keep identifying the top risks in your organization and working on implementing security fixes.

What's next? Rinse and repeat. While this is only a three step system it will still take you time to dig through your systems, solutions, and data to find where your greatest risks lie and even more time to find and implement the security fix. However, with an IAM solution you could automate much of this process. An IAM solution will continuously monitor your system and alert you to any variables that may lead to a breach.

Tags: cybersecurity, cyber risk, EHR security, emr security, hipaa compliance, healthcare data, healthcare, cyber security, EMR, EHR, electronic medical record, healthcare IT, medical records, cyber attack, compliance, HIPAA, #HIT, healthcare security

Assessing the Risk of Identity and Access

Posted by Ashley Sims - Marketing Manager on Thu, Jul 16, 2015

Here at Courion, our mission is to help customers succeed in a world of open access and increasing threats. We want to make sure that the right people have the right access to the right resources and that they are doing the right things with those resources. The question becomes, how does an organization assess those threats and gauge the risk it faces from both internal and external forces? Moreover, how do you plan for that risk and put in place processes to help detect, identify and manage the risk?

With an increasing number of computers and other devices and an increase in the ways in which users access resources, access rights and the monitoring and managing of complex user access rights becomes harder every day. The stresses and strains of access can come from all over but the most common offenders are: 

- Routine changes such as hiring, promotions or transfers

- Infrastructure changes such as mobility, cloud adaptation, system upgrades, or new application rollouts

- Business changes such as reorganizations, the addition of new products, or new partnerships

In addition to the stresses from business change, there are an increasing number of government regulations that require compliance, regardless of industry. From healthcare to banking, these regulations climb into the hundreds and assuring that you are fully compliant is more difficult than ever. This increase in regulations along with the increase in complexity of access rights makes identity and access governance a red hot priority.

Want to know more about how Identity and Access Governance can help lessen your risk? Read more by downloading our eBook and learn about: 

-  How to remain compliant with an IAM solution
-  Preparing for an attack
-  Automated provisioning
-  And more  

Tags: governance, cyber security, provisioning, cyber attack, risk, compliance

Why Traditional Access Certification is Broken

Posted by Vikram Chellappa - Sales Engineer on Mon, Dec 22, 2014

Most organizations have to demonstrate that they are compliant in an increasingly regulatory landscape. An important objective of compliance efforts is to ensure that the right people have appropriate access, particularly to high-risk applications and sensitive data such as cardholder information and personal health information. To satisfy these regulatory requirements, organizations conduct periodic reviews, typically every six months or a year, in which managers and other authorized personnel periodically review users’ access and attest to whether those access rights are correct.

Based on media accounts, the number of security breaches per year is increasing dramatically. In many of these breaches, it has become apparent that the breached organizations were unaware that a security breach occurred. So why is this the case? Why are organizations more susceptible to breaches, even after performing periodic certification reviews and essentially passing audits?

The reason is the significant surge in the volume, variety and velocity of information. The Big Data storm has made it extremely challenging, if not impossible, for organizations to enforce high security standards while also achieving a high level of productivity. Much can change with users, their roles and responsibilities, their access rights and the resources they access in the time in-between periodic access reviews.

Hence, even though users’ access information is presented to reviewers, there is typically no context around that information. Reviewers do not quite know how or why or when users obtained the access. In fact, a recent survey conducted by Courion found 43 percent of IT Security executives agreeing with the statement that their organization is unaware of when access privileges are increased or when access behavior departs from the norm. In addition, the volume of data that is presented is considerable, if not overwhelming. These reasons invariably drive reviewers to rubber stamp. Clearly, this is not an effective tactic to truly mitigate organizational risk.

What organizations need is a continuous and comprehensive approach to identify access risks and employ preventative controls to mitigate those risks. The Courion Access Assurance Suite provides organizations with the ability to automatically revoke inappropriate access and/or perform risk-based certifications reviews when a policy violation occurs or when a threat is detected.

Risk-based certification reviews provide complete context around the information being reviewed, thereby enabling managers to make more educated and informed decisions on whether a user’s access is appropriate or not. By performing these narrowly focused risk-based certification reviews on a continuous basis, organizations can not only satisfy audit requirements, but also mitigate potential risks in a more intelligent and efficient manner.

Tags: access management, medical records, compliance

Purdue Pharma Selects Courion to Fulfill Identity and Access Management Requirements

Posted by David DiGangi - Regional Manager on Thu, Aug 14, 2014

Purdue Pharma L.P., a privately held pharmaceutical company based in Stamford, Connecticut, has selected the Courion Access Assurance Suite after an evaluation of several competing offerings. The pharmaceutical company will leverage the intelligence capabilities of Access Assurance Suite to maintain regulatory compliance and mitigate risk.

Purdue Pharma, together with its network of independent associated US companies, has administrative, research and manufacturing facilities in Connecticut, New Jersey and North Carolina.

With implementation of the intelligence capabilities within the Courion IAM Suite, Purdue will be able to leverage this product to automate routine IAM tasks and maintain compliance with US Food & Drug Administration requirements.

Tags: intelligence, Access Assurance Suite, Purdue, regulatory, risk, compliance

SOX Reporting Headache? Take One ComplianceCourier and Get a Clear View Into ‘Who Has Access to What’

Posted by Brad Frost - Account Executive on Tue, Jul 29, 2014

The headache of Sarbanes-Oxley (SOX) reporting requirements is just about to get easier for Old Republic National Title Insurance Company, since the title insurer selected Courion ComplianceCourier™ for its access certification solution.

The public company, which has more than 4,000 employees, must comply with Sarbanes-Oxley (SOX) reporting requirements. And not unlike many companies we speak with, the IT department was finding the challenge of answering “who has access to what” was absorbing too much manpower and time. The manual data process of gathering user access information and compiling it into spreadsheets was also vulnerable to error.

With ComplianceCourier, Old Republic will be able to centralize and automate the access control process, reducing the risk of unauthorized access. What’s more, the access certification solution will allow the company to audit existing access by user, application, administrator, group, or workstation and meet SOX compliance requirements more easily. The efficiency of IT operations will be improved and as an added bonus, the active directory structure will be consolidated. To read more, click here.

Tags: Sarbanes-Oxley, governance, compliance, SOX, Brad, Frost, ComplianceCourier

Big Data Volume, Variety and Velocity Drives Need for Intelligence

Posted by Vikram Chellappa - Sales Engineer on Mon, Mar 10, 2014

The 3 V’s (Volume, Variety and Velocity) of Big Data have become more relevant in the complex world of Identity and Access Management than ever before. In the midst of dealing with the high volume, variety and velocity of information, organizations not only have to streamline the process of how access is granted and revoked and ensure a high level of productivity, but they also have to reduce risks and maintain high security standards.

Volume: Data seems to be around forever. Many organizations still use data that was created 15 years ago or more. Considering that there is so much information from applications and systems that have been around for a long time, do organizations have all of the information they need? Has the need for new information diminished? The obvious answer to both of these questions is No! In fact it is quite the opposite. The amount of new information has increased exponentially and many if not most organizations have petabytes of information in storage.

Variety: Very few organizations have a single platform, a single source or a single format for information. Operating systems, directories, databases, applications and unstructured data sources such as file shares and social media feeds such as LinkedIn, Facebook, and Twitter all form sources and destinations for information. Each system processes information in a variety of formats such as text files, Word documents, presentations, images, videos, or messages.

Velocity: The popularity of mobile devices and the explosion of social media have completely changed the way we obtain and consume information. Information is available to us at our fingertips and organizations are increasingly providing their employees with mobile capabilities. 

All of these elements present a very challenging situation for organizations. It has become increasingly difficult to answer questions such as:

– Who has access to applications and what level of access do they have?

– Do the right people have the right level of access?

– What information is being accessed and who is accessing it?

– What are the riskiest applications?

These are just a few examples of the types of questions that organizations seek answers for. But the factors already discussed in this post have made it extremely difficult, if not impossible, to manually find answers to these questions. Organizations struggle to get a handle on what causes risk and to act upon those risk factors in a timely fashion.

The key is to be able to harness relevant information such as identities, policies, and access rights from any data source, analyze the information obtained and embed the intelligence gained thereof in provisioning, de-provisioning and compliance reviews. Information on privileged accounts, abandoned accounts, orphaned accounts, users who have excessive access when compared to their job role or their peers; unused entitlements, riskiest applications and policy violations are some examples of information that needs to be analyzed to effectively implement a secure, robust and an intelligent IAM solution.

Tags: privileged, access rights, access, policies, Vikram, identities, big identity data, Identity and access intelligence, entitlements, big data, compliance, identity and access management, data, Chellappa, orphan accounts, accounts