8 Identity & Access Management Compliance Regulations You Must Know
Being a CTO or a CIO today is tougher than ever. As if aligning IT with overall business strategy while keeping pace with rapidly changing technology wasn’t hard enough, CTOs and CIOs must deal with an increasingly heavy compliance burden. Various federal and industry-specific regulations to ensure data security and privacy, such as PCI, Sarbanes-Oxley, HIPAA are designed to keep sensitive customer data safe.
Nonetheless, failure to comply with them can be costly in terms of fines, penalties and other negative repercussions such as loss of trust.
Fortunately, identity and access management (IAM) solutions can be used to meet numerous compliance requirements. As stated in the often-quoted definition by Gartner, IAM is “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.”
If an organization is audited and has a solid IAM program, it can prove that it has its measures in place to mitigate the risk of data being stolen or misused from users level. IAM can also help meet the more specific criteria associated with various regulations, including those that follow.
Identity and Access Management Standards
SOX applies to the financial services, banking, and insurance industries. Section 404 specifically mandates that adequate internal controls are in place, tested and documented for preparing financial reports and for protecting the integrity of the financial information going into these reports. Among the ways IAM can address this is by:
- Providing centralized administration for managing user access rights and authentication.
- Enforcing segregation of duties (SoD) policies.
- Adjusting access rights when someone’s job function changes.
- Revoking user access upon termination.
- Managing access based on job roles and providing “least privilege”.
- Performing periodic audits of access rights and privileges, and providing automated reports.
SOX addresses both physical and digital records making IAM an integral part of compliance, but the key to aligning with SOX requirements is the ability to produce on-demand evidence for an audit. By automating IAM activities including user provisioning and de-provisioning, granular conditional access controls, and implementing accurate access logging and usage tracking companies improve their security posture and reduce the risk of data breaches.
GLBA is a federal law that mandates that all financial institutions maintain the confidentiality of non-public customer information and protect against threats to it. It includes the Financial Privacy Rule, which regulates the collection and disclosure of private financial information, and the Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information. Then there are the Pretexting provisions, which prohibit the practice of accessing private information using false pretenses. This is the area where IAM can provide the biggest compliance boost by:
- Providing centralized administration for assigning and controlling user access rights.
- Enforcing SoD policies.
- Adjusting access rights when someone’s job function changes.
- Revoking user access upon termination.
- Managing access based on job roles and providing “least privilege”.
- Performing periodic audits of access rights and privileges.
- Tracking account access for individual users.
Introduced as a national healthcare standard in 1996, the Health Insurance Portability and Accountability Act (HIPAA), was designed by the Department of Health and Human Services (HHS) to guarantee the privacy and security of protected health information (PHI). HIPAA establishes national standards for processing electronic healthcare transactions, requires covered entities (healthcare or other organizations that handle protected health information) to implement secure electronic access to health data, and mandates compliance with privacy regulations set by the U.S.
Department of Health and Human Services (HHS). The HIPAA omnibus rule provides guidelines for business associates of covered entities. The HITECH Act, signed by President Obama in 2009, motivated the healthcare industry to modernize management of healthcare data via electronic health records (EHR) and peripheral technology.
IAM can assist organizations in ensuring HIPAA compliance with access and identity management. That includes the use of federated identities, single sign-on (SSO), least privileges, regular credential rotation, multifactor authentication, and role-based policies for account provisioning and de-provisioning. (IAM can also help comply with the Health Information Technology for Economic and Clinical Health Act known a HITECH.)
HIPAA and HITECH regulations share a close relationship, and covered entities began including business associates as well. Healthcare clearinghouses faced compliance with both HIPAA security measures and the electronic healthcare data security mandated by the HITECH Act. An IAM solution paired with HIPAA compliance policies reduces risk of privacy rule violations for healthcare data. An IAM solution that addresses HIPAA standards must include:
- Credential protection through the use of single sign-on
- Federated identity management for simplified integration of healthcare business partners
- Centralized access governance to curate HIPAA compliant access management across organizational infrastructure
- Automatic access logging ensuring compliance to HIPAA security rules such as tracking access to patient data
FERPA is governance access to student records maintained by educational institutions and agencies, and applies to all federally funded elementary, secondary, and postsecondary institutions. It requires that these organizations use “reasonable methods” to identify and authenticate the identity of parents, students, school officials, and other parties before disclosing or permitting access to personally identifiable information (PII).
While FERPA doesn’t mandate specific requirements regarding “reasonable methods,” best practice suggestions include components inherent in IAM solutions including:
- Selection of authentication levels based on the risk to the data.
- Development of a process to securely manage any secret authenticating information, such as passwords, from creation through disposal.
- Enforcement of policies to reduce authenticator misuse, such as encrypting stored passwords.
- Management of user identities from creation through disposal and with periodic account recertification.
Other FERPA compliance requirements an IAM solution should address include:
- Secure infrastructure to allow eligible non-university affiliates access to relevant education records.
- Process for students to delegate/restrict access to 3rd parties(parents/guardians/others) to access their education data.
- Accurate and complete logging of users with access to student data including timestamps.
- Automated reporting providing audit-worthy access management evidence.
The California Consumer Privacy Act was enacted in 2018 but goes into effect on January 1, 2020. Organizations nationwide are scrambling to prepare for the massive privacy implications CCPA will have for U.S. businesses that service Californian consumers.
CCPA is similar to GDPR in that it provides California citizens the same level of control over their personal information that EU citizens currently exercise. CCPA regulations apply to any company that generates $25 million or more in gross revenue and collects personal information from Californian consumers.
A critical difference between GDPR and CCPA is that CCPA acknowledges the household as a covered entity as well as the customer. CCPA, in some cases only applies to the personal information provided by the California residents ignoring data sourced or purchased from third parties. IAM solutions that assist in the satisfaction of CCPA compliance requirements for privacy and data security must include:
- Identity management capabilities that tie individual consumers to their data and privacy requests
- Access Governance to ensure that a company knows where the data is housed and who can access it
- Strong authentication including multi-factor authentication to protect disclosure to unauthorized users
- Centralization administration of access management and identity governance.
As a key factor of CCPA, consumers are in control of their privacy and personal information with rights to deny or revoke either the collection or sale of their data. While this parallels in data protection with GDPR, it differs in enforcement. With GDPR, violations can cost up to 20 million euros or 4% of global revenue, whichever is greater, while CCPA implements fines on a per violation basis that cap at $250,000 per violation.
PCI DSS is an industry-accepted security standard for companies that manage major credit cards. IAM can help meet many of its components through data access management. For example, PCI DSS limits the number of employees who can access payment card data.
IAM can be used to meet this standard by granting users only the least privileges necessary to complete their work. IAM also can be used to meet much of PCI DSS requirement 8.1, which states “Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components …” That includes ensuring that each user as a unique ID; automatically revoking access to terminated users and removing or disabling inactive user accounts within a set timeframe.
The GDPR goes into effect 25 May 2018. It’s the EU directive that aims to consolidate data protection regulations across EU member states. It has many organizations worrying because of high value non-compliance penalties which could be as much as 4% of the annual global turnover or €20 Million (whichever is greater). Key functionalities provided in an IAM solution can help organizations avoid those penalties, including:
- Identity Federation and SSO
- Identity Provisioning
- Identity Analytics
For example, IAM can help organizations comply with GDPR requirements such as managing consent by individuals to have their data recorded and tracked, responding to individuals’ right to have their data erased and notifying people in the event of a personal data breach.
The SHIELD Act is the common name for New York’s “Stop Hacks and Improve Electronic Data Security Act” implemented in 2019. This act dramatically expands security and privacy notification requirements on companies storing personal information of New York citizens. This act is New York’s cybersecurity effort to force better protection of personal data and improve breach notification requirements. Similar to GDPR and CCPA, this far-reaching data protection act seeks to reduce the risk that the private information of New York citizens will be exposed in a data breach.
this law mandates information security requirements be in place to safeguard data privacy. Any organization already in compliance with either HIPAA or GLBA will find the privacy safeguards similar. This law takes into account the burden of cybersecurity requirements for small businesses collecting and storing personal information. Therefore the directives are adjusted to be appropriate for the size and complexity of the organization. IAM solutions that address NY SHIELD Act data security standard should include:
- Automated provisioning and de-provisioning of users as personnel change roles and jobs
- Entitlement management to limit permissions to least privileges
- Federated identity management to simplify integration and tracking of business partners
- Multi-factor authentication to increase the difficulty of stealing credentials to illicitly access data.
SHIELD compliance necessitates that an organization minimize the risk of a cybersecurity breach or deal with the financial impact of costly breach notifications. Implementing a robust IAM solution not only proactively protects, but it improves the overall security posture of organizations, ensuring compliance and minimizing risk.
Each industry has specific data security rules to follow. Although some regulations appear complex and stringent, the laws are in place to protect personal information from theft, prevent identity fraud and support the privacy rights of users and consumers.