How Do I Validate Proper Compliance?

Aaron Yee  and  Daniel Lu
October 28, 2019

Love it or hate it, paying taxes is a staple of life for people all over the world. Disclosing and proving payment of those taxes to the government is an equally accepted practice—you can’t simply assume they know you are doing so. Similarly, when it comes to compliance, it’s vital for companies to prove to governing bodies that they are protecting their data.

So far in this Secure Access series, we’ve explored how businesses can connect to partner identity sources, provide secure and selective access to partner users, and automate the privileges of those users as they come and go. Continuing the conversation, this post will address the issue of validating proper compliance for partners, vendors, and contractors.

IT security teams must ensure that users have the appropriate level of access to documents, systems, and networks at the right time. They must be able to prove this to themselves, as well as potentially to outside auditors.

How to validate compliance

Proving compliance is an important aspect of any IT security strategy, especially in industries that have heavy regulations. Specifically, when it comes to user access and privileges, security practitioners need to be able to proof and audit the onboarding and offboarding of both internal employees and outside users from third-party contractors and partners. To do this, companies need to be able to show:

  • How a user got access to an application
  • What level of access the user should have
  • Whether the user should still have access to the application
  • If and how a user’s access to an application has been revoked when needed

This process can be complicated for internal employees, but is even more difficult with extended enterprise users. Often, IT has less visibility into the profile, access, and the rights of external users, yet IT is still tasked with ensuring they get the right level of access. IT need tool to give them the visibility they need to keep their environment secure.

Compliance reporting

Solid reporting helps organizations gain visibility into their vendor and partner user access levels. At Okta, we have several out of the box reports that give admins confidence that their environment is secure:

  • Current assignments report: This report shows which users have access to which applications. It also provides insight into how users were assigned the applications, be it by direct assignment from an admin or via a group membership. This information can also provide additional data around admin or group membership to auditors.
  • Recent unassignment report: This report shows what applications users were unassigned from over a specified period of time. For example, if seasonable employees were hired over the holiday period, the report would prove users were given access in November and revoked access at the end of January.
  • Suspicious activity report: This report offers insight into failed logins and users that have been locked out of applications, as well as details like username and IP address.
  • Rogue accounts report: This report will check whether there are any discrepancy between the user assignments within Okta and the user assignments within the app itself. It could be that a user was provisioned to an app outside of Okta. This helps IT admins to manually revoke access to an application.

Syslog information

System logs provide a powerful view of data like login events, imported information, and single sign-on activity. By looking at login failures, for example, companies can pinpoint potential security risks by understanding where the user came from, whether they’re using a known location or device, or if they’re coming from behind a proxy—which could suggest a potential risk.

These logs can also provide visibility into which users—internal and external—have access to systems and applications. Integrating this with Security Information Management and Events (SIEM) tools like Splunk or Sumo Logic can highlight access data all in one place.

Like how you’re held accountable for the taxes in your personal life, it’s vital for enterprises to prove that they are complying with regulations to protect their data. What that comes down to is ensuring that the organization has the right level of visibility into user access across the board, as well as the right tools to automate user termination at the appropriate time.

For more information on how Okta can help your organization take control of validating compliance, read about our centralized reporting functionality and watch our access reports demo. Additionally, download our whitepaper on how to secure access to legacy applications.

Aaron Yee
Group Product Marketing Manager

Aaron Yee joined Okta in 2012 as the company's first Professional Services consultant. In that role, he implemented Okta for many early customers and saw how they stretched Okta’s capabilities. He subsequently joined the Product Marketing Team to continue shaping the product for modern user lifecycle management requirements. Prior to Okta, Aaron was a consultant for civilian and DoD agencies in DC, where he designed & implemented solutions to manage user lifecycles. Aaron has a BA in Computer Science from Brown University and an MBA from the University of Virginia. He lives in San Francisco and enjoys sailing, snowboarding, tinkering with cars, and rooting for the hopeless 49ers.

Follow Aaron Yee
Share on Linkedin
Daniel Lu
Daniel Lu
Senior Product Marketing Manager, Single Sign-On

Daniel Lu is a Product Marketing Manager at Okta focused on Okta’s Single Sign On product. He’s responsible for growing the Single Sign On business and takes every opportunity to discuss why Okta has the best Identity and Access Management platform in the market. Daniel has focused his career on scaling great businesses. Prior to Okta, Daniel was part of business strategy at Adobe and before that, he co-founded a golf company.

Daniel holds an MBA from Northwestern University and a BS in Electrical Engineering from University of California, Davis. He’s a rare Bay Area native and currently lives in San Francisco. When he can, Daniel tries to make time for international travel, new restaurants, and exercise.

Previous
Next

April 17, 2024

Okta Workflows Tutorial: Build a Connector for the OpenWeather API

By Max Katz
This tutorial will teach you how to build a connector for the OpenWeather API using the Okta Workflows Connector Builder. Connector for OpenWeather API What is…

Read now

April 17, 2024

What Is single sign-on (SSO)?

By Okta
Single sign-on (SSO) is an authentication tool that enables users to securely access multiple applications and services using one set of credentials,…

Read now

April 17, 2024

What Is an Identity platform?

By Okta
An Identity platform is a centralized framework that manages the digital identities of humans and devices, enabling organizations to authorize secure user…

Read now

April 16, 2024

Extend your passwordless journey to device login

By Cynthia Luu
Okta Device Access now supports passwordless login and FIDO2 YubiKeys for Desktop MFA Despite all the talk of driving workers back into the office, most…

Read now

April 15, 2024

Simple and secure user experiences: The latest on Okta Customer Identity Solution

By Ruchita Shah
Customer expectations are higher than ever, including access to the applications they need from any device, wherever they are in the world. Businesses are…

Read now