How Do I Validate Proper Compliance?

Love it or hate it, paying taxes is a staple of life for people all over the world. Disclosing and proving payment of those taxes to the government is an equally accepted practice—you can’t simply assume they know you are doing so. Similarly, when it comes to compliance, it’s vital for companies to prove to governing bodies that they are protecting their data.

So far in this Secure Access series, we’ve explored how businesses can connect to partner identity sources, provide secure and selective access to partner users, and automate the privileges of those users as they come and go. Continuing the conversation, this post will address the issue of validating proper compliance for partners, vendors, and contractors.

IT security teams must ensure that users have the appropriate level of access to documents, systems, and networks at the right time. They must be able to prove this to themselves, as well as potentially to outside auditors.

How to validate compliance

Proving compliance is an important aspect of any IT security strategy, especially in industries that have heavy regulations. Specifically, when it comes to user access and privileges, security practitioners need to be able to proof and audit the onboarding and offboarding of both internal employees and outside users from third-party contractors and partners. To do this, companies need to be able to show:

  • How a user got access to an application
  • What level of access the user should have
  • Whether the user should still have access to the application
  • If and how a user’s access to an application has been revoked when needed

This process can be complicated for internal employees, but is even more difficult with extended enterprise users. Often, IT has less visibility into the profile, access, and the rights of external users, yet IT is still tasked with ensuring they get the right level of access. IT need tool to give them the visibility they need to keep their environment secure.

Compliance reporting

Solid reporting helps organizations gain visibility into their vendor and partner user access levels. At Okta, we have several out of the box reports that give admins confidence that their environment is secure:

  • Current assignments report: This report shows which users have access to which applications. It also provides insight into how users were assigned the applications, be it by direct assignment from an admin or via a group membership. This information can also provide additional data around admin or group membership to auditors.
  • Recent unassignment report: This report shows what applications users were unassigned from over a specified period of time. For example, if seasonable employees were hired over the holiday period, the report would prove users were given access in November and revoked access at the end of January.
  • Suspicious activity report: This report offers insight into failed logins and users that have been locked out of applications, as well as details like username and IP address.
  • Rogue accounts report: This report will check whether there are any discrepancy between the user assignments within Okta and the user assignments within the app itself. It could be that a user was provisioned to an app outside of Okta. This helps IT admins to manually revoke access to an application.

Syslog information

System logs provide a powerful view of data like login events, imported information, and single sign-on activity. By looking at login failures, for example, companies can pinpoint potential security risks by understanding where the user came from, whether they’re using a known location or device, or if they’re coming from behind a proxy—which could suggest a potential risk.

These logs can also provide visibility into which users—internal and external—have access to systems and applications. Integrating this with Security Information Management and Events (SIEM) tools like Splunk or Sumo Logic can highlight access data all in one place.

Like how you’re held accountable for the taxes in your personal life, it’s vital for enterprises to prove that they are complying with regulations to protect their data. What that comes down to is ensuring that the organization has the right level of visibility into user access across the board, as well as the right tools to automate user termination at the appropriate time.

For more information on how Okta can help your organization take control of validating compliance, read about our centralized reporting functionality and watch our access reports demo. Additionally, download our whitepaper on how to secure access to legacy applications.