Virtual Directory as Database Security

I've written plenty of posts about the various use-cases for virtual directory technology over the years. But, I came across another today that I thought was pretty interesting.

Think about enterprise security from the viewpoint of the CISO. There are numerous layers of overlapping security technologies that work together to reduce risk to a point that's comfortable. Network security, endpoint security, identity management, encryption, DLP, SIEM, etc. But even when these solutions are implemented according to plan, I still see two common gaps that need to be taken more seriously.

One is control over unstructured data (file systems, SharePoint, etc.). The other is back door access to application databases. There is a ton of sensitive information exposed through those two avenues that aren't protected by the likes of SIEM solutions or IAM suites. Even DLP solutions tend to focus on perimeter defense rather than who has access. STEALTHbits has solutions to fill the gaps for unstructured data and for Microsoft SQL Server so I spend a fair amount of time talking to CISOs and their teams about these issues.

While reading through some IAM industry materials today, I found an interesting write-up on how Oracle is using its virtual directory technology to solve the problem for Oracle database customers. Oracle's IAM suite leverages Oracle Virtual Directory (OVD) as an integration point with an Oracle database feature called Enterprise User Security (EUS). EUS enables database access management through an enterprise LDAP directory (as opposed to managing a spaghetti mapping of users to database accounts and the associated permissions.)

By placing OVD in front of EUS, you get instant LDAP-style management (and IAM integration) without a long, complicated migration process. Pretty compelling use-case. If you can't control direct database permissions, your application-side access controls seem less important. Essentially, you've locked the front door but left the back window wide open. Something to think about.

Unstructured Data into Identity & Access Governance

I've written before about the gap in identity and access management solutions related to unstructured data.

When I define unstructured data to people in the Identity Management space, I think the key distinguishing characteristic is that there is no entitlement store with which an IAM or IAG solution can connect to gather entitlement information. 

On File Systems, for example, the entitlements are distributed across shares & folders, inherited through the file tree structure, applied through group memberships that may be many levels deep, and there's no common security model to make sense of it.

STEALTHbits has the best scanner in the industry (I've seen it go head-to-head in POC's) to gather users, groups, and permissions across unstructured data environments and the most flexible ability to perform analysis that (1) uncovers high-risk conditions (such as open file shares, unused permissions, admin snooping, and more), (2) identifies content owners, and (3) makes it very simple to consume information on entitlements (by user, by group, or by resource).

It's a gap in the identity management landscape and it's beginning to show up on customer agendas. Let us know if we can help. Now, here's a pretty picture:

Filling the Gap in Identity and Access Governance

Identity and Access Management: Filling the Gap in Identity and Access Governance

Traditional identity solutions focus on access to applications, but that misses as much as 80 percent of corporate data.

We’ve entered the age of access governance. Organizations need to know who has access to what data and how they were granted that access. Identity and Access Governance (IAG) solutions address these issues while managing enterprise access. They provide visibility into access, policy and role management, and risk assessment—and they facilitate periodic entitlement reviews of access across numerous systems. Most enterprise IAG solutions are missing a key piece to the puzzle, though: unstructured data.

[Read the full article in TechNet Magazine]

Identity Solutions and Unstructured Data

Being in the space for so long, I'm always looking for ways to provide new, interesting functionality. To date, identity (IAM) solutions have no insight into the usage of unstructured data. And it would be really cool if they did.

IAM vendors have only recently begun thinking about unstructured data at all. Some have the ability to look across file system permissions and perhaps include rights information in reports along with basic user and group data. I don't think any do a great job of including a view across file system, Sharepoint, SQL Server, and Exchange Public Folders. But regardless of platform, the capability seems to stop at reporting on rights as they exist at some point in time.

The next logical step would be to watch user activity and be able to provide recommendations and reporting on usage along with permissions. Then, you could make better decisions. Think about this: IAM gives department managers the ability to manage security groups. Maybe they know what the group should access. And maybe they have some idea of what users should be in the group. But, there's no easy way to see which members of the group have exercised those rights and actually accessed the resources in question. Or even whether those resources are actually still relevant. (Have they been accessed? By who? How does that affect the concept of 'least privilege'?)

I'd love to hear your thoughts.

BTW, this isn't purely rhetorical. But, you'll have to be patient if you want more details. ;)

+1 for Continuous Compliance

Anton Chuvakin posted a blog entry today about Continuous Compliance. I've written on the subject in numerous places (here for example) and have even written a white paper and given a webinar on the topic.

As a software vendor, I often hear from organizations who are looking for the silver bullet. People actually say things like "your software is PCI compliant, right? ...because we need to be PCI compliant and I'm looking for software to get us there". It's not their fault. Apparently, the folks pushing down the requirements, despite their efforts, haven't done a great job at educating the people that need to be educated.

My paper and my responses explain that the idea isn't to find a piece of software or even a business process that will get you compliant for your audit next month and then you forget it until next year. The idea is to create what I've called a "culture of compliance" (a borrowed phrase) through which you remain in compliance continuously. Put controls in place, create a way to test controls, understand access rights, regularly monitor and review permissions, and you'll ultimately be able to respond to any new (related) regulation that comes at you.

Sure, I can map specific reports to specific subsections of a regulation or security framework, but that shouldn't be the goal. Take a look at our recent article on the topic: When compliance is at odds with security - sometimes focusing on the goal of point-in-time compliance can actually negatively affect your security posture. I hope Anton is right that the times may be upon us because I have to say that I often feel like people listen to what I'm saying but ultimately ignore it and really just want a set of reports labelled with the regulation du jour.

Identity Governance is not One Size Fits All

I read an article this morning written by SailPoint's Darran Rolls titled How Identity Governance Solves the Compliance. Aside from my feeling that the title was either cut-off or misprinted, the article makes a lot of sense. Rolls writes:

The identity management landscape is changing. The need for stronger auditing controls is giving rise to identity governance tools that are supplanting ID provisioning solutions as the centralized management layer for identity.

and later makes the point that:

This ability to translate technical identity data into business-relevant context is a critical advancement from old-school provisioning technology.

Yes and Yes.

This is exactly what I've been spending my time on at NetVision. One difference though. Much of Rolls' article focuses on the topics of platform coverage and correlation. While our solution scales and is deployed well into the Fortune 500, most of the organizations we speak to are turned off by the complexity involved with integrating numerous platforms.

NetVision's focus is on core network systems - Microsoft and Novell. That's Active Directory or eDirectory, which hold network user accounts, security groups, and some other entitlements based on account attributes -- and the associated file systems, which are a breeding ground for unauthorized access of sensitive information. Our goal is to be simple and easy to use, with no requirement for in-house expertise on access rights. And we get results on day one.

I'm not trying to give a pitch. My point is that Identity Governance is important. But, it's not one size fits all. While some organizations are looking for the solution with the broadest range of platform coverage and are willing to accept the inherent complexity, many are looking for easy-to-use, simple-to-own solutions that cover core networking platforms.

Who Has Access to What? is the question of the year. Tools that enable you to audit, monitor, alert, and report on access rights are a must-have for driving down audit costs and improving your ability to answer that question. We're entering the next wave in Identity Management. And it's not a pie-in-the-sky utopia of federated identity with built-in governance (yet). It's real-world solutions for answering the question of year with zero effort.

Industry's First Managed Service for Identity & Access Audit

Last week, I mentioned NetVision's new Managed Service Offering. Now, it's official. The press release is out.

I know you don't all want to hear me blabbering on about my products, but bear with me on this one for two reasons:

1 - It's what I do all day, so it's hard to NOT talk about it.

2 - This is REALLY interesting stuff. I'm not talking about a new feature or bug fixes. This is a new way of delivering solutions that really makes life easier and is more cost effective for our customers. Nobody else is doing this.

Here's what it boils down to:

Our software has gotten better over the years. It's been around for a decade and we have scars, battle wounds, lessons-learned, and the benefit of the collective experience of twelve years worth of customers. But, solution software isn't enough.

You need hardware, platform OS software, database and reporting software, and it all needs to be installed, configured, maintained, and integrated. Assuming all of that is done, to get the answers you need, you'll also need knowledge -- of the systems that you want to audit and of the requirements (what questions should you ask).

So let's say that you spend some consulting dollars to get the system setup, it's producing all the right answers, and you get knowledge transfer on how to use the system. What happens when requirements change? Or when the guy who was trained leaves the company or switches roles?

Systems are complex by nature. Understanding how to tie together directory, file system, database, reporting, takes a fair amount of knowledge -- especially when you think about re-configuring, tweaking settings and performance, troubleshooting issues, etc. And when you're doing it for the first time or it's not your primary job function, it can be inefficient to say the least.

So, we put our money where our mouth is. We will maintain the investment in expertise. Expertise in the systems we rely on, the systems we audit, our own system, and the requirements & best practices needed to coax out the right answers. We already do this stuff, so we decided to scale it out a bit and pass the economy of scale cost savings on to our customers.

We made improvements to the management interface, nailed down hardware requirements to an appliance, and put resources in place to provide the service and monitoring delivery.

I'd love to know what you think. I'm particularly interested in those of you who are setting up managed identity services businesses. This is something that can help you keep an eye on the effectiveness of the IAM solutions you manage. AND it can help your customers keep an eye on what changes you might be making to their environment. It's also a great solution for organizations that outsource IT and have no in-house directory expertise but want to monitor access rights and other directory or file system rights changes.

Visit our site for more info on Microsoft Active Directory solutions or Novell eDirectory solutions. I look forward to hearing what you think.

Identity-Based NAC or UTM

While walking the floor at Interop in NYC this week, I stopped to chat with the guys at the Cyberoam booth. Cyberoam provides a security appliance that provides identity-based Unified Threat Management (UTM). Similar to most Network Access Control (NAC) devices, the solution grants and denies access to systems and resources based on the IP+port destination address. Typically, this is done at the network layer by enforcing policies based on the requesting machine's MAC address (laptop X is allowed to access application Y on server Z).

Cyberoam's messaging is that they are identity-based. This means that the appliance (the red box below) doesn't enforce policies strictly based on MAC address (the user's hardware). It is identity-aware in that it knows who is logged onto the desktop, verifies policies and access rights against the network directory (Microsoft's Active Directory, for example) and grants access to the user rather than to the machine. This is a level of protection and intelligence above purely hardware-driven NAC solutions.

I can't vouch for Cyberoam as a solution. I haven't used it and don't know more than was told to me in a five minute conversation. But, I immediately recognized a use-case scenario for NetVision.

If access to systems and assets across the network is based on data held within Active Directory, then you better be able to monitor changes to that data and get immediate alerts if there's a policy breach. If it's true that 88% of IT admins would steal from their employers or snoop around the network, then an environment that puts the keys to the kingdoms in the hands of the Active Directory administrators needs a comprehensive ability to audit and monitor administrative activity.

So, if you are a Cyberoam customer or if you have a similar NAC or UTM solution that relies heavily on the network directory, please let me know. Even if you're not interested in finding a monitoring solution, I'll buy you a cup of coffee and maybe lunch if you're willing to tell me about your environment, the business challenges, how it's going, what risks you see, etc..

Something Old and Something New

Eric Norlin provides some insight into what to do (related to identity management) in an economic slowdown:

Something Old:

"1. SSO and Password Reset: The facts are on the wall. If you can reduce the number of helpdesk calls for password reset, you're going to save a TON of money. You can do that through self-service modules, E-SSO, web sso, or even federation. Just do it."

Something New:

"2. Automating Compliance: This is a big one, and you probably won't get it done before the recession ends. However, the more you achieve automated compliance controls, the more big bucks you can save on manual audits. Throw everything from RBAC to de-provisioning into this bucket and then get started looking at what really will slice greenbacks soonest."

Password Reset and SSO have long been good entry points into Identity Management and also proven creators of cost reduction and efficiency.

Automated Compliance is a somewhat more recent phenomena that also yields cost reduction and efficiency. You may be wondering though how many companies are able to get to automated compliance without giving an arm and a leg to define requirements and processes that enable automated compliance. Might the initial effort might defeat the purpose of cost reduction?

One thing Eric wrote is probably key to that discussion – "the more you achieve automated compliance controls..." which to me means, let's not get caught up in the grand notion of automated compliance. Implement a few key automated controls that eliminate significant manual effort in the compliance audit process. And that will bring you cost reduction.

SaaS Eases Security Cost and Complexity

I first read an article in InformationWeek titled SaaS Makes A Run At Security and then found this very similar article by the same author online.

I've posted recently about identity as a service (be sure to check the comments and links if you visit that posting). But my day job dictates that I think more about identity reporting as a service. (intelligence around who has what access and what changes are being made).

One of the striking take-aways from the article is the Gartner estimate that by 2018, 85% of security intelligence will be offered as a service. I guess the words "offered as" seem to deflate the energy of the claim. I wonder what the estimates are for how much will be consumed as a service in 10 years.

In any case, I think the writer hits on the right points - cost and complexity. Especially for the mid-market (his target audience). I think (particularly in the mid-market) the simplification of key capabilities will outweigh the emotional hurdles that make SaaS a tough sell for security. Of course, actual security capabilities may remain a harder sell than security capabilities. That is, companies may be more willing to have managed identity reporting than managed provisioning.

I think mid-market security practitioners want their lives to be easier. They're not driven by the same concerns as large enterprises. What do you think?

Value Adding Security to the ROI of Identity Management

Two months ago, I posted about the prospect of extending the ROI on provisioning. The post was inspired by conversations with many smart people and led to additional conversations (like this one) that helped formulate the ideas presented in an article that was published today at eBizQ titled Value Adding Security to the ROI of Identity Management.

The initial draft had a number of quotes, but the quotes didn't read well according to the editor who was concerned that a quote by anyone less famous than Gartner could appear biased. I see his point, but apologies to those who I had requested permission to quote and who might have been expecting to be a part of the article.

I hope the article clarifies what I meant by extending the ROI of provisioning. I led a round table discussion at a CSO conference recently on the topic and I'm not sure that the idea resonated immediately. The bottom line is that provisioning solutions can be augmented to become a true (secure) funnel for account management rather than just the preferred avenue.

Improved Security on the Identity Infrastructure

I wanted to expand on my earlier post about Extending the ROI of Provisioning. Here's a visual aide to help the discussion:

There's nothing new in this illustration. It simply shows that the provisioning engine connects to multiple identity data stores. As we know, provisioning systems have the potential to do a very good job at providing work flow and business rules around creation and management of user accounts across multiple systems. They may even have some additional capabilities around Separation of Duties enforcement, user attestation, user self-service password management, reporting on rights (based on its view), and more.

The Gap

What it doesn't do, however, is protect the connected data stores against direct access. For example, the DBA still has direct access to the database and the Directory Administrator still has direct access to the directory. They can create new accounts, view information, and change permissions. The system may be able to see when new user accounts are created during its next scheduled run, but that capability isn't always enough. I'll give an example.

One of these LDAPs is not like the other

I purposely shaded the Network Directory so that it stands out from the others. That's because it is different. Since the market for the Network Directory consists almost entirely of just two vendors (Microsoft and Novell) and one has a much larger percentage of the market (Microsoft), I'll just use Microsoft's Active Directory (AD) as the example.

Now, back to the gaps:

• Scheduling: When provisioning systems connect to AD, the connection and sync processes are often scheduled. And AD has a time lag in replication (usually 15 minutes). S0, if the sync is done hourly against a particular DC, the total time that a new account may be in existence on a different DC without being noticed by the provisioning system is a little more than an hour. Can you do damage in an hour? I could create an account, make it a domain admin, log onto servers, change rights, access files, and remove my trail from the logs within an hour.


• Coverage Scope: The connection may be made to a particular portion of the AD tree. So, if you created an account in a portion of the tree that isn't monitored by the provisioning system, it wouldn't get picked up.


• Source: Some provisioning systems use AD as the source. So, in that scenario a new account in AD would potentially create accounts and/or rights across multiple other systems. So, by specifying rights or group memberships, an AD administrator could grant himself rights to other connected systems (perhaps in between attestation cycles).


• Account Type: Provisioning systems generally only look at user accounts based on object type. So, you could create an iNetOrgPerson instead of a User object.


• Activity Scope: Provisioning systems don't even try to monitor failed logon attempts or failed user creates at the local systems. They also don't watch file open activity or file changes. What if the provisioning system pulls a feed from a text file and someone modifies that file? There's no knowledge of activity other than a particular type of account being created.

All of these can be applied to other connected data stores as well. For example, scope is an issue for relational database tables. The provisioning system may only watch specific tables or may completely ignore local accounts in the RDBMS itself. Likewise, if AD is not the source, the HR database is likely the source which yields the same issue for the HR DBA.

Conclusion

My point isn't that provisioning systems are weak. They do what they do very well. But, you can improve the overall security posture of the environment by including localized protection on the connected data stores as well. Encrypt the database. Monitor DBA activity and Directory Administrator activity. Watch directories for failed attempts to create or modify accounts. Watch for failed authentication attempts. In a nutshell, ensure that accounts and permissions are being managed through the provisioning system into which you've built the business rules and work flow to ensure that rights are being managed effectively.

And if you have to respond to auditors for compliance reasons, you can say you're certain that accounts are only being created according to policy; instead of you hope that to be the case.

I've heard the argument that this might be overkill (admittedly an over-simplified characterization of the argument). OK. In some scenarios, maybe you don't need tighter security. You only care about work flow efficiency and cost cutting. Or you're OK with the level of improvement in your security posture that traditional user provisioning systems provide. I'm not saying that anyone should ignore the risk analysis process. But, if compliance is an issue and you want to prove compliance beyond reasonable doubt or just simplify the audit process, solutions that locally monitor the connected systems may provide value.

And if you can demonstrate that 100% of your user and rights management processes are funneled through the provisioning system with appropriate work flows, I think you could justify claiming a much improved ROI on the overall solution with minimal additional investment.

Disclaimer? Yes, NetVision can help with reporting and monitoring on your Network Directories (both major vendors) and related file systems. But that's no reason for me not to talk about it!

Extending the ROI on Provisioning

Provisioning has typically been about increased efficiency and reduced cost. But, it's time to extend the ROI into security and compliance as well. I've had a number of conversations over the past two weeks with provisioning vendors and industry consultants. They confirmed that the organizations they work with are asking for this. The same organizations that deploy provisioning solutions are confronted with compliance tasks and demand for improved security. They want the identity infrastructure that enables work flow efficiency to provide the compliance benefits as well. Provisioning vendors have made progress in terms of logging system activity, but there's no way for them to prevent authorized administrators from leveraging direct access to the directory to get around the work flow. Today's niche identity and security vendors have improved on this by providing security and audit-ability on the complete set of activity taking place in the identity infrastructure. I'm in the process of writing an article on this for one of the security trade mags. I'm interested in your feedback on this topic.

Would you like to be quoted? Would you like to be mentioned as a consultant that understands this proposition? Would you like your vendor's technology to be included? Let me know or leave a comment.

The C-Level execs take the fall

One more thing re: the State Dept. passport breach. Notice who's in the news taking the heat for the breach – the CEO of the State department. That's exactly what we were told would happen at the Gartner GRC Summit a few weeks ago. It's the C-level executives that take the fall when a high profile breach occurs, which is one of the reasons why governance is vital to the business. And why a correctly done risk analysis should beget executive sponsorship for risk mitigation solutions.

It's really interesting to me that such a seemingly ordinary act has become such a high profile breach. By ordinary act, I mean seemingly non-malicious and only acting with approved rights and privileges. These employees were GIVEN the power to act. They didn't have to TAKE the power through theft or hacking. And that's the risk with privileged users. With them, it's not about security controls. They can simply decide to subvert policy. That's why Dave's post was so timely. You can audit every transaction.

Audits don’t prevent loss?

Dave Rowe, who has a fairly extensive background in both audit and IT, reminds us:

Audit’s intent is to verify the accuracy of something; typically by checking a sample of outcomes but also by making sure that critical controls are functioning.

He's making the important point that Audit should not be confused with the security controls that are designed to enforce policy. Audit is there to prove policy effectiveness. Good point Dave. Sometimes we forget the basics amidst all the marketing collateral and news articles about security, risk, compliance, and audit. Sometimes it all just feels a bit jumbled.

He then makes a simple but powerful point about the strength of automating IT audit:

Instead of sampling a few transactions and seeing if the outcome was right, you can audit every transaction to see if the outcome was right.

Yes. And that's exactly the type of technology that saved Obama's passport information. Truly effective IT audit doesn't just check that policy and controls are in place. It monitors the effectiveness of policy and controls on an on-going basis.

Compliance as a Service - Counterpoint

Thanks for keeping us honest Ian! I would be pretty blind to claim that overall regulatory compliance can be solved with any IT solution (...or set of ...or service of). But I didn't make that distinction in my previous post. But, is that the basic point you're making? ...that IT compliance is a subset of overall Compliance? Or is there more to it?

I guess what I was thinking is that the service would not only provide controls that put you in compliance and evidence that proves you're compliant but also could tell you which questions you should be answering. ...even with regard to current trends in regulatory and market pressures (which no doubt change over time).

Understanding that big-C Compliance requires much more than IT controls, would it seem more realistic if we said IT-compliance-as-a-service? or IT-Audit-as-a-service?

The main thing I'm wondering is if organizations would get value from an external party taking over the IT audit portion so that the org itself (who might be anticipating regulatory pressure) wouldn't have to figure out which questions to ask, how to ask them, how to build controls to get the right answers, and how to prove that the answers are what they should be.

Audit for Active Directory

NetVision launched a new web site focused on our solution for reporting and monitoring on Windows and Active Directory. The solution is pretty cool. If you're having trouble understanding how to generate reports or apply real-time monitoring for Active Directory, you should check it out.

This is not a SIEM solution designed to collect logs from as many sources as possible. This is a very focused solution on Identity information in Active Directory. The listener is embedded into Active Directory so that we're not reliant on the security event logs, which provides non-repudiable proof of events that are taking place. And it means that we're not limited to the information provided by the event log (there is a limited set of attributes available for a user object change, for example). We can tell you what changes were made, when the change occurred and who initiated it. All of which is valuable audit and compliance information.

We also have advanced filtering capability on the listeners so that you can filter events by type, object, or actor. This means that you only collect relevant data which reduces storage and makes it easy to get to the data you want on the reporting side. We can tell you things like user attributes and group memberships, changes to user accounts or groups, inactive user accounts, OU changes, file system Access Control List changes, file system access attempts and file adds or changes. And we provide policy and report templates that make it easy for you to get up and running.

So take a look and let us know if you have questions.

The Insider Threat: News & Info

Some recent news of malicious insiders:

• Employee's silent rampage wipes out $2.5m worth of data - Here, a woman unnecessarily fearing job loss wiped out valuable employer data.


• Sys admin jailed for 30 months over failed logic bomb - A system administrator at MedCo planted a logic bomb that was luckily a dud in his first attempt.

Some interesting reading on the insider threat:

• Are Insiders Really a Threat? - An article from the Software Engineering Institute at Carnegie Mellon discussing the reality of the insider threat and outlining thirteen practices for preventing insider attacks. Incidentally, I think the 30% stat they provide is low. I think 30% may be the percentage of reported malicious attacks perpetrated by insiders. A far greater number of security breaches happen every day by non-malicious insiders. And here's an article on research suggesting that many insider breaches aren't reported (and why).


• The CERT Insider Threat Research page - Lots of useful information on insider breaches, including the source of the article above.

What does all that mean?

Well, the insider threat is real. I don't think that's controversial news. But I would argue that there are far more light security breaches by insiders than malicious attacks -- something I haven't seen much data on. But a breach is a breach and in many cases can be prevented with the right policies, processes and tools. I like the SEI article and I think it provides a good place to start thinking about how to approach the challenge.

A couple of quick things

A quick tactical point:

Thanks Mark for pointing out NetVision's ability to police the IDM environment. Specifically, Mark mentions the combination of NetVision with Novell's ZENworks Endpoint Security Management. I also wanted to point out that we already have customers who have deployed and are excited about our ability to add value to Novell Sentinel as well. Sentinel does security event monitoring and logging. NetVision adds value by providing advanced filtering capabilities for eDirectory events at the event collection side. So, the database doesn't fill up with unwanted or unneeded information. And by filtering it on the way in, we simplify the reporting process as well by organizing data in your terms according to your policies.

Also, if you're in LA tomorrow, stop by the CSO PCI Compliance Seminar. I'll be presenting a high level PCI compliance reference architecture and drilling down on policy management, encryption and key management, and the role of identity audit in PCI compliance.

NetVision Webinar: Surviving an Identity Audit

On Tuesday of next week (Dec. 18th) at 1PM EST, NetVision is presenting a webinar on Surviving an Identity Audit. The content is loosely based on our whitepaper of the same title.

You can sign up or get more information at the NetVision Events page. If you attend, we will help you to:

1. Understand the Business Drivers for Identity Audit

• Compliance: Government, Industry, Internal
• Organizational Risk: Unintentional, Malicious, Opportunistic

2. Manage the Identity Audit Project Lifecycle

• Create policies that minimize effort across multiple regulations or best-practice frameworks
• Implement automated controls
• Audit identity controls, user behavior, and user empowerment

3. Create a Culture of Compliance

• Build a multi-regulatory approach to minimize effort and streamline the audit process
• Leverage tools that automate audit reporting
• Utilize a continuous audit model

Look forward to seeing you there!

---
UPDATE - A condensed version of this webinar has been provided at the NetVision web site.