PlainID Identity Security Posture Management Blog

6 Regulations Requiring IAM Compliance

Written by Gal Helemski | Mar 19, 2020 12:07:16 PM

WHAT IS IDENTITY AND ACCESS MANAGEMENT? 

For an enterprise of any size, Identity and Access Management (IAM) is an essential framework for implementing the policies that are necessary to protect assets, resources, and transactions.

IAM is a very efficient means of enabling security and lowering risks. But IAM, with its ability to manage users, their access, roles, and permissions, is also an essential piece of the puzzle when it comes to compliance with the rules and regulations governing specific industries, verticals, or geographical areas.

Security and compliance often go hand in hand. Regulators worldwide recognize this and have enacted strict standards for authentication and for access to sensitive and personal data. Here are six common compliance frameworks and regulations that require organizations to implement IAM policies.

  • HIPAA 

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. HIPAA establishes national standards for the privacy of protected health information (PHI) and adopts security standards that limit access to PHI stored, processed, or transmitted in electronic form.

In HIPAA-regulated environments, IAM is essential. The HIPAA Security Rule requires unique user identification, access controls, and audit controls for systems holding electronic PHI, which in practice means centrally managed identities and close control over who can reach healthcare data.

HIPAA's Privacy Rule applies a "minimum necessary" standard, the regulatory counterpart of least privilege: only staff who need PHI for their job should be able to reach it, and only as much of it as the task requires. As a result, HIPAA has many requirements related to system access and access-control safeguards. Through the correct implementation of IAM policies, organizations can host sensitive healthcare data securely and enforce user access at the granular level HIPAA expects.

  • HITECH 

The Health Information Technology for Economic and Clinical Health Act (HITECH) expands and strengthens HIPAA by imposing further requirements on the use and disclosure of PHI. For example, it requires notification when a breach exposes unsecured (that is, unencrypted) PHI, adds safeguards to protect PHI, and raises the penalties for HIPAA violations.

In addition, HITECH extends certain HIPAA requirements beyond the entities that HIPAA originally covered to their business associates, the vendors and partners that handle PHI on their behalf. As a result, HITECH has added layers of complexity and cost for every organization that handles healthcare data.

Organizations must ensure that PHI and PII are kept private and that they can demonstrate compliance with the regulatory requirements that apply to them. To achieve this, organizations leverage Identity and Access Management (IAM) technology to define, verify, and enforce appropriate user access.

IAM delivers the visibility HITECH demands by answering who is accessing what, when, how, and why, which makes attesting to the effectiveness of access controls easier and more transparent.

One advantage IAM offers for HITECH compliance is that identities and access policies can be federated beyond the boundaries of the organization, so that specific users outside it can be granted secure, auditable access to electronic health records. Since HITECH requirements extend to the business associates of regulated organizations, this capability of IAM is essential for compliance.

  • PCI 

The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of standards administered by the PCI Security Standards Council, whose founding members are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

PCI DSS requires organizations that store, process, or transmit payment card data to adhere to strict information security controls and processes. The standard is organized into twelve requirements, including strict rules for user access management.

IAM facilitates compliance with PCI DSS's access-control requirements, which demand that entities, among other things:

  • Restrict access to cardholder data by business need-to-know (Requirement 7)
  • Assign a unique ID to each person with computer access (Requirement 8)
  • Restrict physical access to cardholder data (Requirement 9)

IAM policies are vital to controlling who can reach the systems in scope and the cardholder data they hold.

IAM lets administrators limit every user, privileged users included, to the minimum privileges needed to do their job, assign and maintain a unique ID for each person, and revoke privileges automatically when they are no longer needed (for example, when someone changes role or leaves).

These capabilities map directly onto PCI requirements 7 and 8: "Restrict access to cardholder data by business need to know" and "Identify and authenticate access to system components". Kept under IAM control, privileges cannot quietly accumulate into the kind of over-broad access that leads to cardholder data exposure.

  • GDPR

The General Data Protection Regulation (GDPR) is a landmark EU regulation that has changed the way companies must handle the personal data they hold.

As Grant Thornton (one of the world's leading organizations of independent audit, tax and advisory firms) recently pointed out: "As businesses adapt to comply with the General Data Protection Regulation (GDPR)… data privacy and cybersecurity issues are now worthy of C-suite attention. These issues, along with identity and access management (IAM), will continue to factor into enterprise decisions about technology and innovation in 2020".

GDPR requires that personal data "can be accessed, altered, disclosed or deleted" only by those authorized to do so, using "appropriate" controls commensurate with the nature, scope, purpose, and context of the processing. To comply, organizations must ensure that access to personal data is restricted:

  • to the right people only
  • to the explicit purpose for which the data was collected (purpose limitation)
  • to the period of time for which it is required (storage limitation)

Because GDPR expects access to be controlled at this granular level (specific data, for specific people, for specific purposes and periods), IAM is the natural tool for addressing these compliance obligations.

IAM solutions also underpin other areas of GDPR, such as transparency and governance around data-subject rights: access, rectification, portability, and erasure.

  • FERPA 

The Family Educational Rights and Privacy Act (FERPA) is a federal law that regulates to whom, and under what circumstances, student education records may be released. Its regulations require "reasonable methods" to authenticate those requesting and receiving records and to ensure that school officials reach only the records in which they have a legitimate educational interest, while improving "the transparency and availability of education data" and enhancing "the effectiveness of access controls."

FERPA does not spell out what "reasonable methods" are. Still, best practices include controls that are inherent in IAM solutions:

  • a "least privilege" policy
  • leveling authentication requirements to the sensitivity of the resource (for example, requiring a second factor for the most sensitive records)
  • limiting access by role
  • automatic updating or deletion of permissions when a person's role ends or changes
  • automatic logging of "who, what, when & from where" to enhance reporting capabilities and audit readiness
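The controls these sections keep returning to (need-to-know and least privilege under PCI requirement 7, a unique ID per person under requirement 8, purpose- and time-limited access under GDPR, and the FERPA best-practice list above) come down to one authorization decision made consistently and recorded every time. The following is an added example of such a policy decision point in Python; it is not PlainID's code and is not taken from any regulation text. The data classifications (PHI, PAN, EDU_RECORD, PUBLIC), roles, purposes, user IDs, grants and the policy table are all constructed for the illustration.

```python
"""Added example: a minimal policy decision point (PDP).  The policy table,
classifications, users and grants are constructed for illustration only."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Subject:
    uid: str             # unique per person, never a shared account (PCI DSS Req. 8)
    roles: frozenset
    auth_level: int      # 1 = single factor, 2 = multi-factor
    source_ip: str

@dataclass(frozen=True)
class Resource:
    rid: str
    classification: str  # hypothetical labels: PHI, PAN, EDU_RECORD, PUBLIC

@dataclass(frozen=True)
class Grant:             # explicit, purpose-bound entitlement with a hard expiry
    uid: str
    classification: str
    purpose: str
    expires_at: datetime

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

# Hypothetical policy table: classification -> (roles eligible to hold a grant,
# minimum authentication level). None = unrestricted.
POLICY = {
    "PHI":        (frozenset({"clinician", "billing"}), 2),
    "PAN":        (frozenset({"payments-ops"}), 2),
    "EDU_RECORD": (frozenset({"registrar", "advisor"}), 1),
    "PUBLIC":     (None, 1),
}

class PolicyDecisionPoint:
    def __init__(self, grants: List[Grant], clock: Callable[[], datetime]):
        self.grants = list(grants)
        self.clock = clock          # injected so expiry is deterministic and testable
        self.audit_log: List[dict] = []

    def _active_grant(self, s: Subject, r: Resource, purpose: str, now: datetime) -> Optional[Grant]:
        for g in self.grants:
            if (g.uid == s.uid and g.classification == r.classification
                    and g.purpose == purpose and g.expires_at > now):
                return g
        return None   # never issued, wrong purpose, or lapsed: all look the same to the caller

    def decide(self, s: Subject, r: Resource, action: str, purpose: str) -> Decision:
        now = self.clock()
        rule = POLICY.get(r.classification)
        if rule is None:
            d = Decision(False, "unknown classification: default deny")
        else:
            roles, min_auth = rule
            if roles is None:
                d = Decision(True, "public resource")
            elif not s.roles & roles:
                d = Decision(False, f"role not eligible for {r.classification}")
            elif s.auth_level < min_auth:
                d = Decision(False, f"step-up required: auth level {min_auth} needed")
            elif self._active_grant(s, r, purpose, now) is None:
                d = Decision(False, f"no active grant for purpose '{purpose}' (missing or expired)")
            else:
                d = Decision(True, "role, auth level, purpose and unexpired grant satisfied")
        # who / what / when / from where / why, recorded for allows and denies alike
        self.audit_log.append({"ts": now.isoformat(), "uid": s.uid, "ip": s.source_ip,
                               "action": action, "rid": r.rid, "purpose": purpose,
                               "allowed": d.allowed, "reason": d.reason})
        return d

def demo():
    """Constructed scenarios against a fixed clock; returns (decisions, audit_log)."""
    now = datetime(2020, 3, 19, 12, 0, tzinfo=timezone.utc)
    past, future = datetime(2020, 3, 1, tzinfo=timezone.utc), datetime(2020, 6, 30, tzinfo=timezone.utc)
    pdp = PolicyDecisionPoint([
        Grant("u1001", "PHI", "treatment", future),
        Grant("u2002", "PHI", "billing", past),     # lapsed: revoked by expiry alone
        Grant("u3003", "EDU_RECORD", "legitimate-educational-interest", future),
    ], clock=lambda: now)
    doctor = Subject("u1001", frozenset({"clinician"}), 2, "10.0.0.5")
    doctor_no_mfa = Subject("u1001", frozenset({"clinician"}), 1, "10.0.0.5")
    clerk = Subject("u2002", frozenset({"billing"}), 2, "10.0.1.9")
    registrar = Subject("u3003", frozenset({"registrar"}), 1, "10.0.2.7")
    chart, card = Resource("chart/4711", "PHI"), Resource("card/tx-88", "PAN")
    record, blob = Resource("student/555", "EDU_RECORD"), Resource("blob/1", "SECRET")
    decisions = [
        pdp.decide(doctor, chart, "read", "treatment"),          # allow
        pdp.decide(doctor, chart, "read", "marketing"),          # deny: purpose not granted
        pdp.decide(doctor_no_mfa, chart, "read", "treatment"),   # deny: step-up needed
        pdp.decide(clerk, chart, "read", "billing"),             # deny: grant expired
        pdp.decide(registrar, record, "read", "legitimate-educational-interest"),  # allow
        pdp.decide(doctor, card, "read", "treatment"),           # deny: role not eligible
        pdp.decide(doctor, blob, "read", "treatment"),           # deny: unknown classification
    ]
    return decisions, pdp.audit_log
```

Two design choices matter more than the rest: access is default-deny (an unknown classification and a missing grant are both refused), and every entitlement carries an expiry, so revocation happens by the clock rather than by someone remembering to remove it. The clock is injected so the expiry path can be exercised deterministically, and every decision, allowed or denied, lands in the audit log with the who, what, when, from where and why an auditor will ask for.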

  • GLBA

The Gramm-Leach-Bliley Act (GLBA) is a federal law whose express intent is to ensure that financial institutions protect:

  • the security and confidentiality of customer information
  • against anticipated threats or hazards to the security or integrity of that information
  • against unauthorized access to or use of that information

Threats to financial data come from inside and outside an organization. IAM solutions help meet GLBA's requirements against both: multi-factor authentication and sound password storage (salted hashing rather than reversible encryption) at the front door; dynamic role and entitlement management with granular controls on location and device; and visibility into the context and content of every record access.

IAM facilitates GLBA compliance by limiting access based on user roles and limiting permissions to the minimum necessary to complete a specified job.

To Wrap it Up

The regulatory and compliance landscape is constantly changing, and the cost of non-compliance keeps rising. With GDPR fines alone topping $126 million, organizations of all sizes cannot afford to overlook the core requirements of the standards that regulate their industries and geographies.

Interested in learning more about IAM and Authorization models? Check out our glossary of key IAM terms, or download “The Complete Guide to Authorization” eBook.