Can IAM software provide certificates for compliance with legal regulations?
The introduction of IAM systems is often driven by the need for compliance with legal regulations. From high-level laws like the Sarbanes-Oxley Act (SOX) down to technical standards like ISO 27000, an effective Identity and Access Management capability is a prerequisite for compliance with such frameworks. It is therefore natural that companies, when implementing an IAM solution, ask vendors for general certificates attesting that the product complies with the regulation in question.
To make a long story short:
Such certificates are either not available or of dubious validity. The reason for this disappointing summary is that compliance with any such regulation must be assessed against the individual implementation of a system, not just the product's general capabilities. Beyond the required feature set of the chosen IAM product, the system's configuration as well as the defined administrative and operational processes must also be subject to a compliance audit. As early as 2000, the well-known IT security pioneer Bruce Schneier put it this way: "Security is a process, not a product". When reviewing the relevant regulations, the largest share of their compliance requirements addresses the definition and documentation of responsibilities and processes within the audited organization. How could a standard product be certified as complying with tasks that are specific to each customer?
IAM Compliance Certificates
Certificates therefore either attest the compliance of an organization (including its individual implementation of an IAM solution) or they certify the compliance of a product with corresponding technology standards. Such product certificates are issued by many national authorities and apply to products focused on access security, such as firewalls or PKI environments. For these types of product, certificates are a viable means of ensuring quality standards for technical aspects like encryption or digital signatures. The strength of these products is hardly affected by the customer's individual configuration, whereas the quality of an IAM product depends entirely on the solution design and the operating policies. No standard for certifying an IAM product can therefore be defined in a meaningful way.
So although compliance with many standards is hardly achievable without an IAM system, merely procuring and installing an IAM system does not ensure compliance by itself: you cannot 'buy' compliance. In this context, Garancy IAM helps and supports our customers in becoming compliant in many ways. Beta Systems can confirm that customers who use our IAM solutions have successfully passed a variety of compliance audits, from German standards like MaRisk to international regulations like PCI DSS or the Sarbanes-Oxley Act. Based on this experience, Beta Systems and its partners can advise companies on compliance matters. Nevertheless, the question of whether an organization is compliant must be answered individually for every single organization.