Regulations impact access control

 

 

 

"As we move forward, we expect to place greater emphasis on the culpability of individuals for their knowing involvement in export control violations, as well as on the companies with which they are associated."

David Mills
Assistant Secretary for Export Enforcement

"... More specifically, these controls address:
(a) organizational structure: definitions of duties and responsibilities, including clear delegation of authority (eg clear loan approval limits), decision-making policies and processes, separation of critical functions (e.g. business origination, payments, reconciliation, risk management, accounting, audit and compliance);
(b) accounting policies and processes: reconciliation of accounts, control lists, information for management;
(c) checks and balances (or “four eyes principle”): segregation of duties, crosschecking, dual control of assets, double signatures; ...â"

Basel Committee on Banking Supervision:
Core Principles for Effective Banking Supervision, December 2012

"... the inclusion of end-user data (both fixed and mobile) in databases should comply with the safeguards for the protection of personal data, including Article 12 of Directive 2002/58/EC (Directive on privacy and electronic communications)." [...]
"Competent national authorities [...] should have sufficient powers [...] to decide on complaints and to impose sanctions in cases of non-compliance."

DIRECTIVE 2009/136/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2009

Extensible authorization for sustainable compliance

Privacy, export controls or banking; the regulated areas vary considerably, but they all come with complex requirements on access control. And most regulations do. They mandate what organizations may or may not do. Collaborative processes and workflows for which IT provides supporting functions therefore need to be controlled. Thus, regulations by nature impact access controls. 

Sustainable IT organizations strive to externalize authorization decisions from individual applications in order to enable adaption to regulatory requirements. Multi-national organizations frequently have to adapt to multiple jurisdictions. This is almost impossible to do, unless authorization is externalized from applications.

Axiomatics policy-based authorization solutions are built on the XACML standard. They have proven to be extremely efficient in heavily regulated industries. In some areas XACML profiles for regulatory compliance may already have been published by the XACML standardization body. The XACML 3.0 Export Compliance-US profile does for instance help administrators write policies that reflect the intent of the US Department of Commerce with regard to export compliance (EC) laws and regulations. These regulations mandate rules for access depending on the user's location, nationality, relation to blacklisted entities, etc. in relation to a classification scheme for sensitive data types. Avoiding non-compliance by means of manual controls is practically impossible. The same is however true for existing, static access control models, since they are unable to capture the dynamic aspects of what needs to be controlled. By using the XACML profile for export control, customers have a good portion of the implementation out-of-the-box. Implementation and maintenance costs can be kept at a minimum while compliance officers can trust their IT systems to be fully conformant at any time.

In highly regulated industries, any attempt to achieve compliance with conventional, static models such as Role Based Access Control (RBAC) means adding considerable costs while fighting a lost cause. Contrarily, making the shift to eXtensible authorization is investing in sustainable and future-proof IT. As new regulative mandates become applicable, you simply add and audit centrally maintained policies.