SOX and Privileged Access Management
Sarbanes-Oxley… aka “SOX.” Wow, is that still a thing? Oh, yes, you can bet your 10-K on it. The law requires publicly traded corporations to document, implement, audit, and certify internal controls over financial reporting. This includes a great deal of attention to IT controls and policies. Access controls are critical for SOX. As a result, SOX and Privileged Access Management (PAM) are closely linked, or should be.
A Brief SOX Refresher
SOX is turning 15 this year. The law was enacted in 2002 after the Enron scandal revealed how audited financial statements from public companies could be subject to manipulation that masked fraudulent practices. And, while SOX compliance has become simpler and more routine over the years, it is still a serious set of regulations with serious penalties for non-compliance — including prison for CEOs and CFOs who breach the law.
SOX is actually a collection of rules that add onto the original Securities Laws of the 1930s. It covers activities such as email retention and controls over financial processes. The goal is to give shareholders confidence that the financial statements of a public company are accurate. The SOX “IT General Controls,” as they are known, are thus designed to ensure that financial data and systems are uncorrupted. An external audit must verify that the controls are not deficient.
SOX and Privileged Access Management
Many, if not all, SOX IT General Controls are rooted in access management. For example, if configuration of the General Ledger application is part of an IT General Control, then knowing who has done the configuring (to an auditable extent) is essential for maintaining strong controls.
The person who configures the General Ledger is a “privileged user.” He or she has administrative or “root” access to the General Ledger system. From this privileged position, he or she can add, edit or delete accounts or change settings that affect financial transactions.
For instance, there may be a control over who can post assets to the balance sheet. If this control can be manipulated without anyone’s knowledge, financial data could become corrupted. This could be either unintentional or deliberate. In an Enron type scenario, a malicious internal actor could modify assets before and after the firm’s financial audit. This is a recipe for serious fraud.
Companies that do not manage access well face a double-edged problem. There is the increased risk of cybersecurity breaches. There is also the likelihood that the SOX auditor will find the IT Controls to be deficient (or worse, to be suffering from a “Material Weakness” that will need to be remediated at significant cost).
A PAM solution offers a secure, streamlined way to authorize and monitor all privileged users for sensitive systems—including systems involved in financial reporting. It grants and revokes privileges to users for the systems on which they are authorized. The solution centrally and quickly manages access across the kind of heterogeneous systems that handle financial transactions and reports (e.g. General Ledger, ERP, Billing, Bank APIs, etc.). The PAM solution creates an unalterable audit trail for any privileged operation. This capability streamlines the SOX documentation and audit process.
Privileged Access Management for SOX Compliance
WALLIX offers a PAM solution to achieve SOX compliance in the IT department and beyond. WALLIX combines robust PAM capabilities with unique ease of installation and use. An agentless architecture streamlines implementation and ongoing changes. Other PAM solutions require the installation of a dedicated software agent on each system where privileged access is being managed. Agents tend to slow down deployment and usually lead to PAM abandonment when they “break” during upgrade cycles. Without ubiquitous deployment, PAM cannot offer complete security or adequate SOX compliance.
Ease of use and installation offer major benefits for SOX compliance. SOX has the potential to constrain agility if controls are excessively rigid. IT has to be able to modify systems to keep up with changes in the business. If SOX compliance becomes a drag on agility, then either agility or compliance will suffer. WALLIX makes it possible to avoid this tradeoff.
WALLIX spans both cloud and on-premises system deployments. With this capability, the IT department can define and enforce privacy policies for admins and employees across the globe. Other core features include:
- Access Manager – Governs access to privileged accounts, creating a single point of privileged access management policy definition and enforcement that is useful for SOX compliance. A privileged user requests access to a system through the Access Manager. The Access Manager knows which systems the user can access and at what level of privilege. A super admin can add/modify/delete privileged user accounts on the Access Manager.
- Password Vault – Prevents privileged users from knowing the actual passwords to critical systems. A manual override on a physical device becomes impossible. Instead, WALLIX keeps these passwords in a secure vault and opens access to a system for the privileged user once he has cleared the Access Manager. Password Vault strengthens internal controls by ensuring that an administrator cannot change settings for data management or data protection on a local appliance.
- Session Manager – Tracks actions taken during a privileged account session. For audit and incident transparency purposes, WALLIX’s Session Manager offers fine-grained detail for DPA reporting.
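As an added illustration (not WALLIX code; user names, system names and vault values are constructed placeholders), a small Python model of the three roles above: the policy check, credential injection that never reveals the password to the user, and a hash-chained audit trail so that after-the-fact edits to the log are detectable.

```python
import hashlib
import json

# Constructed sample policy (assumption, not WALLIX data): which privileged
# user may reach which system, and at what level (the Access Manager role).
POLICY = {
    "alice": {"general-ledger": "admin", "billing": "read-only"},
    "bob": {"billing": "admin"},
}
# Constructed vault contents; a real vault never shows these to the user.
VAULT = {"general-ledger": "PLACEHOLDER-GL", "billing": "PLACEHOLDER-BILL"}


class PamBroker:
    """Checks policy, uses the vaulted credential on the user's behalf and
    keeps a hash-chained audit trail so tampering is detectable."""

    def __init__(self):
        self.audit = []  # entries: {"prev", "event", "hash"}

    def _append(self, event):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.audit.append({"prev": prev, "event": event, "hash": digest})

    def open_session(self, user, system):
        level = POLICY.get(user, {}).get(system)
        self._append({"user": user, "system": system,
                      "decision": "allow" if level else "deny"})
        if level is None:
            return None
        # The broker would connect with this credential; the user only gets
        # an opaque session handle, never the password (Password Vault role).
        _credential = VAULT[system]
        return {"session": f"{user}@{system}", "level": level}

    def record_action(self, session, action):
        # Every privileged operation is appended to the chain (Session Manager).
        self._append({"session": session["session"], "action": action})

    def verify_chain(self):
        # Recompute every link; an edited or removed middle entry breaks it.
        prev = "0" * 64
        for entry in self.audit:
            body = json.dumps(entry["event"], sort_keys=True)
            digest = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != digest:
                return False
            prev = entry["hash"]
        return True
```

Truncating the newest entries is not caught by this check alone; in practice the latest hash is also anchored somewhere the administrators being audited cannot write.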
WALLIX is lightweight; it easily establishes the kind of pervasive, sustainable PAM that SOX needs to work effectively. It sets up rapidly no matter the system and doesn’t require complex maintenance or agent updates as underlying systems change. This enables a level of flexibility that leads to a balance between compliance and agility.