At the Crossroads of Microsoft Active Directory, Identity Management and NERC Compliance Software

At the Crossroads of Microsoft Active Directory, Identity Management and NERC Compliance Software

NERC compliance gatekeeper.

Yesterday, many of you probably read about Entergy Corporation ETR announcing its plan to close and decommission the Vermont Yankee Nuclear Power Station. With the closing, Entergy explained the decision was driven by sustained low power prices, high cost structure and prospective for a heavily regulated wholesale electricity market.

I couldn’t help contrast the Entergy decision with a study I recently read on global competitiveness. According to the 2012-2013 Global Competitiveness Report, the world’s strongest economies are the most regulated. This year, as in previous ones, the top 10 economies are also Europe’s most regulated. Switzerland, Finland, Sweden, the Netherlands, Germany, and the United Kingdom, the most regulated economies in the world, outperform all other nations. Rounding out the top 10, the United States, Singapore, Hong Kong and Japan are regulated too, yet to a lesser degree and their performance drops off significantly from the leaders.

By now you are probably wondering what does the Global Competitiveness Report have to do with Microsoft active directory, identity management, and NERC compliance software? The connection stems from the world’s leaders use compliance regulations as an opportunity for total quality control and continuous improvement. For economic leaders, compliance is not concerned with how quickly and completely you mark off a compliance checklist. It’s about protecting intellectual property, focusing on customers, and sustaining profitability.

So how can North American Electric Company providers move from manual, ad-hoc annual or biannual compliance review processes to a total quality, continuously managed, and proactively monitored environment?

The answer lies in automating as many processes as possible, especially IT processes, so compliance and security efforts are simplified. To truly mature processes around access management controls, access certification governance and password management, software must be introduced that unifies Identity and Access Management capabilities.

Automation can also improve accountability through dynamic workflows that put the appropriate decision-makers in charge of access decisions. Automation not only aids in meeting compliance requirements, but it also enables awareness of security processes through reporting. Automation lets you parse out the actions of all user accounts, even administrators, to identify areas of risk.

With identity management automation, access management concerns can be dramatically reduced. This helps energy organizations focus on broader NERC compliance initiatives. At the same time, operations around identity and access management will improve as manual effort is eliminated.

NERC Compliance & Identity and Access Management Automation

As a case in point, let’s look at some common examples where the IT automation of identity management exceeds NERC CIP compliance and exponentially improves information security at a lower cost.

CIP–003–3 R5.1

The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.

NERC Compliance Challenge

With active directory, the practice of shared administrative credentials is common. The granting of logical access is difficult to track and activities are impossible to associate to a single user account.

NERC Compliance Solution

The automated creation of user accounts gives visibility into the actions of administrators even for privileges shared. Administrator activities now trigger unusual access alerts while generating a complete log.

CIP–005–3 R2.1

Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.

NERC Compliance Challenge

NERC compliance access controls equally apply to managing active directory groups. The proliferation of active directory group sprawl with out dated members, orphan accounts and no date of expiration create commonly exploited security vulnerabilities.

NERC Compliance Solution

An automated identity management NERC compliance solution alerts you every time a new active directory group is created while allowing you to continuously report on orphan members, unusual privileges and unnecessary memberships.

CIP–007–1 R5.3.2

Each password shall consist of a combination of alpha, numeric, and "special" characters.

NERC Compliance Challenge

The use of special characters is not possible in a standard active directory Windows operating system.

NERC Compliance Solution

An identity management password management system adds security over active directory without requiring equipment and operating system replacement.

NERC Compliance Software with Workflow Automation

To automate NERC CIP compliance and audit reviews, you must first identify your systems, services, devices, data, and people. In categorizing roles, their critical assets, and access privileges you determine a ‘need to know’ baseline for all operations and personnel. When you automate identity management NERC compliance processes, you establish a unified framework for company compliance with HR HIPAA regulations, PCI DSS protection of customer data from unauthorized internal access and SOX compliance for publicly traded companies.

In the NERC CIP active directory examples, the solutions exceed the compliance requirement within existing capabilities. To meet NERC regulations and sustain profitability, look to the economic leaders and identity management automation for the metrics.

Watch the Avatier Identity Management Megatrends Driving the Future Video

Ryan Ward, Chief Innovation Officer and Chief Information Security Officer at Avatier talks about how the next step in the evolution of identity and access management can have a dramatic influence in streamlining IT department processes.

Get the Top 10 Identity Manager Migration Best Practices Workbook

top 10 identity manager migration best practicesStart your migration from legacy software with the Top 10 Identity Manager Migration Best Practices Workbook. Use this workbook to think through your information security risk before you transition to next generation identity manager software.

Request the Workbook

Written by Thomas Edgerton

Thomas Edgerton, Avatier's MVP award-winning Market Analyst and Performance Consultant in information technology, IT security, instructional technology and human factors, blogs on topics ranging from leadership to national security, innovation and deconstructing the future.​