The Proper Role of Identity Management in Regulatory Compliance

According to Gartner’s “Survey Analysis: Trends in End-User Security Spending, 2017,” organizations are increasing their cybersecurity budgets due to fears of data breaches and related business risks. Regulatory compliance is also a top concern that’s driving security spending.

Organizations face significant financial penalties if they fail to meet increasingly strict regulatory requirements for data security and privacy. The 2016 Ponemon Institute Cost of a Data Breach Study found that the average cost per lost or stolen record increased from $154 in 2015 to $158 last year. Fines for noncompliance with regulations are making up an increasingly significant proportion of data breach costs.

For example, penalties under the Health Insurance Portability and Accountability Act (HIPAA) can reach as much as $1.5 million. Noncompliance with the Payment Card Industry Data Security Standard (PCI DSS) can result in fines of between $5,000 and $500,000. The General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, will carry the risk of substantial fines for organizations that fail to meet privacy standards for personal data on consumers in the European Union (EU).

Many organizations install cybersecurity tools, review policies and procedures, conduct risk assessments, and believe they are in compliance as a result. However, regulatory compliance isn’t only about implementing a particular technology or process; an organization can spend substantial sums on security tools and still suffer a data breach. Compliance is about demonstrating that the technologies and processes you implement will provide adequate levels of protection.

That’s why identity and access management (IAM) plays a foundational role in regulatory compliance. In addition to controlling access to sensitive applications and data, IAM helps enforce compliance policies and prevent people from making changes that could compromise security. IAM enables organizations to accomplish this by applying the principles of least-privilege access and separation of duties. Users are given only those privileges that are necessary for their job functions, and responsibilities for critical tasks are split among multiple people.

IAM systems perform two primary functions: predetermined and real-time access control. Predetermined access controls regulate a user’s ability to gain entry to certain systems based on the level of privileges assigned to that user. Once the system determines that the user has the appropriate privileges, real-time controls make decisions based on the user’s location, device, or other parameters, and ensure that the user is only able to access the appropriate systems and data.

Predetermined access controls help prove compliance by showing who authorized the user’s credentials and what criteria were used to determine a given level of privileges. Real-time access controls, on the other hand, log the user’s access attempts and the data obtained during an active session. As noted in a previous post, automated tools can help organizations meet compliance requirements by managing growing volumes of identities and producing meaningful reports.
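To make the two stages concrete, here is an added illustration (not code from the original post or from any IAM product) of a policy decision that first enforces least privilege and separation of duties from role assignments, then evaluates session context, and writes an audit entry for every attempt; the roles, permissions, countries and users are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple
# Constructed entitlement model: each role carries only what its job needs.
ROLE_PERMISSIONS = {
    "ap_clerk": {"payments:initiate", "invoices:read"},
    "ap_manager": {"payments:approve", "invoices:read"},
}
# Separation of duties: nobody may both initiate and approve a payment.
SOD_CONFLICTS = [("payments:initiate", "payments:approve")]
# Real-time policy inputs (constructed): managed devices from these countries only.
ALLOWED_COUNTRIES = {"US", "DE"}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    permission: str
    device_managed: bool
    country: str

def effective_permissions(roles) -> set:
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

def predetermined_check(req: AccessRequest) -> Tuple[bool, str]:
    """Stage 1: is the user entitled at all, and would the grant break SoD?"""
    perms = effective_permissions(req.roles)
    if req.permission not in perms:
        return False, "permission not granted to any assigned role"
    for a, b in SOD_CONFLICTS:
        other = b if req.permission == a else a if req.permission == b else None
        if other in perms:
            return False, f"separation-of-duties conflict: {req.permission} with {other}"
    return True, "entitled via role assignment"

def realtime_check(req: AccessRequest) -> Tuple[bool, str]:
    """Stage 2: session context (device, location) evaluated at access time."""
    if not req.device_managed:
        return False, "unmanaged device"
    if req.country not in ALLOWED_COUNTRIES:
        return False, f"location {req.country} not permitted"
    return True, "context acceptable"

def decide(req: AccessRequest, audit_log: List[dict]) -> bool:
    """Run both stages and record every attempt; the log is the compliance evidence."""
    allowed, reason = predetermined_check(req)
    stage = "predetermined"
    if allowed:
        allowed, reason = realtime_check(req)
        stage = "realtime"
    audit_log.append({"user": req.user, "permission": req.permission,
                      "stage": stage, "allowed": allowed, "reason": reason})
    return allowed
```

The audit entries record which stage denied a request and why, which is the evidence an auditor asks for when checking that access policy is enforced rather than merely written down.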

Of course, all of this is futile if users can “go around” the IAM system. That’s why it’s important to extend IAM across the enterprise and eliminate any systems or processes that allow data to be accessed without proper controls.

IAM won’t ensure compliance; no other security tool or technology will, either. The proper role of IAM in today’s regulatory climate is to document an organization’s ability to detect and prevent unauthorized access to sensitive systems and data.


If you would like more information about how the right IAM solution can help you meet industry-specific security requirements, please reach out to us via email at (
