22 August 2014

Osirium is great for meeting MAS/TRM compliance

Andy Harris

Since the Monetary Authority of Singapore issued its Technology Risk Management Guidelines, they have achieved a lot of traction with compliance officers. Singapore is the third largest market for foreign exchange (UK 41%, USA 19%, Singapore 5.7%), and it seems that the quality and clarity of the guidelines have made them mutually acceptable worldwide.

In terms of access control there are three key sections for which Osirium is a great fit:

  • Never Alone Principle: Osirium has great controls on who can access what systems and when. Since it can act as a credential proxy, you can allow access without altering accounts(1) on the end systems whilst retaining full control. With Session Shadowing, supervisors can see what happens in real time, and session recording provides the permanent record. (1) Osirium can create and delete personalised accounts on the fly, manage the passwords of existing accounts, or simply proxy through to known credentials.
  • Segregation of Duties Principle: Osirium is built on the concept of users being in profiles. Profiles determine which systems and roles a user can get to, along with time windows for access and settings for session recording. For example, on a need-to-know basis a user can be in a read-only profile for some devices and a full-access profile for the systems they have responsibility for. Osirium can provide a really fine grain of control using Privileged Task Management, which allows an organisation to automate and delegate privileged IT tasks. This means that specific users can issue tasks through Osirium without being granted any of the privileges associated with those tasks.
  • Access Control Principle: Osirium makes it easy to create the right kind of accounts on systems. Its core purpose is to let you manage who gets access, with what tools and tasks, to what systems and at what role level.

Osirium Privileged Access Management (PAM) takes this one level higher with strong analytics that show you how, when and where your systems are being accessed.