Sun Microsystems, Inc. today announced Sun Java™ System Identity Auditor, a comprehensive identity audit solution for helping to improve audit and compliance performance. Identity Auditor provides the most extensive feature set available today and can enable customers to create a secure identity audit trail and present a unified view of an individual’s identity and system access activities. Sun is the only vendor to deliver proactive, automated, and sustainable visibility into identity controls across critical enterprise applications and the entire identity management infrastructure.

In order to comply with legislative regulations, such as Sarbanes-Oxley and HIPAA, companies must be able to report on and manage who has access to critical information systems, such as financial applications or medical records. In addition, companies must provide data on historical access privileges, as well as secure, auditable evidence that internal controls are in place. Identity Auditor helps automate the evaluation and enforcement of a company’s internal identity and access controls so they can react quickly to any violations to minimize risk. For example, in order to meet requirements for the upcoming April HIPAA security deadline, healthcare management personnel could use Identity Auditor to monitor hospital patient care systems, verify identity controls, and help ensure patient confidentiality is being maintained.

“Companies are spending substantial sums of money to hire and manage external consultants to perform auditing and compliance tasks for identity management activities,” said Roberta J. Witty, Research VP, Gartner Inc. “To answer the question of ‘Who has access to what?’, and prove it, companies need a secure, automated analysis and reporting solution that is cost-effective and comprehensive in its capabilities, including the scope of supported platforms and applications as well as role conflict analysis.”

“Organizations today are struggling to implement effective security controls and the verification and auditing of these controls is often a fragmented and highly manual process,” said Sara Gates, vice president identity management at Sun Microsystems, Inc. “Identity Auditor addresses this challenge by enabling automation of identity controls across critical enterprise applications and providing companies with visibility to the audit trail of those automated activities as well as the reporting they require to address corporate audit and compliance requirements.”

Scheduled and Automated Notification of Control Violations

The audit policy engine within Identity Auditor scans critical applications, flags audit policy violations and evaluates violation criteria, such as: segregation of duties, unauthorized access changes, and erroneous access privileges. Early detection and appropriate notification can help reduce the impact of any violations on an organization. Pre-configured audit policies help accelerate regulatory compliance efforts, resulting in reduced costs for the organization. In addition, Identity Auditor allows customers to define custom audit policies, which helps to address their specific corporate requirements.

Automated Certification Reviews

To help enable ongoing verification and attestation of identity controls and mitigate operational risks, Identity Auditor leverages workflow and delegation capabilities to notify and send audit reports automatically to selected reviewers, such as managers or business process owners. The reports can be regularly scheduled access reports or reports generated when a policy violation occurs. Identity Auditor integrates with provisioning and access management solutions to help enforce automated remediation of policy violations. For example, a policy violation could trigger an action within Sun Java System Identity Manager to disable an account, have the Sun Java System Access Manager terminate a session, or simply provide notification that a remediation action is required. In addition, Identity Auditor maintains centralized visibility and traceability of all violations, exceptions, and remediations.

Identity Services For Security Event Management

Another unique capability of Identity Auditor is that it provides closed loop integration with Security Event Management (SEM) applications, such as Symantec Security Management System, to provide an identity context for the enforcement of enterprise security policies. This integration helps customers to more easily tie security policy violations to specific identities and to be better equipped to mitigate risk in a timely manner. For example, if a company’s internal network is under attack, the SEM application can trigger Identity Auditor to take appropriate action, such as disabling accounts, terminating sessions and reporting on user activities.

“Symantec’s customers see the critical need to combine security incident management with identity events and compliance management,” says Rowan Trollope, Vice President of Security Management Products at Symantec. “We are excited to be working with Sun to integrate identity incidents directly into the Symantec Security Management System. Through this planned integration, together we will be able to deliver best-in-class enterprise security and identity event management to enterprise customers.”


Identity Auditor includes a number of packaged compliance reports to provide extensive identity information on users’ historical access activities and access privileges, as well as policy violations and resulting actions. Additionally, companies can use the Identity Auditor report wizard to build custom reports that meet their unique requirements. A compliance dashboard provides executives and security managers an overview of the state of compliance, and history and trends of audit policy violations to assess performance and risk status.


Sun is working with leading system integrators (SIs), and consulting and advisory firms that are supporting companies’ identity management initiatives and helping them address compliance and regulatory requirements. These firms are also working with their clients to help define their identity control requirements. Because Identity Auditor helps automate compliance activities, it can confirm a control is being met and facilitate the testing of those controls across the identity management infrastructure.

“Organizations have implemented a number of manual processes and controls to secure their applications and support regulatory compliance. There is a pressing need to automate these processes and controls and make them more efficient,” said John Clark, Principal, Deloitte & Touche LLP Security Services Group. “The challenges an enterprise faces in enforcing segregation of duties within and across applications is one such example. Automating those processes can improve compliance and audit performance and enable stronger security across the enterprise.”

About Sun Identity Management

Identity Auditor is the latest in Sun’s suite of integrated, best-of-breed products, which are designed to reduce the cost and complexity of a customer’s identity management infrastructure. Unified administration capabilities and reporting features work across the product suite to cost-effectively manage the critical aspects of identity as it affects core business operations, both internally and across corporate boundaries. In addition, Sun provides maximum compatibility with third-party products and platforms giving customers the ultimate degree of freedom in designing their identity infrastructure.