Co-authored by Fabrizio Petriconi.
In the ever-expanding digital ecosystem, having secure and efficient access to resources is critical to both using and delivering services. But if you’re a gatekeeper managing a large number of identities and resources, your primary concern is who has access and how that access is being used.
Identity governance is the intelligent management of user identities to support enterprise IT and regulatory compliance. By collecting and analyzing identity data, you can improve visibility into access, prioritize compliance actions with insights based on risks and make better decisions with clear, actionable intelligence.
Certify Access to Reduce Risk
If you use a business-activity-based approach to risk modeling, you’ll make life a bit easier for your auditors, risk compliance managers and, ultimately, yourself. The core aspects of identity management include automatic and manual provisioning, tracking user roles and life cycles, and understanding business workflow.
Most importantly, establishing accurate access certification at the start — and then continuously reviewing it — can help with your risk modeling efforts. You’ll want to prevent users from accumulating unnecessary privileges, so even if you have had an identity management solution in place for years, it’s a good idea to use certification campaigns as a cleaning tool to ensure everyone is only accessing what they need to do their jobs.
How to Avoid Common Access Certification Issues
It takes a certain amount of diligence for access certification to be useful. Approvers are often overwhelmed by too many certification requests, or the certifications themselves are complex and difficult to parse. It’s easy to see why an approver might simply “select all,” click “approve” and consider the task done.
Obviously, this approach should be avoided, and in some countries, it is not compliant with regulations. Let’s look at some recommendations for both static, or predefined, cadences and dynamic events, which occur in response to specific activities such as hiring, job shifts and similar user changes.
Recommendations for Static Events
- Once a year, conduct a complete certification in which each manager certifies all the rights of the members of their team.
- Group or divide access for certain applications or business areas to simplify and focus the reviewer’s attention.
- Do not validate access assigned by automatic and/or default policies.
- Delegate campaigns that cover highly technical or complicated access to skilled reviewers with subject-matter expertise.
- Activate specific campaigns that include only different and nonhomogeneous users (for example, based on the same duties or departmental membership).
Recommendations for Dynamic Events
- On a quarterly basis, run delta certifications in which managers certify only the changes in authorizations since the last quarter.
- Activate continuous campaigns that trigger a review on specific events, such as moving a user from one department to another or changing business functions.
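As an added illustration (not code from the article or from any identity governance product), the following Python script implements the two dynamic campaigns just described, a quarterly delta certification and an event-triggered review, and also applies the static-event rule of keeping policy-assigned access out of manual review. The users, managers, resources, role names and the `source` label are all constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One entitlement held by a user (constructed model, not a product schema).
    `source` is 'request' for individually requested access and 'policy' for
    access assigned by an automatic/default policy."""
    user: str
    resource: str
    role: str
    source: str


# Constructed HR attributes at the end of last quarter and today.
HR_PREVIOUS = {
    "alice": {"manager": "dana", "department": "engineering"},
    "bob":   {"manager": "dana", "department": "engineering"},
    "carol": {"manager": "eve",  "department": "finance"},
}
HR_CURRENT = {
    "alice": {"manager": "dana", "department": "engineering"},
    "bob":   {"manager": "eve",  "department": "finance"},      # moved to finance
    "carol": {"manager": "eve",  "department": "finance"},
    "frank": {"manager": "dana", "department": "engineering"},  # new hire
}

# Constructed entitlement snapshots for the same two points in time.
GRANTS_PREVIOUS = {
    Grant("alice", "git",    "manager_of_engineering", "request"),
    Grant("alice", "wiki",   "editor",                 "request"),
    Grant("alice", "mail",   "mailbox_user",           "policy"),
    Grant("bob",   "git",    "engineer",               "request"),
    Grant("bob",   "mail",   "mailbox_user",           "policy"),
    Grant("carol", "ledger", "accountant",             "request"),
}
GRANTS_CURRENT = {
    Grant("alice", "git",    "manager_of_engineering", "request"),
    Grant("alice", "ci",     "build_admin",            "request"),  # added this quarter
    Grant("alice", "mail",   "mailbox_user",           "policy"),
    Grant("bob",   "git",    "engineer",               "request"),  # kept after the move
    Grant("bob",   "ledger", "accountant",             "request"),  # added this quarter
    Grant("bob",   "mail",   "mailbox_user",           "policy"),
    Grant("carol", "ledger", "accountant",             "request"),
    Grant("carol", "vpn",    "remote_user",            "policy"),   # policy-assigned: not reviewed
    Grant("frank", "git",    "engineer",               "request"),  # added (new hire)
}


def _key(g):
    return (g.user, g.resource, g.role)


def reviewable(grants):
    """Static-event rule: access assigned by automatic/default policies is
    not put in front of a human approver."""
    return {g for g in grants if g.source != "policy"}


def delta_certification(previous, current, hr):
    """Quarterly delta campaign: each manager certifies only the entitlements
    their current team members gained since the previous snapshot.
    Returns (items_by_manager, removed); removed grants need no approval and
    are returned only so the campaign report can list them."""
    added = reviewable(current) - reviewable(previous)
    removed = reviewable(previous) - reviewable(current)
    items = defaultdict(list)
    for g in sorted(added, key=_key):
        items[hr[g.user]["manager"]].append(g)
    return dict(items), sorted(removed, key=_key)


def event_triggered_reviews(hr_previous, hr_current, current):
    """Continuous campaign: a hire, a department move or a manager change opens
    a review of everything the user still holds, assigned to the new manager."""
    reviews = {}
    held = reviewable(current)
    for user, now in hr_current.items():
        before = hr_previous.get(user)
        if before is None:
            reason = "new hire"
        elif before["department"] != now["department"]:
            reason = f"department {before['department']} -> {now['department']}"
        elif before["manager"] != now["manager"]:
            reason = f"manager {before['manager']} -> {now['manager']}"
        else:
            continue  # no triggering event for this user
        reviews[user] = {
            "approver": now["manager"],
            "reason": reason,
            "grants": sorted((g for g in held if g.user == user), key=_key),
        }
    return reviews


if __name__ == "__main__":
    by_manager, removed = delta_certification(GRANTS_PREVIOUS, GRANTS_CURRENT, HR_CURRENT)
    for manager, grants in by_manager.items():
        print(f"delta items for {manager}:")
        for g in grants:
            print(f"  certify {g.user} -> {g.role} on {g.resource}")
    print("removed since last quarter:", [(g.user, g.resource) for g in removed])
    for user, review in event_triggered_reviews(HR_PREVIOUS, HR_CURRENT, GRANTS_CURRENT).items():
        print(f"event review for {user} ({review['reason']}), approver {review['approver']}:")
        for g in review["grants"]:
            print(f"  certify {g.role} on {g.resource}")
```

Two design points carry over to a real campaign: the delta is computed on the reviewable set, so a policy-assigned grant that appears or disappears never generates a certification item, and event reviews are routed to the user's current manager rather than the one who originally approved the access, which is the person who can actually judge whether the retained entitlements still fit the new job.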
Improve the Content of Your Access Certification Campaigns
As noted, when a certification tool does not offer simple language descriptions that clearly explain the business relevance of roles, users, access permissions and resources involved in the process, approvers may not know what they are certifying.
To create quality descriptions, you should:
- Rely on system owners, since they are the ones who have a thorough understanding of their resources.
- Define roles with explicit names. For example, if a role is assigned to a manager of engineering, name it “manager_of_engineering” and not simply “mgr” or “L3mgr.” This can be done manually or using role-mining techniques, in which the tool itself proposes a name based on the attributes of the identity, department location or similar information.
- Highlight the business activities to which users are contributing.
Get It Right
In any case, even after taking all the necessary precautions, access certification can be complex and time-consuming. It’s probably clear by now that for certification campaigns to be effective, you need not only to deploy the technical solution but also to establish a compliance-oriented culture. Educating approvers on the importance of access certification is also critical to maintaining regulatory compliance.
When you consider the commitment of stakeholders and adopt and enforce industry best practices, intelligent identity governance enables you to streamline full provisioning and self-service requests, eliminate manual audits, quickly identify compliance violations and risky behavior, and automate the myriad labor-intensive processes associated with managing user identities. With the digital ecosystem expanding every day, business and security leaders need this level of visibility and control to make better decisions about who can access what data and systems on enterprise networks.