January 30, 2019 By Domenico Raguseo 3 min read

Co-authored by Fabrizio Petriconi.

In the ever-expanding digital ecosystem, having secure and efficient access to resources is critical to both using and delivering services. But if you’re a gatekeeper managing a large number of identities and resources, your primary concern is who has access and how that access is being used.

Identity governance is the intelligent management of user identities to support enterprise IT and regulatory compliance. By collecting and analyzing identity data, you can improve visibility into access, prioritize compliance actions with insights based on risks and make better decisions with clear, actionable intelligence.

Certify Access to Reduce Risk

If you use a business-activity-based approach to risk modeling, you’ll make life a bit easier for your auditors, risk compliance managers and, ultimately, yourself. The core aspects of identity management include automatic and manual provisioning, tracking user roles and life cycles, and understanding business workflow.

Most importantly, establishing accurate access certification at the start — and then continuously reviewing it — can help with your risk modeling efforts. You’ll want to prevent users from accumulating unnecessary privileges, so even if you have had an identity management solution in place for years, it’s a good idea to use certification campaigns as a cleaning tool to ensure everyone is only accessing what they need to do their jobs.

How to Avoid Common Access Certification Issues

It takes a certain amount of diligence for access certification to be useful. Approvers are often overwhelmed by too many certification requests, or those certifications are complex and difficult to parse out. It’s easy to see why an approver might simply “select all,” click “approve,” and conclude his or her activity.

Obviously, this approach should be avoided, and in some countries, it is not compliant with regulations. Let’s look at some recommendations for both static, or predefined, cadences and dynamic events, which occur in response to specific activities such as hiring, job shifts and similar user changes.

Recommendations for Static Events

  • Once a year, conduct a complete certification in which each manager certifies all the rights of the members of their team.
  • Group or divide access for certain applications or business areas to simplify and focus the reviewer’s attention.
  • Do not validate access assigned by automatic and/or default policies.
  • Delegate campaigns with a very technical and complicated access to skilled reviewers with subject-matter expertise.
  • Activate specific campaigns that include only different and nonhomogeneous users (for example, based on the same duties or departmental membership).

Recommendations for Dynamic Events

  • On a quarterly basis, delta certifications are available where managers only certify changes in authorizations from the last quarter.
  • Activate continuous campaigns to control access to specific events, such as moving a user from one department to another or changing business functions.

Improve the Content of Your Access Certification Campaigns

As noted, when a certification tool does not offer simple language descriptions that clearly explain the business relevance of roles, users, access permissions and resources involved in the process, approvers may not know what they are certifying.

To create quality descriptions, you should:

  • Rely on system owners, since they are the ones who have a thorough understanding of their resources.
  • Use definitions of rules with an explicit name. For example, if a role is assigned to a manager of engineering, use the definition “manager_of_engineering” and not simply “mgr” or “L3mgr.” This can be done manually or using role-mining techniques — that is, the tool itself proposes a name based on the attributes of the identity, department location or similar information.
  • Highlight the business activities to which users are contributing.

Get It Right

In any case, even after taking all the necessary precautions, access certification can be complex and time-consuming. It’s probably clear by now that to be effective in activating certification campaigns, you need to not only activate the technical solution, but also establish a compliance-oriented culture. Educating approvers on the importance of access certification is also critical to maintain regulatory compliance.

When you consider the commitment of stakeholders and adopt and enforce industry best practices, intelligent identity governance enables you to streamline full provisioning and self-service requests, eliminate manual audits, quickly identify compliance violations and risky behavior, and automate the myriad labor-intensive processes associated with managing user identities. With the digital ecosystem expanding every day, business and security leaders need this level of visibility and control to make better decisions about who can access what data and systems on enterprise networks.

Download the 2018 Gartner Magic Quadrant for Identity Governance and Administration


More from Identity & Access

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today