So now you have the access, but how do you review it? Recertifying access is a common pain point that many organizations face, no matter their size or industry. As a rule of thumb, access certification should be an ongoing process through which managers and designated approvers review who has access to what. However, setting up these processes and implementing them in practice can be challenging and strenuous.
Issues pertaining to access certification commonly stem from three causes: a lack of information, a lack of awareness, and a lack of a defined process. Managers and application owners who are tasked with recertifying end user entitlements often find that they have insufficient data on these end users, that the entitlements they are associated with are not descriptive, or that the process of attestation and recertification is loosely defined. For example, a manager is given a list of end users to attest to and while they can confirm if a user is still active in their department or has the same job title, they may have very little details about what access rights that user has been granted. This makes it difficult for the manager to attest to whether all the access an end user has accumulated is actually necessary for them to have.
As is the case in many organizations, entitlements, folders and groups, may not follow a standard naming convention. This results in titles that are non-descriptive and confusing to the end user. For instance, while a manager may be provided with the full entitlement data of end users they are to attest to, the fact that user “John Doe” has access to “Folder 123” provides them very little insight into what that folder grants them access to, and whether it is appropriate for them to have such access.
Furthermore, the process of attestation and recertification may be ill-defined or informal. Many organizations rely on provisioning to address the challenges of access certification, and don’t create a process for ongoing certification of access, thus allowing the over-accumulation of entitlements for end users. It is precisely this over-access of end users that poses a security risk to an organization, as a higher population of users have access to potentially sensitive data that they don’t want to get into the wrong hands.
Although it may seem daunting, mitigating the risk associated with over-access is essential to securing your organization and doing so can be accomplished with these three steps:
1. Identify: The first step towards building a robust access recertification process is to identify your end user population. Ensure that you have an up-to-date list of all the identities to be attested to in your organization and assign the appropriate personnel to review their entitlements, such as managers, application owners, or team leaders. It is imperative to utilize personnel who have the knowledge required to determine what access is required for certain job functions and understands what those access rights entail.
2. Define: The most crucial step for creating a proper access recertification process is to “translate” entitlements into plain and clear English. Doing so will avoid the confusion around entitlement codes, such as “Folder 123” mentioned in the example earlier. This eases the recertification process by making it easier to ascertain what an entitlement actually grants the user, so the approver is able to make an informed decision on whether certain entitlements are warranted. Once existing entitlements have been renamed in simpler terms, any entitlements that are added in the future should follow the same naming convention for consistency.
3. Determine: This final step is easier and approachable now that end users have been identified and entitlements have been defined. The certifier can make an educated determination on whether to attest to end user’s current access or request modifications to better suit the user’s current role. This way you can ensure your organization has instituted the “least privilege principle” – that end users have no more authorizations than necessary to perform their required job functions.
With this three-step process in place, your organization is set to run a successful and continuous cycle of access recertification. To elevate your attestation process, automated access certification tools are also available. These tools contain a central directory that is linked to your organization’s Identity Data Store and lists the identities in your organization, the entitlements being collected, and the relationship between these users and the entitlements. Additionally, these tools can automate the discovery of new roles, identify risks and anomalies, enforce centralized policies, and apply access entitlement review workflows, audit, tracking, and reporting.
Contact the experts at Identity And Access Solutions to see how your organization can elevate its attestation and recertification processes.