Access certification is the process of validating access rights within systems. This process is mandatory for compliance and security risk management; however, it can be a very daunting process for some organizations with dispersed systems, workforce, and partners. With access certification, organizations and regulations aim to formally validate users within systems and ensure their access rights are appropriate.
Organizations face many multi-faceted challenges when it comes to identity and access management. For some, access to enterprise resources must be managed for many global internal and external parties. For others, the overarching challenge is compliance with an ever-growing number of regulations around data integrity and privacy, user identification, and transaction tracking. And for many, knowing who has access to which resources can be draining, time consuming, expensive, and difficult yet critical and mandatory.
As businesses must be able to respond quickly to business opportunities and threats, they must have an Identity and Access Management (IAM) infrastructure and automated processes in place – as much as possible – to ensure that system access is appropriate at all times while incurring the lowest cost possible. Automated access provisioning and offboarding may reduce the number of violations found during the access recertification process and a certification tool can ensure adequate documentation of access review evidence for audit purposes exists. Automation can make the IAM process efficient and effective which will allow the workforce to focus on the growth of the business without wasting time, resources, and budgets unnecessarily.
This article will examine the access certification overview and benefits as well as requirements and criteria for an IAM tool selection as follows:
- Describe the access management requirements and drivers
- Explain how access certification meets the requirements
- Discuss the key criteria for an access certification solution
Requirements and Drivers
In the regulatory landscape, one of the most pressing concerns is the integrity and privacy of data. From Sarbanes-Oxley, with its emphasis on the integrity of financial information, to the Health Insurance Portability and Accountability Act (HIPAA) and other related laws, regulations require companies to focus on access. These requirements have led to increased scrutiny of assigned access to enterprise systems, applications, and data. Therefore, it is vital for companies to know and prove who has access to what resources and whether that access is appropriate.
The need to closely govern access to systems and resources extends beyond regulatory compliance to protecting enterprise assets. The threats posed by inappropriate insider access are many which include system downtime, invalid data, unauthorized transactions, fraud, and data disclosure. Also, dormant and orphan accounts – specially privileged accounts – can facilitate system intrusions to bring systems down, steal data, and request ransom.
Organizations must take the necessary steps to protect themselves from the above-mentioned threats and an important step toward this effort is eliminating opportunities for inappropriate access to systems by rogue insiders and hackers.
Security is critical to reduce business liability and losses, but it must be balanced to help the business achieve its goals. While system access must be locked down to mitigate security risks by keeping inappropriate parties out of systems, it is as important to allow legitimate users access resources to meet business objectives. Adequate identity and access management processes can help achieve the security goals in the most efficient and effective manner.
The access certification process “cleanses” the consolidated data by its very nature, leaving an excellent foundation on which to build. To meet their access management goals, companies deploy access certification practices to:
- Understand who has access to what systems, applications, and data;
- Identify dormant or inactive as well as orphan accounts;
- Validate that the assigned access is correct and appropriate;
- Remove all inappropriate access;
- Seek formal validation of the final access list (certification); and
- Document review evidence for audit and compliance purposes.
Access Certification Frequency
As mentioned, access certification is critical to maintaining security, particularly in guarding against access violations that could lead to security breaches. Regularly scheduled access reviews ensure that users are assigned the minimum access necessary to do their jobs. The frequency of access certification will depend largely on the organization and frequency of its events triggered by new hires, transfers, promotions, or terminations. A periodic access recertification based on the organizational needs will ensure that internal employees do not aggregate access as they move throughout the organization and that both internal and external users do not retain access when their relationships with the organization end.
Technology Automation and Selection
An effective technology solution can automate the access certification process by consolidating and correlating entitlement data from target systems. Such a system will speed and increase the accuracy of access review and validation. An effective solution will also empower resource owners to revoke or adjust any inappropriate access and enforce policies in areas such as separation of duties and least privilege. Finally, the tool can also help document the audit trail to provide evidence that assigned access has been reviewed and, where necessary, corrected, and, provide management reports.
Deployment of an access certification tool can help achieve the following benefits through automation:
- Reduce the amount of time and budget devoted to access certification;
- Centralize data repository by integrating target and source systems with the IAM tool;
- Eliminate human error;
- Replace spreadsheets with web based interface to approve or reject access and log actions;
- Reduce the security and compliance risk associated with unauthorized access;
- Ensure compliance with SoD policy by automating its enforcement across the enterprise;
- Lessen the risk of being cited for noncompliance by accelerating the time required to certify access and remediate violations; and
- Document the certification effort and quickly share the evidence with auditors.
Identity and access management is the cornerstone of an organization’s ability to manage business risk. An access certification technology lays the foundation for related initiatives to consolidate and correlate identity and access data that can be used in access provisioning and role management.
An effective access certification solution should automate the entire certification process, from building a warehouse of entitlements, to scheduling and monitoring certifications, to providing ongoing tracking and reporting. The solution should have the functionality to:
- Collect and centralize identity data from multiple enterprise resources;
- Correlate entitlement data from multiple sources to a single identity;
- Generate the list of users and reviewers for certification;
- Schedule certifications and monitor to ensure that reviews are completed on schedule;
- Automate detection of existing and potential policy violations in critical areas such as Segregation of Duties (SoD) and unauthorized aggregation of privileges;
- Track revocations of or modifications to access and ensure that the appropriate changes are made;
- Report on certification status, policy violations, and other access-related information while reducing the need to manually gather this type of data for compliance and audit purposes; and
- Alert access administrators to existing or potential access policy violations and remediation.
The access certification solution should work seamlessly with system and data owners, and, it should not require substantial customization or programmatic development to work with external resources.
An access certification solution must have the ability to integrate with a company’s provisioning and role management processes to allow for a complete life-cycle management of security policy violations and access revocations that are associated with those violations. This integration will ensure:
- Efficient removal of inappropriate access;
- Capturing the appropriate audit information;
- Increased compliance effectiveness by ensuring that business roles are consistently being defined based on correctly assigned access; and
- Ability to assign, attest, and audit access using roles.
The right access certification solution should come from a vendor with a deep understanding of the interrelationships between core identity challenges, processes, and solutions. The vendor should:
- Provide expertise in compliance management that encompasses expertise in inextricably related areas such as provisioning, role management, and directory services;
- Demonstrate an understanding of, and the ability to effectively respond to challenges in areas such as cloud and secure web access management;
- Have the experience, expertise, and services to serve as a strong architecture and design resource that can guide your efforts to build an effective identity infrastructure.
Access certification is an extremely critical process for organizations that are concerned with accountability, IAM risk management and regulatory compliance. Automating the certification process increases access validation accuracy and effectiveness while it formalizes the process for audit purposes. Access certification provides the organization with a clear understanding of their users’ identities and their access rights to critical business information and services and establishes compliance controls for ensuring that access is correct at the certification time. The IAM certification process enables organizations to answer key questions such as:
- Who has access to what?
- When was access granted?
- Who approved those access privileges?
- Is access still valid and in line with policy?
With an automated solution, compliance requirements can be met with minimum cost to the organization. Additionally, ROI can be extended across the enterprise by utilizing the information gathered in the IAM recertification exercise to refine the identity and access management program.
Key Access Certification Steps
- Define the certification procedures for data gathering, distribution, review, and error correction;
- Determine the certification frequency (should not be less than once per year);
- Consider the sources of information to be gathered for certification purposes;
- Assign a certification project manager;
- Identify certification managers who will review the entitlements;
- Have each manager review and certify all the entitlements for their team members;
- Assign task deadlines to accomplish the certification goals and reduce risks by eliminating unauthorized access;
- Develop metrics to track the certification effort, improve the process, and demonstrate reduced access risk;
- Consider a delta certification on a more frequent basis than the main certification effort where managers only certify the changes in entitlements for their team in that period;
- Perform an event-based certification where all the entitlements for that employee get examined to eliminate segregation of duties issues which can arise from an employee transfer;
- Perform regular certification education and training for all parties involved; and
- Consider an automation tool.