Designing an Effective Access Certification Program

Understanding, validating, and documenting who has access to sensitive applications and data is a critical part of any effective enterprise security program. By regularly reviewing the appropriateness of user access privileges, organizations can address audit requirements such as Sarbanes-Oxley, HIPAA, and GDPR, while also improving their overall risk posture. If the access certification processes supporting this validation and documentation are not thoughtfully implemented, however, they can place a high burden on both business line managers and IT administrators. Inefficient access certification processes can lead managers to simply “rubber-stamp” in order to get back to their day jobs.

Fortunately, there are a number of steps organizations can take to eliminate this burden, remain compliant, and reduce risk:

  • Focus efforts where risk is greatest. It is both impractical and unnecessary to review access for every user across every application in the enterprise. The vast majority of risk can be tied to a subset of users, applications, and entitlements. By working with your audit and compliance team, you can define an access certification program which will eliminate the need to certify all access in the organization every time. The first step to focusing your efforts is to identify high risk areas users and systems. For users, privileged access or SOD violations can be good flags for what to include. For systems, identify where personally identifiable information (PII), PCI data, customer records, and accounts payable are stored. Next, ensure your identity management software provides the ability to dynamically calculate risk levels for users and applications based on your defined risk factors. Finally, use these calculated risk scores to automatically focus access certifications on high risk areas. Following these steps can significantly reduce the time required for access certifications and even enable organizations to implement more frequent certification campaigns for the highest risk systems and users while still saving time overall.
  • Design with business users in mind. While access certifications are a critical security and compliance function, they are not—and should not be—something that business line managers spend significant time thinking about. The certification experience needs to be easy to follow, with a clear workflow and risk alerts that highlight policy violations and changes from previous access reviews. Another aspect of making the process easy is providing business context and content tailored to each reviewer’s needs. For example, managers may need a detailed description of the access entitlements whereas an application or data owner may need to know in which department a user works.
  • Select the best person to certify access. Most organizations already recognize the importance of the manager ownership in ensuring effective access certification. But getting to a highly efficient process requires more. Reviewers need the ability to delegate partial certification tasks to other users. In addition, administrators should be able to monitor certification tasks and reassign certain tasks to other reviewers. Alternatively, the application or data owner may be in the best position to certify who should have access to specific IT assets. It’s important to design your access certification program around the certifiers who are in the best position to assess ongoing access to sensitive applications and data.
  • Ensure all applications and data are covered. In order for access certifications to be both efficient and effective, they must cover not only legacy, on-premises applications, but also cloud-based applications. Further, certification campaigns must include both structured application data and unstructured data contained on file shares, email servers, SharePoint, Box, and Google Drive. Ensuring your access certification software is able to handle all application and data types through a single process and view is paramount to keeping your organization’s crown jewels secure.
  • Develop and implement rigorous governance and policy enforcement. Understanding who should have access is a key step many organizations fail to address. This “upfront” work can avoid many access-related issues from being created in the first place. A best practice for defining proper use of access is leveraging a role-based access model. Roles provide an effective and easy way for business line managers to select only the access their employees need.

With a properly designed identity governance program, access certification processes can have a minimal impact on business users while continuing to address audit, compliance, and security objectives.