Attestation and Recertification: Identify, Define, and Determine
- August 28, 2023
- Posted by: admin
- Category: Blog
So now you have the access, but how do you review it? Recertifying access is a common pain point that many organizations face, no matter their size or industry. As a rule of thumb, access certification should be an ongoing process through which managers and designated approvers review who has access to what. However, setting up these processes and implementing them in practice can be challenging and strenuous.
Issues pertaining to access certification commonly stem from three causes: a lack of information, a lack of awareness, and a lack of a defined process. Managers and application owners who are tasked with recertifying end user entitlements often find that they have insufficient data on these end users, that the entitlements they are associated with are not descriptive, or that the process of attestation and recertification is loosely defined. For example, a manager is given a list of end users to attest to and while they can confirm if a user is still active in their department or has the same job title, they may have very little details about what access rights that user has been granted. This makes it difficult for the manager to attest to whether all the access an end user has accumulated is actually necessary for them to have.
As is the case in many organizations, entitlements, folders and groups, may not follow a standard naming convention. This results in titles that are non-descriptive and confusing to the end user. For instance, while a manager may be provided with the full entitlement data of end users they are to attest to, the fact that user “John Doe” has access to “Folder 123” provides them very little insight into what that folder grants them access to, and whether it is appropriate for them to have such access.
Furthermore, the process of attestation and recertification may be ill-defined or informal. Many organizations rely on provisioning to address the challenges of access certification, and don’t create a process for ongoing certification of access, thus allowing the over-accumulation of entitlements for end users. It is precisely this over-access of end users that poses a security risk to an organization, as a higher population of users have access to potentially sensitive data that they don’t want to get into the wrong hands.
Although it may seem daunting, mitigating the risk associated with over-access is essential to securing your organization and doing so can be accomplished with these three steps:
1. Identify: The first step towards building a robust access recertification process is to identify your end user population. Ensure that you have an up-to-date list of all the identities to be attested to in your organization and assign the appropriate personnel to review their entitlements, such as managers, application owners, or team leaders. It is imperative to utilize personnel who have the knowledge required to determine what access is required for certain job functions and understands what those access rights entail.
2. Define: The most crucial step for creating a proper access recertification process is to “translate” entitlements into plain and clear English. Doing so will avoid the confusion around entitlement codes, such as “Folder 123” mentioned in the example earlier. This eases the recertification process by making it easier to ascertain what an entitlement actually grants the user, so the approver is able to make an informed decision on whether certain entitlements are warranted. Once existing entitlements have been renamed in simpler terms, any entitlements that are added in the future should follow the same naming convention for consistency.
3. Determine: This final step is easier and approachable now that end users have been identified and entitlements have been defined. The certifier can make an educated determination on whether to attest to end user’s current access or request modifications to better suit the user’s current role. This way you can ensure your organization has instituted the “least privilege principle” – that end users have no more authorizations than necessary to perform their required job functions.
With this three-step process in place, your organization is set to run a successful and continuous cycle of access recertification. To elevate your attestation process, automated access certification tools are also available. These tools contain a central directory that is linked to your organization’s Identity Data Store and lists the identities in your organization, the entitlements being collected, and the relationship between these users and the entitlements. Additionally, these tools can automate the discovery of new roles, identify risks and anomalies, enforce centralized policies, and apply access entitlement review workflows, audit, tracking, and reporting.
Contact the experts at Identity And Access Solutions to see how your organization can elevate its attestation and recertification processes.
Leave a Reply
Contact us at the Consulting WP office nearest to you or submit a business inquiry online.
Todd is a recognized IAM and Cloud industry expert who brings over 20 years of experience in managing, advising, architecting, and deploying IGA, Authentication and Authorization, and Cloud solutions and services across IDaaS, SaaS, IaaS, and PaaS. Todd is a frequent speaker on effective risk and security practices at leading industry events. He is responsible for the oversight of CyberSolve’s business segments and for the development of strategic plans to sustain the company’s rapid growth while providing trusted advice to clients across the security and risk spectrum.
Atul has over 20 years of experience in managing, designing and implementing Customer Relationship Management (CRM) and Salesforce integrations. He has acted as a cloud-focused solutions expert in both domestic and international markets. Prior to founding CyberSolve, Atul was a Technical Consulting Director at Salesforce where he demonstrated his strong experience architecting financial services industry solutions. Atul holds a Bachelor of Engineering from Madan Mohan Malaviya University of Technology.
Shub possesses over 15 years of experience in the Identity and Access Management (IAM) industry in pre-Sales and technology architecture roles. Shubham has held various positions with SailPoint, RSA, Saviynt, and Okta. He has extensive Identity and Access Management industry technology and sales experience in both domestic and international markets as well strong knowledge of how Identity and Access Management satisfies Audit and IT compliance issues. Shub holds a 
Rajesh has served Multi-National Corporations and large organizations as a full time Vice President of Finance, Chief Financial Officer and in equivalent roles. In order to fulfill his duties as a CFO he is a Chartered Accountant, holds a Diploma in Information System Audit (DISA certified by the Institute of Chartered Accountants of India), is a Certified SAP Consultant, Certified QuickBooks Professional Advisor, and Zoho Partner with 30+ years of experience in managing Finance, Accounting and ERP Systems for Medium to Large organizations in diverse sectors.
John is an experienced IT executive with extensive business leadership, operations management, project management, technology delivery and consulting skills who spent over two decades with General Electric where he was responsible for all aspects of their Global PIM program, he was also a key member of the security assurance team for the organizations Capital business. John leads the delivery of client services across the business landscape, to include Privileged Access Management, Managed Services, Identity Governance & Administration, Cybersecurity and Cloud Services.
Luis has been facilitating IAM programs for 20+ years. He was the CRO at Clear Skye, which builds identity governance capabilities on the ServiceNow Platform. His prior experience with services companies that deliver real world identity solutions has made him a trusted resource for information security executives that he has the privilege of advising. Luis assists in the management of our global sales organization, driving revenue growth via direct sales, ensuring our customers have the best plan and solution to ensure their IAM investment achieves the lowest TCO while providing the highest ROI.
Amit brings over 15 years of Identity and Access Management (IAM) experience to the organization. He has a proven track record in providing customers with the best of breed Identity and Access Management solutions. He ensures success within all engagements by staying integrated with the customer throughout the engagement whether it is a program, project or managed services and support. Amit acts as a customer champion at all times to ensure the right solution and resources are in place to achieve the right requirements.
James leads the delivery of client services across the Identity, Access, and Authorization landscape. He has delivered projects across a wide range of products including Okta, Ping, ForgeRock, Oracle, Microsoft, Citrix, Imprivata, Radiant Logic, Axiomatics and many others. With the advent of modern cloud services, James has served as the internal cloud architect and administrator for almost 10 years and uses that experience to help users make the best use of it.
As a veteran of the Identity Governance and Administration (IGA) landscape, Tony’s career has spanned from being a hands-on Architect\Engineer on numerous industry-leading IGA solutions to building and managing industry-leading Professional Services delivery teams. Tony brings that vast knowledge to CyberSolve and the teams under his management. In recent years Tony has been instrumental in the migration away from the legacy on-prem Identity Governance & Administration solutions to modern cost-effective cloud products.
Clark is a Channels, Sales and Marketing executive with 40+ years of experience as a direct seller, Executive and Founder. His experience includes services, software and hardware sales to Commercial, Federal, and State/Local/Education entities across US Domestic and International markets. Within the IAM spectrum, Clark spent over 5 years as SailPoint’s Channel Manager, Federal & Healthcare markets. He has developed and managed Partner relationships and strategies globally, and is known for significantly growing the revenue of his partners by building trusted, profitable relationships and business strategies.