Political campaigning is a necessary component of any successful politician’s strategy for winning an election, passing legislation, or otherwise remaining productive in their seat. In rosy terms, candidates hit the campaign trail to meet voters, listen to their concerns, and adapt policies to meet the needs of their constituents. It is a way for them to get a feel for what is really happening in the lives of people in their communities, so that elected officials can create solutions based on real-time feedback.
We’ve all watched politicians campaign to spread the word about their platform to prove how they can support their community. Of course, there’s a lot less handshaking and tough debate questions in access certification campaigns, but how does this concept apply to identity governance?
In identity governance, security and IAM leaders run their own kind of campaign, the access certification campaign, to right-size access to the current needs of the workforce based on feedback from the people who know what each team actually needs.
But what is access certification? Simply put, an access certification campaign is a way for an organization to audit entitlements and formally validate that each identity’s access rights are appropriate: to keep access to something, a user must be explicitly approved and certified for it. Conceptually, a campaign does two things: it removes access that is no longer needed, and it turns access that was granted ad hoc into access that has been formally approved. That makes certification campaigns a practical way of enforcing least privilege. The data and findings that come out of the process are critical both for removing unneeded access (the security outcome) and for making sure access to required resources stays smooth and efficient (the productivity outcome). As is often the case, though, many factors determine how campaigns are run and how successful they ultimately are. Being organized and keeping surveys concise, which we covered in a prior post, is one of them; the following four access certification best practices are others:
1. Cadence. Deciding how frequently campaigns go out is critical, not only to protect against survey fatigue, but also for time management. Cadence should follow risk: there is more urgency in ensuring that privileged access rights are properly assigned, so a certification campaign for privileged identities and accounts would run more frequently than one that asks whether office workers still need access to certain printers (a common pattern is quarterly for privileged access and annually for low-risk entitlements). A risk-based cadence keeps reviewers on task and optimizes the time they spend, so that their entire job does not revolve around these campaigns.
2. Start and End. Once cadence is settled, define a clear start date and end date for each campaign. It is usually best to get answers as soon as possible so that work on removing or adding access can begin, but realistic timelines set expectations for recipients while maintaining a sense of urgency. Different types of campaigns need different lengths of time to certify, and data quality should always be the top priority for IAM leaders: a review that is rubber-stamped to hit a deadline is worse than one that takes a few more days.
3. Objectives. Defining what a successful campaign looks like prevents scope sprawl and positions the team for tangible success. Running a campaign to support GDPR compliance is one example: determining who has access to which personal data, or who should be allowed to use certain privileged accounts, are two campaigns scoped around a specific certification goal. Additionally, plan for the consequences of not completing the campaign, for example whether undecided items are revoked, escalated to a second reviewer, or left in place until the next run. Stating this up front creates urgency among recipients and also defines success for reviewers.
4. Data Gathering. A successful certification campaign also requires that the reviewers of the data are identified and clearly communicated. Does it make sense for a particular campaign to be owned and reviewed by the application owner? The IAM program manager? Someone from the Help Desk? Whoever it is should be someone who actually knows whether the access is still needed, and never the user certifying their own access. Additionally, to have any chance of running a successful campaign, access data needs to be refreshed from the applications or systems being evaluated before the campaign opens; otherwise stale data piles up, reviewers certify entitlements that no longer match what the system actually grants, and results become misleading, inconclusive, or both. The process of gathering data should be clearly documented, along with the desired outcomes.
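To make the four practices concrete, here is an added example of a minimal certification-campaign model in Python. It is not Omada code and does not describe how any product implements campaigns; the identities, applications, reviewer names, cadences and tolerances are all constructed for illustration. It enforces the practices as rules rather than guidance: a campaign only launches on entitlement data refreshed within a tolerance (data gathering), every item gets a named reviewer who is not the user themselves (data gathering), decisions are accepted only between the start and end dates (start and end), items with no decision at close receive the consequence agreed up front (objectives), and the next run is scheduled from the cadence (cadence).

```python
# Added example (not Omada code): a minimal model of an access certification run.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

Key = Tuple[str, str, str]  # (identity, application, entitlement)

@dataclass(frozen=True)
class Entitlement:
    identity: str
    application: str
    entitlement: str
    privileged: bool
    fetched_at: datetime  # when this row was last refreshed from the source system

@dataclass
class Campaign:
    name: str
    in_scope: Callable[[Entitlement], bool]  # objective: which access this campaign certifies
    cadence: timedelta         # how often a new run is launched
    duration: timedelta        # how long a run stays open (start date to end date)
    reviewers: Dict[str, str]  # application -> assigned reviewer, e.g. the application owner
    max_data_age: timedelta    # refuse to launch on entitlement data older than this
    on_undecided: str          # consequence for items with no decision at close: "revoke" or "escalate"

@dataclass
class CampaignRun:
    campaign: Campaign
    start: datetime
    end: datetime
    items: Dict[Key, str]                                    # item -> assigned reviewer
    decisions: Dict[Key, str] = field(default_factory=dict)  # item -> "approve" | "revoke"

class StaleDataError(Exception): ...  # data was not refreshed from the source system

def stale_rows(campaign: Campaign, entitlements: List[Entitlement], now: datetime) -> List[Entitlement]:
    """In-scope rows whose last refresh is older than the campaign tolerates."""
    return [e for e in entitlements
            if campaign.in_scope(e) and now - e.fetched_at > campaign.max_data_age]

def launch(campaign: Campaign, entitlements: List[Entitlement], now: datetime) -> CampaignRun:
    """Open a run: gate on fresh data, assign one reviewer per item, fix the start and end dates."""
    stale = stale_rows(campaign, entitlements, now)
    if stale:
        raise StaleDataError(f"{campaign.name}: {len(stale)} in-scope rows older than {campaign.max_data_age}")
    items: Dict[Key, str] = {}
    for e in filter(campaign.in_scope, entitlements):
        reviewer = campaign.reviewers.get(e.application)
        if reviewer is None:
            raise ValueError(f"{campaign.name}: no reviewer defined for {e.application}")
        if reviewer == e.identity:
            raise ValueError(f"{campaign.name}: {e.identity} cannot certify their own access")
        items[(e.identity, e.application, e.entitlement)] = reviewer
    return CampaignRun(campaign, now, now + campaign.duration, items)

def record_decision(run: CampaignRun, key: Key, reviewer: str, decision: str, now: datetime) -> None:
    """Accept a decision only from the assigned reviewer and only while the run is open."""
    if not run.start <= now < run.end:
        raise ValueError(f"{run.campaign.name}: run is not open at {now.isoformat()}")
    if decision not in ("approve", "revoke"):
        raise ValueError(f"unknown decision {decision!r}")
    if run.items.get(key) != reviewer:
        raise PermissionError(f"{reviewer} is not the assigned reviewer for {key}")
    run.decisions[key] = decision

def close(run: CampaignRun, now: datetime) -> Dict[str, List[Key]]:
    """At the end date, turn decisions into actions; unanswered items get the agreed consequence."""
    if now < run.end:
        raise ValueError(f"{run.campaign.name}: run is still open")
    actions: Dict[str, List[Key]] = {"keep": [], "revoke": [], "escalate": []}
    for key in run.items:
        outcome = {"approve": "keep", "revoke": "revoke"}.get(run.decisions.get(key), run.campaign.on_undecided)
        actions[outcome].append(key)
    return actions

def next_launch(campaign: Campaign, last_start: datetime) -> datetime:
    return last_start + campaign.cadence

# Constructed sample data: hypothetical identities, applications and reviewers.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)
SAMPLE = [
    Entitlement("alice", "payroll", "admin", True, NOW - 1 * DAY),
    Entitlement("bob", "payroll", "admin", True, NOW - 1 * DAY),
    Entitlement("carol", "printers", "print", False, NOW - 40 * DAY),  # never re-synced
]
PRIVILEGED = Campaign("privileged-quarterly", lambda e: e.privileged, 90 * DAY, 14 * DAY,
                      {"payroll": "hr-app-owner"}, 7 * DAY, on_undecided="revoke")
STANDARD = Campaign("standard-annual", lambda e: not e.privileged, 365 * DAY, 30 * DAY,
                    {"payroll": "hr-app-owner", "printers": "facilities"}, 7 * DAY, on_undecided="escalate")

def demo() -> Dict[str, List[Key]]:
    """Privileged run: alice's admin access is approved, bob's item is never answered."""
    run = launch(PRIVILEGED, SAMPLE, NOW)
    record_decision(run, ("alice", "payroll", "admin"), "hr-app-owner", "approve", NOW + 2 * DAY)
    return close(run, run.end)
```

Running `demo()` keeps alice's admin entitlement and puts bob's on the revoke list, because the privileged campaign was defined with "revoke" as the consequence of an unanswered item. Launching `STANDARD` against the same sample raises `StaleDataError`, since carol's printer entitlement was last refreshed 40 days ago; the campaign refuses to certify data it cannot trust rather than letting reviewers approve a row that may no longer reflect the system. The two design choices worth copying are that the consequence of non-completion is a property of the campaign, agreed before launch, and that the self-certification check lives in `launch`, so no configuration error can route an item back to its own user.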
Certification campaigns are a lot like political ones, in that they require care, diligent documentation, a tailor-made approach, and above all, the ability to listen and act accordingly. These four tips are a good start to defining success, but for more information on setting up the process of access certification campaigns, check out Omada IdentityPROCESS+.