Why Certify Access
Why is regular access certification so important for organizations? At a fundamental level, identity governance and administration (IGA) is about ensuring that the right people have access to the right resources to do their jobs. However, as the workforce sprawls, access requirements can change on a dime. As businesses rush to enable employees, third-party contractors, auditors, and seasonal workers, they may unknowingly grant more access than the job requires, which can create serious security risk and/or lead to missed audits. It may be a product manager who moved into sales and still has access to Jira on top of newly gained, sweeping access across Salesforce, or the office administrator who relocated across the country to a different office yet still holds a key to the front door at HQ. In these cases, and plenty of others, maintaining a current roster of who has access to what, and having a plan to remove access rights or entitlements that are no longer needed, sits at the core of any successful IGA program.
In addition to the examples listed above, there are a huge number of variables that dictate what access and entitlements should be granted:
- Business resources. Different people require access to different types of applications, whether it’s infrastructure like Azure, AWS, or databases, communication applications like Teams or Slack, CRMs like Salesforce, or ITSM tools like ServiceNow. Some applications will be required only by certain groups of the workforce, while others are all-encompassing. The most straightforward example is that all members of an organization should likely have access to email.
- Working locations. Depending on where people work, they may require access to different things, including physical locations like offices, or be routed to log in using different VPN locations, geographic subsets of applications, or specific customer data in order to adhere to local data privacy laws like GDPR or CCPA.
- Job function or status. Job function is mostly tied to roles. For example, a person working on an assembly line is granted access to manufacturing systems, while a back-office worker has a completely different set of entitlements to corporate finance and accounting applications. Another variable is employment type: full-time employees should be granted different access rights than temporary workers, including access to things like workplace benefits. Roles and contexts are a critical component of managing and governing access on a continuous basis.
These context-driven variables are joined by a second axis: access can also be granted based on events, which may be regularly scheduled or arise at a moment’s notice. A couple of things that come to mind are:
- Audits. Come audit time, organizations need ways to prove that only certain people have access to certain systems. They also may need to assign additional people with access to databases and different applications to help gather data needed for a specific audit.
- Busy season. This typically revolves around the holidays, particularly for retail businesses, but different organizations have different ‘busy seasons’ that may coincide with hiring additional staff on a temporary basis, leading to a surge in temporary workers. It can also mean an all-hands-on-deck approach, where people are reassigned access to certain high-priority resources, and it is especially important to remove that access when the season passes.
Access Certification Campaigns
With all of these things to account for, organizations need ways to continually certify that access is accounted for, managed, and needed. Access certification campaigns are a way for organizations to audit entitlements and formally validate that identities’ access rights are appropriate. Conceptually, these campaigns aim to revoke access that is no longer needed, or to approve on a permanent basis access that was previously granted ad hoc. When constructing certification campaigns, organizations should strive to:
- Gather data of who is accessing what, when, why, how often, etc.
- Set up surveys that are quick to answer for business users and quick to set up for administrators
- Gather granular data so as to inform smarter business decisions
- Interpret the results in a way that is easily actionable by security and risk management teams, so that least privilege is maintained
- Prove compliance to auditors
- Automate processes that were previously manual
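To make the campaign goals above concrete, here is an added example of the kind of logic that turns an entitlement snapshot into a reviewer's work list. It is illustration only, not Omada's product or code; the role names, entitlement names, identities, and dates are constructed sample data, and the role baseline and location-bound entitlements are hypothetical. It covers the scenarios from the first section: a leftover grant from a previous role, a site-bound key held by someone who relocated, a seasonal worker whose contract ended, and an ad hoc audit grant that outlived the audit.

```python
"""Turn an entitlement snapshot into access-certification review items.

Added illustration, not Omada's code. Every role, entitlement, user and
date below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Hypothetical baseline: the entitlements each job role justifies on its own.
ROLE_BASELINE: Dict[str, set] = {
    "product_manager": {"email", "slack", "jira"},
    "sales": {"email", "slack", "salesforce"},
    "office_admin": {"email", "badge:hq-front-door"},
}

# Hypothetical site-bound entitlements: a physical key only makes sense for
# someone who still works at that site.
LOCATION_BOUND: Dict[str, str] = {"badge:hq-front-door": "hq"}


@dataclass
class Grant:
    entitlement: str
    granted_on: date
    basis: str  # "role" (came with the job) or "adhoc" (one-off request)


@dataclass
class Identity:
    user: str
    role: str
    location: str
    end_date: Optional[date] = None  # contract end for temporary workers
    grants: List[Grant] = field(default_factory=list)


def build_campaign(identities: List[Identity], as_of: date,
                   adhoc_max_days: int = 90) -> List[dict]:
    """Return one review item per grant that least privilege cannot justify.

    Grants explained by the current role, site and contract are left out, so
    reviewers only see the decisions that actually need a human.
    """
    items = []
    for ident in identities:
        justified = ROLE_BASELINE.get(ident.role, set())
        contract_over = ident.end_date is not None and ident.end_date < as_of
        for g in ident.grants:
            site = LOCATION_BOUND.get(g.entitlement)
            age = (as_of - g.granted_on).days
            if contract_over:
                finding, action = f"contract ended {ident.end_date}", "revoke"
            elif site is not None and site != ident.location:
                finding = f"bound to site {site}, user now at {ident.location}"
                action = "revoke"
            elif g.entitlement in justified:
                continue  # current role explains it
            elif g.basis == "adhoc":
                if age <= adhoc_max_days:
                    continue  # still inside the ad hoc grace period
                finding = f"ad hoc grant is {age} days old"
                action = "approve permanently or revoke"
            else:
                finding = f"role grant not justified by current role {ident.role}"
                action = "revoke"
            items.append({"user": ident.user, "entitlement": g.entitlement,
                          "finding": finding, "action": action})
    return items


def summarize(items: List[dict]) -> Dict[str, int]:
    """Count review items per requested action, for the campaign dashboard."""
    counts: Dict[str, int] = {}
    for it in items:
        counts[it["action"]] = counts.get(it["action"], 0) + 1
    return counts


AS_OF = date(2024, 6, 1)
SAMPLE_IDENTITIES = [  # constructed sample data
    Identity("alice", "sales", "hq", grants=[  # PM who moved to sales, kept Jira
        Grant("email", date(2021, 1, 4), "role"),
        Grant("jira", date(2021, 1, 4), "role"),
        Grant("salesforce", date(2024, 3, 1), "role")]),
    Identity("bob", "office_admin", "westcoast", grants=[  # relocated, kept HQ key
        Grant("email", date(2019, 5, 20), "role"),
        Grant("badge:hq-front-door", date(2019, 5, 20), "role")]),
    Identity("carol", "sales", "hq", end_date=date(2024, 1, 15), grants=[
        Grant("email", date(2023, 11, 1), "role"),  # seasonal worker, contract over
        Grant("salesforce", date(2023, 11, 1), "role")]),
    Identity("dave", "product_manager", "hq", grants=[  # audit access outlived audit
        Grant("email", date(2022, 2, 1), "role"),
        Grant("db:finance-readonly", date(2024, 1, 10), "adhoc"),
        Grant("aws:audit-readonly", date(2024, 5, 15), "adhoc")]),
]

if __name__ == "__main__":
    campaign = build_campaign(SAMPLE_IDENTITIES, AS_OF)
    for item in campaign:
        print(f"{item['user']:6} {item['entitlement']:22} {item['action']:30} {item['finding']}")
    print(summarize(campaign))
```

Running it yields five review items: Alice's Jira, Bob's HQ badge, both of Carol's grants, and Dave's finance database access; Dave's recent AWS audit grant stays inside the grace period and is not surfaced. The `adhoc_max_days` threshold is the campaign's policy knob for how long a one-off grant may live before someone must either make it permanent or take it away.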
Craig Ramsay and I discuss some of these points in finer detail in an on-demand webinar. We outline the challenges with certification campaigns, provide some helpful pointers on how to avoid common pitfalls of legacy approaches to certifying access, and do a live demonstration of how easy it is to set up tangible, targeted certification campaigns and surveys with Omada. Watch the webinar Certify Access with Regularity (and Confidence!).