Access certification is one of the most important types of reviews within organizations today. An access certification, also called an attestation, occurs when a manager reviews a user’s access and validates that the user still requires—or no longer requires—access to an application, system, or platform. If access is considered unnecessary, then it should be removed.
Manual certification processes can be extremely time- and labor-intensive for the management team, and can lead to what is commonly referred to as ‘certification fatigue,’ or even worse, rubber stamping. No one looks forward to these periodic processes. But to make access reviews easier to execute, improve accuracy, and avoid the use of web-based text lists or spreadsheets, a more intelligent, visual solution is required. This approach groups like-access privileges together in a visually clear format, which provides better context for the review. It also enables managers to see which users have access to specific systems, and which users are outliers when compared to their peers. This leads to greater access review accuracy across the organization because reviewers have a better understanding of what they are reviewing.
However, even if you do all the work necessary to schedule access reviews at some regular frequency, you still need to consider what happens to user permissions and access between scheduled review cycles. Because permissions change constantly and those changes are difficult to identify, it is necessary to have micro-certifications between review cycles. This blog will examine the role of micro-certifications and provide three reasons they are essential in Identity Governance and Administration (IGA). Let’s first start by defining the term and then examine when micro-certifications are best used within the business.
What Are Micro-Certifications in Identity Governance?
There are two types of micro-certifications. One type focuses on the entire access an individual possesses and is a proactive measure intended for reviewing access. The other type of micro-certification is focused more on a specific element of access or combination of access. For the purposes of this blog, we will spend more time highlighting this second type of micro-certification because it is the riskier of the two scenarios.
In this second type, micro-certifications are access reviews triggered in real time or very soon after the at-risk access is discovered. They happen when a specific change to a user’s access causes a policy violation. This means an individual has gone outside the normal IGA process, which is commonly referred to as ‘out-of-band’ access. Micro-certifications in this scenario alert application owners to the policy violation and enable them to immediately perform a limited access review focused only on the access that triggered the event. Since the time between new provisioning and an organization’s next audit or review process can be fairly lengthy, it is important to have a set of automated controls in place that can quickly identify anomalous access, especially when that access violates an important policy, such as segregation of duties or privileged access. Micro-certifications go hand-in-hand with access risk intelligence solutions that identify, prioritize, and manage risk in your organization.
Consider the following scenario: Imagine an accountant in your organization who needs to get an important financial report published on a short deadline. He might normally work with a senior accountant who has the elevated permissions needed within the financial reporting system, but she is unexpectedly out of the office. Rather than waiting for the senior accountant to return, since it would be past the deadline, the accountant reaches out to his colleague who administers the financial system and directly obtains access to the system. Because the process of requesting access and obtaining proper approvals through a centralized IGA solution was not followed, the change to the accountant’s access is detected and an automated micro-certification is triggered immediately, alerting the application owner. The application owner can instantly perform the review and examine this change in access, follow up with the accountant, and decide whether or not to revoke the access.
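The detection loop the post describes (reconcile what the target system actually holds against what the IGA solution approved, check the delta against policy, and route a focused review to the application owner) as an added Python example. This is illustration code written for this page, not the original post’s content and not any vendor’s product code. The users, entitlements, segregation-of-duties rule, owner address, and the simple colon-separated `app:role` naming are all constructed assumptions; a real deployment would read the approved state from the IGA system and the observed state from a connector or periodic export of the target application.

```python
"""Micro-certification trigger from entitlement reconciliation.

Added example for illustration; all data below is constructed.
"""
from dataclasses import dataclass

# Entitlements the IGA process granted through approved requests (constructed).
# jsmith is the accountant from the scenario: approved only to prepare reports.
IGA_APPROVED = {
    "jsmith": {"finrep:viewer", "finrep:preparer"},
    "akim":   {"finrep:viewer", "finrep:publisher"},   # senior accountant
}

# Entitlements observed in the financial reporting system itself (constructed).
# jsmith received finrep:publisher directly from an admin, bypassing IGA,
# and tmpadmin is an account IGA has never seen at all.
TARGET_SNAPSHOT = {
    "jsmith":   {"finrep:viewer", "finrep:preparer", "finrep:publisher"},
    "akim":     {"finrep:viewer", "finrep:publisher"},
    "tmpadmin": {"finrep:viewer"},
}

# Policy definitions (assumed for the example).
SOD_RULES = [frozenset({"finrep:preparer", "finrep:publisher"})]  # toxic pair
PRIVILEGED = {"finrep:publisher"}
APP_OWNER = {"finrep": "finrep-owner@example.test"}  # hypothetical reviewer


@dataclass
class MicroCertification:
    """One focused review item sent to an application owner."""
    user: str
    entitlement: str
    reasons: list
    reviewer: str


def reconcile(approved, observed):
    """Return {user: entitlements present in the target but never approved via IGA}.

    Accounts unknown to IGA come back with all of their entitlements, since
    none of them went through the approval process.
    """
    out_of_band = {}
    for user, ents in observed.items():
        extra = ents - approved.get(user, set())
        if extra:
            out_of_band[user] = extra
    return out_of_band


def policy_violations(user_ents, new_ent):
    """List the policies that the newly discovered entitlement violates."""
    reasons = []
    if new_ent in PRIVILEGED:
        reasons.append("privileged access")
    for rule in SOD_RULES:
        # A violation needs the new entitlement plus the rest of the toxic set.
        if new_ent in rule and rule <= user_ents:
            reasons.append("segregation of duties: " + " + ".join(sorted(rule)))
    return reasons


def build_micro_certifications(approved, observed):
    """Turn every out-of-band entitlement into a review item for its app owner."""
    certs = []
    for user, extras in reconcile(approved, observed).items():
        for ent in sorted(extras):
            reasons = ["out-of-band provisioning"] + policy_violations(observed[user], ent)
            app = ent.split(":", 1)[0]
            certs.append(MicroCertification(user, ent, reasons,
                                            APP_OWNER.get(app, "unassigned")))
    return certs


def decide(cert, retain):
    """Record the owner's decision; a revoke decision names the change to apply."""
    action = "retain" if retain else "revoke"
    return {"user": cert.user, "entitlement": cert.entitlement, "action": action}


if __name__ == "__main__":
    for cert in build_micro_certifications(IGA_APPROVED, TARGET_SNAPSHOT):
        print(f"{cert.reviewer}: review {cert.user} -> {cert.entitlement} "
              f"({'; '.join(cert.reasons)})")
        print("  decision:", decide(cert, retain=False))
```

Running the block produces two review items: the accountant’s out-of-band `finrep:publisher` grant is flagged for privileged access and for the preparer/publisher segregation-of-duties conflict, and the unknown `tmpadmin` account is flagged simply because nothing about it passed through IGA. Each item goes only to the owner of the affected application and covers only the entitlement that triggered it, which is what keeps the review small enough to act on immediately rather than waiting for the next full cycle.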
Why Are Micro-Certifications So Important?
Now that we’ve defined what micro-certifications are, let’s take a deeper dive into why they are so important for organizations today:
1) Micro-Certifications Empower Organizations to Govern Continuously and Effectively
Automated micro-certifications, within the context of leading-edge Identity Governance and Administration solutions, enable organizations to continuously monitor users’ access and make informed decisions immediately when a policy violation is detected. A recent report from security analyst EMA indicated that 76 percent of organizations reported a violation of access policies within the last year, meaning that users had obtained inappropriate access or had obtained access outside of the prescribed process. When users have unnecessary or excessive access privileges, or when these privileges were obtained out-of-band, the risk to an organization increases significantly. Ultimately, organizations that include automated micro-certifications as part of their access review process and overall IGA strategy recognize that continuous monitoring, and limiting access to only those individuals who need it, enables them to manage access risks more effectively.
2) Micro-Certifications Enable the Business to Maintain Ongoing Regulatory Compliance
Companies today not only have to manage customer, vendor, and board member demands, but also must make sure they are compliant with any number of governing bodies and regulations, from GDPR, HIPAA, and SOX to the Payment Card Industry Data Security Standard (PCI-DSS), and countless others. These increasing regulations require organizations to limit user access to only those individuals who need it in order to stay in compliance. Organizations can receive audit requests at any time, so staying current in the review process using automated micro-certifications is essential to meeting relevant government and industry regulations. When individual policy violations are triggered for immediate review, organizations can stay compliant in real time and address the complexity and dynamic nature of user access without engaging countless resources from the organization.
3) Micro-Certifications Allow Companies to Reduce the Risk of Insider Threats
Insider threats are increasing within organizations today. In fact, 62 percent of organizations have experienced at least one insider attack in the past 12 months, according to the 2019 Insider Threat Report from Cybersecurity Insiders. These types of incidents pose a significant threat to companies. But automated micro-certifications reduce insider threats by enabling organizations to continuously monitor and control changing access levels within the business. Any policy violation immediately triggers a notification to the application owner or manager, enabling them to take action and respond to the change in access level or entitlement.
Take Advantage of Automated Micro-Certifications
Access reviews and certifications should be more than just periodic events across your organization. They should occur continuously to ensure you are monitoring for policy violations in between audit cycles. Micro-certifications are essential to organizations that manage a complicated landscape of user rights, permissions, and accounts. And they enable companies to ensure that users have the right access—at all times. Make sure you know who has access to your organizational systems, data, and applications by using micro-certifications to better meet compliance mandates, deter insider threats, and more effectively manage access within your company continuously.
Using the Review Process for Other Business Requirements
It is worth noting that the review process can also be leveraged to provide compensating controls for other business requirements when comprehensive roles are not yet defined within the organization. For example, a micro-certification could occur when a user transfers from one job to another and a review is required for the access the employee has as a result of the new position. In this scenario, a micro-certification is a compensating control if the company does not have controls defined for both the old and new access or a way of enforcing policies around overlapping access. The process of conducting an access review can also be useful in examining the manager reporting structure in cases where the HR system data may not be accurate. The review of manager hierarchy, similar to the transfer review, is another example of how the review process can be used effectively for other requirements within the business.