Access Certification Reviews: There’s Got to be a Better Way

Nobody loves access certification reviews. But everybody’s too busy dealing with them to consider ways to make the process better. Here are some ideas that will appeal to line-of-business managers and security teams alike.

istock 625738384

What’s not to love about access certification reviews? Plenty. They take forever, take people away from their core responsibilities, and take a toll on everyone involved - from lines of business to the security team. Here’s a look at the issues these reviews create for different roles within an organization—and ideas for how to address them.

So Many Users and Entitlements, So Little Time

Every minute that a line-of-business manager spends sifting through data to see who has access to what, who has access they shouldn’t, and whether users have too many privileges is time that business user isn’t spending on core responsibilities and duties to the business. And, let’s face it, when we say minutes, we mean hours and hours, because that’s how long it can take. What reviewers need is data that’s been prioritized to see where there are issues that require close attention, so they can use their time more efficiently.

Nobody enjoys asking line-of-business managers to put everything on hold for access reviews, but in lieu of a better, faster way to get the work done, what other choice is there? After all, security managers need to be confident they know has access to what, including whether access is appropriate and in compliance with corporate and regulatory policies. Access certification reviews are critical for that knowledge. But that doesn’t mean reviews have to be arduous.

Technology for Faster, Easier Reviews

What organizations need is identity governance technology that applies analytics and automation to simplify the access certification review process. For example, what if critical and high-risk issues—such as a user having access to a highly-critical application, or a clear compliance violation—could be automatically flagged, signaling where to direct closer attention? Or what if areas that don’t really need special attention could be similarly indicated? Reviewers also need business context to make it clear what they’re reviewing. Information for access reviews has historically been presented in massive, hard-to-manage spreadsheets, or using IT terminology that’s not generally accessible to business users. Changing that would go a long way toward making reviews easier and more effective, and reducing the risk of rubber-stamping approvals. 

An overly complex process for reviewing access certifications can lead to rubber-stamping. While most of those who do access certification reviews find ways to give the process the care and time it deserves, there will always be times when the demands are overwhelming—when, for example, reviewers are required to laboriously certify every single user’s access, even for an application that they already know everyone in their unit needs. If reviewers had tools that enabled them to fulfill their duties quickly and accurately, that wouldn’t be an issue.

Coming up with ways to make access certification reviews less problematic is a key priority for RSA.  Download this e-book to learn about four key strategies to help you overcome access management challenges, mitigate identity risk and improve your overall approach to identity governance.


Copyright © 2018 IDG Communications, Inc.