Access certification reviews may only be an occasional event, but for business owners who find themselves sifting through mountains of data to figure out which users have access to what, who has access they shouldn’t, and whether privileged users have too many privileges, that’s more than often enough. “If I wanted to do this, I would have become an auditor,” they’re thinking, as the tough, time-consuming task forces them to leave critical core responsibilities behind until it’s done.
If you’re lucky, you’re working with business owners who may not like access reviews, but understand their importance—and are willing to work diligently to confirm that the users they manage have access to all the resources they should and none of the ones they shouldn’t. But because it’s such an inherently burdensome chore, there’s always the risk that some will find it difficult to devote the scrupulous attention that’s needed to get it done right. Even if they’re not intentionally cutting corners, they could easily overlook a detail or two that might ultimately create problems ranging from serious data breaches to fines for noncompliance.
The good news is there are ways to make reviews easier—but historically, few identity governance systems have offered the relevant capabilities. So what are the specific problems, and how could they be solved? Let’s look at two of the overall challenges with access reviews and how to address them.
Challenge: Where to start? Access review data typically hits the business owner’s desktop without any context as to where there may be high-risk activity. So there’s no option but to painstakingly comb through every item to identify where there might be issues.
Solution: Provide priorities. Business owners will benefit from an access certification review process that automatically flags critical and high-risk issues in the data they receive—issues such as, for example, a user having access that was previously revoked, a user having access to a highly critical application, or compliance violations.
Challenge: Rubber-stamping. Having to certify every instance of access to an application that’s common to all the users can seem like a needless waste of time. So can having to recertify access that the business owner just approved only days or weeks ago. This can lead to the risk of rubber-stamping certifications.
Solution: Simplify review. Simplifying review of common and recent access approvals will enable business owners to fulfill their certification duties quickly and accurately, without the frustration of seemingly unnecessary extra work.
There are countless specific steps within these two areas that a more curated, automated process could eliminate.
At RSA, we’re always working hard to improve the experience associated with access certification reviews, and we’d love to talk with you about the latest capabilities we have to offer. Visit our exhibit at the 2018 Gartner Identity and Access Management Summit in London March 5 and 6 or visit us online to learn more about the latest release of RSA® Identity Governance & Lifecycle.