When recertification of authorizations makes sense
Recertifications are intended to ensure that everyone only has access to what they need to do their work. It is therefore a matter of regularly checking and confirming employees’ access rights.
Anyone who deals with the topic of Identity & Access Management will ask themselves why recertification of authorizations is necessary at all. With a well-engineered IAM solution, the processes are already so optimized and partially fully automated that no additional control instance is required. So, why is the topic of “recertification of authorizations” on everyone’s lips?
Desire for 100% security
On the one hand, it shows that security is the number one topic for many companies. There is always the challenge of protecting sensitive data and applications in such a way that they cannot be misused. Companies, and IT managers in particular, are actively considering how best to keep access authorizations under control, prevent data theft and strengthen IT compliance in general.
Of course, you have to admit that a 100% guarantee is not possible, because even automated processes have to be initiated and monitored by people. In a company, employees are so networked and technically equipped that it is impossible to completely control everything and everyone.
On the other hand, it is clear that many company executives do not fully exploit the potential of IAM solutions or consider additional control instances to be necessary.
Recertification as a control mechanism
Recertification essentially means that the access rights of each employee must be regularly reviewed and reconfirmed. It describes a control mechanism that involves active monitoring and approval by a responsible person (“recertification officer”). This is intended to ensure that the internal compliance guidelines are adhered to.
Trainees or interns are often used as an example to justify the need for recertification. During their training period, they move through several departments in order to get to know as many processes in the company as possible. This also gives them access to various drives and applications. The important question here is: Where is the trainee organizationally assigned?
If they are added to department groups and not removed again after each move, they retain the access authorizations of many groups for months or years. This unnoticed over-authorization of an individual employee, whether a trainee or a permanent employee, is both a security risk and a compliance violation.
A recertification check provides an opportunity to review group memberships regularly and remove members who no longer need them.
Recertification of authorizations is a nuisance
At first glance, it seems that recertification is a chore. It takes time and is an unloved task that people like to put off. In practice, however, it is not a particularly time-consuming task.
With recertification in the FirstWare IDM-Portal, the responsible person completes the task in a short time. These are the steps of our solution:
1. The Automation Service in IDM-Portal runs through all groups in Active Directory once a day and checks the date of the “Last Check”.
2. Depending on the definition, the service knows when the next “compliance check” is due for a group (weekly, monthly, annually – depending on the setting) and applies the rules.
3. If the “Compliance Check” is imminent, the Automation Service sends an e-mail to the person responsible for recertification in the group (usually the group owner) stating: “Recertification required”.
4. The owner accesses the IDM-Portal via a link and checks the members of the group. If they find members who no longer belong, they can remove them immediately.
5. Finally, they confirm the “Compliance Check” by ticking the box, and today’s date is saved as the new “Last Check”.
6. If the owner does not respond before the deadline expires, the Automation Service sends an e-mail to IT security.
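As an added illustration of the six steps above (example code, not FirstWare's IDM-Portal code), the following Python model runs the daily sweep over a constructed list of groups. The group record, the interval table and the 7-day reminder and 14-day grace windows are assumptions; the point it shows is that the owner only acts on groups whose check is imminent, that confirming the check resets the "Last Check" date so the group drops out of the next sweep, and that a missed deadline is escalated to IT security without anyone having to remember it.

```python
"""
Toy model of the daily recertification sweep (steps 1 to 6 above).
Added illustration, not FirstWare code: the group record, the interval
table and the reminder/grace windows are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed mapping of the "compliance check" setting to days.
INTERVAL_DAYS = {"weekly": 7, "monthly": 30, "annually": 365}


@dataclass
class Group:
    name: str
    owner: str              # person responsible for recertification
    members: list
    interval: str           # "weekly" | "monthly" | "annually"
    last_check: date        # stored when the owner ticks the box
    reminder_days: int = 7  # mail the owner this many days before the check is due
    grace_days: int = 14    # after this many overdue days, mail IT security

    @property
    def next_check(self) -> date:
        return self.last_check + timedelta(days=INTERVAL_DAYS[self.interval])

    @property
    def deadline(self) -> date:
        return self.next_check + timedelta(days=self.grace_days)


def sweep(groups, today):
    """One daily run of the automation service.

    Returns (owner_mail, security_mail). Each entry is
    (group name, owner, relevant date): owners get a "recertification
    required" reminder once the check is imminent; IT security is
    informed once the owner has let the deadline pass.
    """
    owner_mail, security_mail = [], []
    for g in groups:
        if today > g.deadline:
            security_mail.append((g.name, g.owner, g.deadline))
        elif today >= g.next_check - timedelta(days=g.reminder_days):
            owner_mail.append((g.name, g.owner, g.next_check))
    return owner_mail, security_mail


def confirm_check(group, today, remove=()):
    """Steps 4 and 5: the owner removes stale members and confirms the check.

    Returns the members that were removed. The check date resets, so the
    group stays out of the sweep until its interval has elapsed again.
    """
    removed = [m for m in group.members if m in remove]
    group.members = [m for m in group.members if m not in remove]
    group.last_check = today
    return removed


# Constructed sample data for one run.
TODAY = date(2024, 6, 3)
GROUPS = [
    Group("G-Marketing-Share", "alice", ["bob", "trainee01"], "monthly", date(2024, 5, 10)),
    Group("G-Finance-App", "carol", ["dave"], "annually", date(2023, 4, 1)),
    Group("G-HR-Share", "erin", ["frank"], "weekly", date(2024, 6, 1)),
]

if __name__ == "__main__":
    owner_mail, security_mail = sweep(GROUPS, TODAY)
    for name, owner, due in owner_mail:
        print(f"mail {owner}: recertification required for {name} (due {due})")
    for name, owner, deadline in security_mail:
        print(f"mail IT security: {name} not recertified by {owner}, deadline was {deadline}")
    # The marketing owner reviews the group and drops a former trainee.
    print("removed:", confirm_check(GROUPS[0], TODAY, remove={"trainee01"}))
```

On the sample data the two owners of the monthly and weekly groups are reminded, the annual group whose owner never confirmed is escalated, and after the marketing owner removes the trainee and confirms, that group no longer appears in the same day's sweep.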
The IDM-Portal simplifies an inherently complex process and makes it user-friendly. Recertifications can be completed quickly and are not a burden.
Recertification is not required for fully automated groups
Full automation through attribute-based rules
However, recertification is not necessary per se.
If a company uses a solution with IAM automation, such as the FirstWare IDM-Portal, then managers do not have to deal with such “trainee issues”. The full automation that companies receive with the IDM-Portal makes recertifications obsolete.
How does this work in practice?
IAM full automation is based on an attribute and its value, e.g. the attribute “department = Marketing”. Most attributes are single-valued, i.e. the “department” attribute can hold exactly one value at a time, for example:
- Marketing, or
- HR,
but never both.
The full automation in IDM-Portal is based on clear rules, e.g. there is a dynamic group for the marketing department. It contains the filter:
A user is a member if the attribute “department = Marketing”.
If this value is changed to “department = Logistics”, the membership in the old department expires and another one may apply.
Over-authorization through stale department memberships therefore cannot occur: the rule alone decides membership, and because the attribute is single-valued an employee cannot be a member of two department groups at the same time. Groups that are not governed by such a rule are not covered by this and still have to be managed separately.
Time control and temporary authorizations
With IDM-Portal, it is also possible to automatically revoke authorizations after a certain period of time. This “time control” replaces manual checking by a responsible person.
A temporary authorization is therefore assigned manually and withdrawn automatically. This can be implemented in parallel for several departments.
In a further stage, so-called “scheduled functions” can be integrated into the IDM-Portal, i.e. a rule that runs on a schedule, for example daily. The schedule can be varied.
IAM solutions with automation functions, such as
- attribute-based rules,
- time control and
- additional planned tasks
tighten the safety net so that further control mechanisms (such as recertification) are not necessary.
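An added Python illustration of both the attribute-based rule above and the time control just described (example code, not FirstWare's): membership in a department group is computed from the single-valued department attribute, so a trainee who rotates through three departments is in exactly one department group at a time, while a temporary grant carries an expiry date and is treated as revoked automatically. The rule table, attribute and group names and the dates are assumptions. The stale_memberships check is the manual counterpart for comparison, a user added to groups by hand and never removed; note that it can only judge groups for which a rule exists, which is exactly why groups without such a rule still need recertification.

```python
"""
Added illustration of attribute-based dynamic groups (single-valued
"department" attribute) and of time-limited grants. Not FirstWare code:
the rule table, attribute names, group names and dates are assumptions.
"""
from datetime import date

# Assumed rule format: dynamic group -> (attribute, required value).
# A user is a member exactly when the attribute currently holds that value.
DYNAMIC_RULES = {
    "G-Marketing": ("department", "Marketing"),
    "G-HR": ("department", "HR"),
    "G-Logistics": ("department", "Logistics"),
}


def dynamic_memberships(user, rules=DYNAMIC_RULES):
    """Membership is computed from attributes, never stored, so it cannot go stale."""
    return {group for group, (attr, value) in rules.items() if user.get(attr) == value}


def rotate(user, stations):
    """Move a user through several departments, as a trainee does, and record
    the dynamic memberships after each move. The single-valued attribute is
    overwritten, so the previous department group drops away by itself."""
    history = []
    for dept in stations:
        user["department"] = dept
        history.append(dynamic_memberships(user))
    return history


def stale_memberships(assigned, user, rules=DYNAMIC_RULES):
    """The manual, never-cleaned-up variant: which of the groups a user was
    added to by hand are no longer justified by the rule table?
    Groups without a rule are not judged here; they still need recertification."""
    ruled = {g for g in assigned if g in rules}
    return ruled - dynamic_memberships(user, rules)


def active_grants(grants, today):
    """Time control: a grant is assigned manually with an expiry date (ISO
    string) and is treated as revoked the day after it expires, with no
    owner action needed."""
    today = date.fromisoformat(today)
    return {g for g, expires in grants.items() if today <= date.fromisoformat(expires)}


def effective_groups(user, grants, today):
    """Rule-based groups plus still-valid temporary grants."""
    return dynamic_memberships(user) | active_grants(grants, today)


# Constructed sample data.
TRAINEE = {"sAMAccountName": "trainee01", "department": "Marketing"}
STATIONS = ["Marketing", "HR", "Logistics"]
TEMP_GRANTS = {"G-ProjectX-Share": "2024-06-30"}   # project share, expires end of June

if __name__ == "__main__":
    for dept, groups in zip(STATIONS, rotate(TRAINEE, STATIONS)):
        print(f"{dept:<10} -> {sorted(groups)}")
    print("stale if added by hand:", sorted(stale_memberships(
        {"G-Marketing", "G-HR", "G-Logistics", "G-Legacy-App"}, TRAINEE)))
    print("June:", sorted(effective_groups(TRAINEE, TEMP_GRANTS, "2024-06-03")))
    print("July:", sorted(effective_groups(TRAINEE, TEMP_GRANTS, "2024-07-01")))
```

After the rotation the trainee holds only G-Logistics via the rules; had the three groups been assigned by hand, G-Marketing and G-HR would be flagged as stale, while G-Legacy-App, which no rule governs, would have to be caught by a recertification instead. The project share is part of the effective groups in June and gone in July without anyone removing it.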
Recertification of authorizations makes sense here
Companies want recertification of authorizations
In our discussions with numerous interested parties and customers, it is clear that top management wants to use recertification. It gives them the certainty that an auditing body will check the group members at least once a year and can thus uncover over-authorizations. Last but not least, auditors also demand these audit processes, as data theft is seen as a significant risk factor.
Companies do not manage group memberships fully automatically
Even companies that use an Identity & Access Management system want to use recertification. As IAM systems do not conform to any standard pattern and are configured differently, full automation is not always integrated.
Automations, rules and time controls must also be created manually and checked again and again, and human error cannot be eliminated entirely. It therefore makes sense in any case to subject certain groups to regular recertification.
Limits of recertifications
It is important to define a scope for the recertification of authorizations. A complete approach for all authorizations is generally not useful. If, for example, a department head has a large number of authorizations to confirm, it is easy for careless errors to occur – or the person responsible simply lacks the desire to check them. In extreme cases, this can lead to them not actually carrying out the check, but simply clicking “OK”. This would clarify liability, but over-authorization or worse would still be possible.
A good mix of fully automated and time-limited authorizations together with some permanent authorizations that are recertified can be a good solution.
Would you like to better control your access authorizations? Get to know our IAM solution with automation, time control and recertification. We will be happy to advise you on which option will achieve the best result for you.