IDG Contributor Network: Improving access certification processes makes life easier for business users. But that’s not the point

Let’s face it: Nobody looks forward to access certifications. Not the business user who has to take a big chunk of time out of an already stretched schedule to go through every single user’s access privileges and confirm whether they’re correct. Not the internal audit team that has to play the bad guy and prod the business user to quit procrastinating and get the reviews done. And certainly not the CISO, who’s ultimately responsible for the organization’s security and compliance posture—knowing that for every business user who conscientiously and painstakingly examines each user’s access, there could be another who’s just checking boxes as fast as possible (and leaving behind unmitigated risks of inappropriate access for someone to come along and exploit).  

It’s probably safe to say the process for access certifications at any given organization isn’t making anyone particularly happy. That’s a big problem, and the reason it’s a big problem is that it creates a much bigger problem: the threat to security. When access certification reviews are as burdensome as they can sometimes be these days, business users may take shortcuts. When they take shortcuts, they create security gaps. And when they create security gaps, they leave the door open to every bad actor out there who is just waiting for a gap they can sneak through.  

When you take action to make access certification review easier, you reduce the burden on your business users, improve your ability to achieve compliance, and most importantly, become more effective at closing security gaps. You make it possible to achieve “access assurance,” or the confidence that a user’s access privileges are exactly as they should be, and that the organization is compliant and secure. But to get to that happy ending, we have to first look back at how access certifications got to be so challenging in the first place, then examine what can be done to make those reviews more effective—and thus make organizations more secure.

Where’s Waldo? Business users are overwhelmed by sheer numbers

Access certification processes were originally adopted largely in response to the need for organizations to attest to compliance with the Sarbanes-Oxley Act of 2002 (SOX). This mandate has companies creating annual certification processes to regularly attest that users’ access is appropriate. These annual (and sometimes more frequent) ceremonies were built on the principle that we needed managers to look at their employees’ access to gain the assurance that those access privileges are appropriate to their jobs. After all, who better than an employee’s manager to know what the employee needs in order to be successful, right?