Are you using access certification to remove access once it’s no longer needed? Do you find the access certification process to be inefficient and tedious?
If so, you’re not alone. I agree with you. So does Gartner’s Brian Iverson. In a recent post on the Gartner blog, Brian went so far as to ask if access certification even has to exist anymore. And he makes a compelling case supporting ending access certification. I encourage you to read the full post, but wanted to call out a few key parts of his post.
I agree with Brian that access certification isn’t needed anymore. Unfortunately, that’s not the world we live in - yet. He gives two main reasons as to why it’s still used.
Auditors - as Brian notes, it could be interpreted that Sarbanes Oxley requires access certification, and auditors can be very literal in their interpretations.
Difficulty - simply put, it’s hard for vendors to implement technology that removes access based on events.
Valid reasons, but when I see these reasons, I feel like they’re excuses more than substantiated reasons to continue access certification practices.
Brian did a nice job of deconstructing auditor guidance as a reason to maintain access certification when he wrote, “the real reasoning behind requirements for access certification is that we (and especially auditors) don’t trust the typical processes for assigning and removing user access...access certification has been bolted on to backstop clearly inadequate processes.”
He went on to say, “However, auditors usually will acknowledge the faults inherent in access certification. Auditors can be convinced to rely on controls that are properly (and transparently) implemented as an alternative to processes like access certification.”
So if you can show auditors an alternative, they’re willing to listen.
When it comes to difficulty as an excuse to continue access certification though, Brian’s argument against the excuse wasn’t quite as strong. He mentions that the industry has talked of making access changes based on events, but “it seems that most organizations have found that the original ideas were too hard to implement (because they were flawed), so they gave up and instead rely on a process like access certification that is tedious, inefficient and error-prone. There are better ways, but organizations seem to be avoiding the work by relying on the cover provided by auditors saying that access certification is the approved way to remove unnecessary access.”
He essentially admitted that alternatives to access certification are too much work to implement with the statement, “In many cases, we are stuck with inefficient and tedious access certification processes because IGA products often do not offer credible alternatives (at least, not without significant work) to the access administration processes that have evolved from flawed manual processes.”
This is where I disagree with Brian. It’s not that much work! It can be done! We’re doing it! Identity Automation is doing exactly what Brian wants to see from the industry. We’re using technology to make access changes and processes more transparent, trustworthy, and efficient. Our automation isn’t an automation of manual processes; it’s a true technological automation designed to make things easier.
If you’re interested in learning more on this topic, I encourage you to read Brian Iverson’s full post.
To learn how to improve access certifcation to be more transparent, trustworthy, and efficient, click here to request a demo of RapidIdentity.