Are you using access certification to remove access once it’s no longer needed? Do you find the access certification process to be inefficient and tedious?
If so, you’re not alone. I agree with you, and so does Gartner’s Brian Iverson. Brian has written on the subject of access certification and even posed the question: Why Does Access Certification Even Have to Exist Any Longer? His writing made a compelling case for supporting the end of access certification.
Access certification isn’t needed anymore. Unfortunately, that’s not the world we live in—yet. He gives two main reasons as to why it’s still used:
Auditors - As Brian notes, it could be interpreted that Sarbanes Oxley requires access certification, and auditors can be very literal in their interpretations.
Difficulty - Simply put, it’s hard for vendors to implement technology that removes access based on events.
Valid reasons—but when I see them I feel like they’re excuses more than substantiated reasons to continue access certification practices.
Brian did a nice job of deconstructing auditor guidance as a reason to maintain access certification when he wrote, “the real reasoning behind requirements for access certification is that we (and especially auditors) don’t trust the typical processes for assigning and removing user access...access certification has been bolted on to backstop clearly inadequate processes.”
He went on to say, “However, auditors usually will acknowledge the faults inherent in access certification. Auditors can be convinced to rely on controls that are properly (and transparently) implemented as an alternative to processes like access certification.”
Essentially, if you can show auditors an alternative, they’re willing to listen.
When it comes to difficulty as an excuse to continue access certification though, Brian’s argument against the excuse wasn’t quite as strong. He mentions that the industry has talked about making access changes based on events, but “it seems that most organizations have found that the original ideas were too hard to implement (because they were flawed), so they gave up and instead rely on a process like access certification that is tedious, inefficient and error-prone. There are better ways, but organizations seem to be avoiding the work by relying on the cover provided by auditors saying that access certification is the approved way to remove unnecessary access.”
He essentially admitted that alternatives to access certification are too much work to implement with the statement, “In many cases, we are stuck with inefficient and tedious access certification processes because IGA products often do not offer credible alternatives (at least, not without significant work) to the access administration processes that have evolved from flawed manual processes.”
This is where I disagree with Brian. It’s not that much work! It can be done! We’re doing it!
Identity Automation is doing exactly what Brian wants to see from the industry. If you’re interested in learning more on this topic, I encourage you to read more about how we enable organizations to make access changes and processes more transparent, trustworthy, and efficient. Our automation isn’t an automation of manual processes; it’s a true technological automation designed to make things easier.