Client Case Study
UK & International Insurer
Recertification Process Highlights
Why It’s Needed
Many organisations discover that access recertification hasn’t been undertaken as a result of audit scrutiny.
It was on this basis that a multinational general insurance company asked i-confidential to recertify its privileged access to key databases. Such an exercise had never been carried out before, and the organisation was under pressure from external auditors to address this critical gap.
Unlike organisations selling recertification software, our Access Recert approach can be quickly deployed via the standard Microsoft Office suite. It enables us to feed in user access data and distribute recertification emails in a simple format. This makes it quick and easy for managers to validate their direct reports’ permissions.
In preparation for this recertification, additional time was required to communicate with the client’s IT Security team due to the complexity of the data. And we had to ensure that the reviewing managers understood what they were approving.
The data we received, however, wasn’t usable in its existing state. Extra work was required to make the access understandable to managers and not all users had a unique ID. One of the fundamental principles of user access management is that a user’s unique ID should be traceable from the HR data through to the systems they have access to.
Data cleansing would usually be partially automated through formulas. In this case, however, many manual updates to the thousands of rows of data were required to get it into a fit state to enable a successful recertification cycle.
We reviewed over 35,000 entitlements, the majority of which were later ruled out of scope (though the work to get the data into a fit state had already been done). Of the few thousand that remained in scope, 57% were identified as requiring revocation, a large proportion, but one to be expected given that this was the first time these entitlements had been reviewed.
When recertification isn’t carried out, employees tend to gradually accumulate more access rights. Therefore, the first review of any application tends to see a large number of revocations. As we repeat recertification cycles on the same systems we see the proportion of revocations drastically reduce. This is good, as it shows the process is working as intended.
The majority of revocations came from leavers and from accounts whose owner we could not identify (known as orphans). The large number of orphans reflects the data quality problems we had: we were unable to find the owners of many accounts. The leavers figure, again, comes down to this being the first time such access had been recertified.
As in this case, clients are often surprised at the amount of inappropriate access that has built up when we first come in to review it. But as the client conducts more recertification cycles, their numbers will begin to fall. And as they continue to recertify, access won’t get out of hand. This means that when auditors come knocking again, the client will be fully prepared to answer the call.
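The triage described above (tracing each entitlement back to a unique ID in the HR data, then separating leavers and orphans from the entitlements a manager still needs to review) can be illustrated with a short script. This is an added example and not i-confidential's Access Recert tooling; the HR extract, entitlement feed, account names and the "active"/"left" status values are constructed for the example.

```python
"""Added example: pre-recertification triage of privileged-access entitlements.

Not i-confidential's tooling. The HR roster, entitlement rows and status
values below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    account: str            # account name as it appears on the target system
    user_id: Optional[str]  # unique ID linking to HR; None when the feed has no ID
    system: str
    role: str


# Constructed HR extract: unique ID -> (manager's unique ID, employment status)
HR = {
    "E1001": ("E0001", "active"),
    "E1002": ("E0001", "active"),
    "E1003": ("E0002", "left"),
    "E1004": ("E0002", "active"),
}

# Constructed entitlement feed for two hypothetical databases
ENTITLEMENTS = [
    Entitlement("jsmith", "E1001", "claims-db", "db_owner"),
    Entitlement("jsmith", "E1001", "policy-db", "db_datareader"),
    Entitlement("agreen", "E1002", "claims-db", "sysadmin"),
    Entitlement("bwhite", "E1003", "claims-db", "db_owner"),     # owner has left
    Entitlement("svc_batch", None, "policy-db", "db_owner"),      # feed carries no ID
    Entitlement("oldadmin", "E9999", "claims-db", "sysadmin"),   # ID absent from HR
    Entitlement("kblack", "E1004", "policy-db", "db_owner"),
]


def classify(ent: Entitlement, hr: dict) -> str:
    """Return 'orphan', 'leaver' or 'review' for one entitlement.

    An entitlement is orphaned when it has no unique ID, or an ID that HR does
    not recognise; a leaver is a known ID whose status is no longer active.
    Everything else still needs a manager's decision.
    """
    if not ent.user_id or ent.user_id not in hr:
        return "orphan"
    if hr[ent.user_id][1] != "active":
        return "leaver"
    return "review"


def build_review(entitlements, hr: dict) -> dict:
    """Split the feed into revocation candidates and per-manager review packs."""
    flagged = []        # (reason, entitlement) pairs that need no manager decision
    packs = {}          # manager ID -> entitlements that manager must validate
    for ent in entitlements:
        outcome = classify(ent, hr)
        if outcome == "review":
            manager = hr[ent.user_id][0]
            packs.setdefault(manager, []).append(ent)
        else:
            flagged.append((outcome, ent))
    return {"flagged_for_revocation": flagged, "manager_packs": packs}


def summarise(entitlements, hr: dict) -> dict:
    """Count each outcome and express it as a whole-number percentage of the feed."""
    counts = Counter(classify(e, hr) for e in entitlements)
    total = len(entitlements)
    return {
        key: (counts[key], round(100 * counts[key] / total))
        for key in ("orphan", "leaver", "review")
    }


if __name__ == "__main__":
    for reason, ent in build_review(ENTITLEMENTS, HR)["flagged_for_revocation"]:
        print(f"{reason:7} {ent.account:10} {ent.system:10} {ent.role}")
    print(summarise(ENTITLEMENTS, HR))
```

The orphan check deliberately treats a blank ID and an unknown ID the same way, since in both cases the account cannot be traced back to HR and therefore to a manager; resolving those rows is the manual data-cleansing work the case study describes, and only the "review" rows are worth sending out in recertification emails.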
Headline figures: 35% orphaned accounts; 7% access no longer required.