Access Recertification - We’ve Got It Covered
By Katy Fraser, Senior Security Analyst at i-confidential
Access recertification risks are real.
As a security analyst, I know this only too well from the findings auditors regularly highlight in organisations I work with. I’d like to share here how I have helped those clients avert audit challenges and reduce their access management risks in the process.
Without recertification and the removal of inappropriate access, users accumulate more system rights and entitlements than their role requires, which is a primary enabling factor behind insider risk. Excess access leaves employees, innocently or otherwise, open to misusing it, and it makes them a more attractive target for bribery or blackmail.
Ideally, you want to shut down the potential for that kind of malicious activity as quickly as possible. Think of it as, “Lead us not into temptation” security.
It’s not all doom and gloom though.
From my experience, many organisations put some form of practice in place to ensure they regularly review access. Problems can reveal themselves, however, when you ask:
What percentage of high-risk applications are you recertifying?
How do you manage orphans (accounts or entitlements that cannot be traced to an identifiable person)?
How much time do you invest in adding systems to the recertification process?
Working for i-confidential, which offers an access recertification service, and with six years’ direct experience of my own, I know it’s really hard to recertify and manage some systems (especially where the word ‘legacy’ is involved). Despite the challenges inherent in the process, I’ve seen what a big difference the right approach can make.
For the last couple of years, i-confidential has run its recertification service for a client in the financial services sector. Having increased the coverage of in-scope applications over time, the organisation is now at 98%, but it has been a bumpy journey to get there.
As we fed new applications into the process, we saw a jump in both the number of orphans and the revocation rate. Once the cycle completed, our job was clear. We worked with the relevant client teams to offer advice and support to help the business areas understand and agree what they should do with their orphans. Once the business completed the clean-up, it left an extremely low residual orphan rate – less than five percent.
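To make the mechanics of that cycle concrete, here is an added example (not i-confidential’s service code, and not from the original article) that reconciles account exports from in-scope applications against an HR feed. It separates orphans (no identifiable owner) from leavers (owner known but no longer employed), reports what percentage of high-risk applications actually supplied data for the cycle, applies the business owners’ revoke/reassign decisions, and recomputes the residual orphan rate. The application names, employee ids, accounts and decisions are constructed for the example.

```python
"""Recertification cycle helper: reconcile app account exports against HR,
find orphans, measure coverage, apply clean-up decisions, report residual rate.
Added example; application names, ids and accounts below are constructed."""

# Constructed HR feed: employee id -> record. "leaver" = no longer employed.
HR_FEED = {
    "e1001": {"name": "A. Smith", "status": "active"},
    "e1002": {"name": "B. Jones", "status": "active"},
    "e1003": {"name": "C. Patel", "status": "leaver"},
}

# Constructed account exports from two in-scope applications. owner_id None
# or unknown to HR means nobody can be identified as the person behind it.
APP_EXPORTS = {
    "payments-core": [
        {"account": "asmith", "owner_id": "e1001", "role": "approver"},
        {"account": "svc_batch", "owner_id": None, "role": "admin"},
        {"account": "cpatel", "owner_id": "e1003", "role": "approver"},
    ],
    "ledger-legacy": [
        {"account": "bjones", "owner_id": "e1002", "role": "read"},
        {"account": "x_old_admin", "owner_id": "e9999", "role": "admin"},
    ],
}

# Constructed list of applications rated high-risk; one has sent no export.
HIGH_RISK_APPS = {"payments-core", "ledger-legacy", "treasury-gw"}

ACTIVE, LEAVER, ORPHAN = "active", "leaver", "orphan"


def classify(entry, hr_feed):
    """ACTIVE: owner in HR and employed. LEAVER: owner known but has left.
    ORPHAN: owner missing or not in HR, i.e. the person is unidentifiable."""
    owner = hr_feed.get(entry.get("owner_id"))
    if owner is None:
        return ORPHAN
    return ACTIVE if owner["status"] == "active" else LEAVER


def reconcile(exports, hr_feed):
    """Return {app: {account: classification}} for every exported account."""
    return {app: {e["account"]: classify(e, hr_feed) for e in entries}
            for app, entries in exports.items()}


def coverage_pct(in_scope_apps, exports):
    """Percentage of in-scope apps that supplied an export this cycle.
    An app with no export has not been recertified, whatever the policy says."""
    covered = [app for app in in_scope_apps if app in exports]
    return 100.0 * len(covered) / len(in_scope_apps) if in_scope_apps else 0.0


def rate(results, status):
    """Share (0..1) of all exported accounts with the given classification."""
    total = sum(len(accounts) for accounts in results.values())
    hits = sum(1 for accounts in results.values()
               for s in accounts.values() if s == status)
    return hits / total if total else 0.0


def apply_decisions(exports, decisions):
    """Apply business-owner decisions: {(app, account): "revoke"} removes the
    account; {(app, account): ("assign", emp_id)} records the owner found
    during the clean-up. Returns a new export set; input is left unchanged."""
    updated = {}
    for app, entries in exports.items():
        kept = []
        for e in entries:
            decision = decisions.get((app, e["account"]))
            if decision == "revoke":
                continue
            if isinstance(decision, tuple) and decision[0] == "assign":
                e = {**e, "owner_id": decision[1]}
            kept.append(e)
        updated[app] = kept
    return updated


def run_cycle():
    """One cycle over the constructed data: before and after the clean-up."""
    before = reconcile(APP_EXPORTS, HR_FEED)
    decisions = {  # constructed outcomes of the conversations with app owners
        ("payments-core", "svc_batch"): ("assign", "e1001"),  # owner identified
        ("payments-core", "cpatel"): "revoke",                 # leaver
        ("ledger-legacy", "x_old_admin"): "revoke",            # nobody claims it
    }
    after = reconcile(apply_decisions(APP_EXPORTS, decisions), HR_FEED)
    return {
        "coverage_pct": coverage_pct(HIGH_RISK_APPS, APP_EXPORTS),
        "orphan_rate_before": rate(before, ORPHAN),
        "leaver_rate_before": rate(before, LEAVER),
        "orphan_rate_after": rate(after, ORPHAN),
        "revocations": sum(1 for d in decisions.values() if d == "revoke"),
    }


if __name__ == "__main__":
    print(run_cycle())
```

Two design points match what the article describes: coverage is measured against the list of in-scope applications rather than the list of applications that happened to send data, so an application nobody has onboarded counts against you; and leaver access is reported separately from orphans, because it has a known owner and should simply be revoked, whereas an orphan needs someone to find out who, if anyone, is behind it before a decision can be made.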
In my view, the evidence speaks for itself.
The key to success is following a clear, end-to-end process, with a view to increasing coverage as much as possible.
This success, however, depends on having sufficient time to analyse the data, which is not always feasible from a cost perspective. When making the investment argument, it’s important to stress the added value of having conversations with application owners, not only about the controls in place but, more importantly, about how those controls can be changed for the better. You can then demonstrate that you are proactively strengthening access control across your systems, rather than just producing a report.
While effective controls are the ‘straightforward’ first step in any good recertification practice, I would argue it’s how you expand your empire where the difficulties often lie, but it can be done with the right investment. Coverage is king, and we can help you take those steps to protect the ‘crown jewels.’