Software Won’t Always Solve Your Access Recertification Problem


Chris Harragan

Security Analyst at i-confidential


Access recertification is easy. This is a commonly held view.

Organisations should ensure people only have the minimum systems access needed to do their job.

So, you simply install a dedicated software tool to look after that and your problems are solved.

But that’s misguided.

When it comes to access recertification, process trumps software. Every time.

Yes, the primary goal is simple, but relying on software to achieve it is actually a complex, challenging solution. Here’s why:

· Data is tough to integrate.

· Software requires an expensive upfront purchase.

· Software support requires additional staff resources.

· Implementing software can eat up all your time.

Let’s look at each of these in turn.

Data is tough to integrate

First of all, you will likely have to integrate a substantial number of systems into the process. If you’re reviewing 50 applications, you need to get the list of users and their access rights into a uniform format.

When using software, the process is bound to trip up here. You’ll either be left with applications missing from the recertification cycle or some of the data will be unintelligible.

As part of i-confidential’s Access Recert service, we spend up to two weeks cleansing data from all the different systems in scope to ensure it’s fit for purpose. Organisations typically have a large number of applications they’ve accumulated over the years. And the data is never consistent across the board, so it won’t be ‘plug and play’ compatible with a software tool.

Software requires an expensive upfront purchase

If you decide you want to go down the software route, it could cost you a lot. First and foremost, there’s the upfront cost. And once you’ve purchased it, you’d better be happy, because there’s no try before you buy.

Our Access Recert service features a pilot recertification cycle. Maybe you’re getting audited and only a handful of applications need to be reviewed. Or maybe you want to see how effective it is before you proceed further to get the long-term benefits.

Whatever the reason, a flexible approach early on ensures an organisation can gain confidence that it has found the right solution.

Software support requires additional staff resources

Once you’ve paid the upfront price to get the recertification software, there are still more costs ahead.

Software comes with a whole range of issues that require people to manage. Initially, there’s the onboarding of applications, which isn’t always easy due to data quality issues.

And if you’re not hiring new people to help with these problems, then you might be left with colleagues inexperienced in recertification holding the bag. Alternatively, experienced operational staff can step in, but this will leave other gaps that require backfilling. Either way, there are going to be additional costs in training staff and managing the tool.

Now, not all of these issues magically go away if you don’t use software. We have to deal with many of them for the clients that use our service. But having direct access to our team ensures the support of people who have seen it all before and know how to deal with any issues.

Implementing software can eat up all your time

At every stage of the recertification software journey there is a fundamental resource you're losing – time.

As well as the unexpected issues that arise in a project like this, you need to allow time for:

· Procuring the software

· Integrating the software

· Training teams to manage the software

By the time you're ready to use the software, you're already many months (at least) down the line. And in that time, access is not being recertified, leaving you open to the risks you were trying to sort out in the first place.


When organisations want to address their recertification needs, the go-to answer is often software.

Because recertification is seen as easy, people think software is the simplest solution. But they fail to account for the difficulty, cost, and time to implement it.

That often leads to years going by without having a robust solution in place.

i-confidential’s Access Recert service is software-free and can start straight away:

· Our consistent approach accurately identifies the access rights requiring revocation.

· We review quarterly, so users don’t hold on to inappropriate access for long.

· It’s easily scalable to increase the coverage of the applications being reviewed.

Why not learn more by contacting us at


