Chris Harragan
Security Analyst at i-confidential
Most organisations don’t persist with recertification long enough to see the long-term benefits.
At i-confidential, we’ve been providing our Access Recert Service to a number of well-known organisations for 14 years. And the main reason we get called in to help these organisations is that they have auditors on their back.
So, we come in and fix their audit issues. Often this involves:
· Applications not being recertified.
· Revocations that haven’t been actioned.
· A range of other ‘spot’ problems stemming from a general lack of rigour.
Unless the underlying process is fixed and maintained, however, the organisation won’t reap all the potential gains.
The benefits from recertification tend to come in three stages:
1. Initial access removal.
2. Increasing the coverage scope.
3. Compounding the rewards of an effective process.
Initial access removal
When you start recertifying an application, you’ll revoke a lot of access.
Processes have likely fallen by the wayside, leading to people accumulating more and more rights. Taken across multiple applications, this leads to a lot of organisational risk.
People should only have the access needed to fulfil their job role. Any more than that is deemed ‘inappropriate’ and increases business risk.
The first application review will tidy up most of the redundant access. And over the next few years, as you add more of your applications to the recertification process, you’ll continue to go through this clean-up exercise.
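The checks behind the audit findings listed earlier (applications not recertified, revocations not actioned) and the role-based clean-up described in this section can be expressed as a few small functions run over exports. The block below is an added example, not i-confidential’s tooling; the role model, the entitlement exports and the campaign decisions are constructed sample data, and the dictionary shapes are assumptions chosen for the illustration.

```python
"""Added example: three recertification checks run over constructed exports.

1. inappropriate_access: rights held beyond what the user's job role allows.
2. unactioned_revocations: campaign 'revoke' decisions still present afterwards.
3. overdue_applications: applications with no completed review in the window.
All data structures and sample values below are constructed for the example.
"""
from datetime import date, timedelta

# Constructed role model: rights each job role is approved to hold per application.
ROLE_ENTITLEMENTS = {
    "payments-clerk": {"pay-app": {"read", "submit"}},
    "payments-manager": {"pay-app": {"read", "submit", "approve"},
                         "hr-app": {"read"}},
}

# Constructed export of effective entitlements before the first review.
CURRENT_ACCESS = {
    "alice": {"role": "payments-clerk",
              "access": {"pay-app": {"read", "submit", "approve"}}},
    "bob":   {"role": "payments-manager",
              "access": {"pay-app": {"read", "submit", "approve"},
                         "hr-app": {"read", "write"}}},
    "carol": {"role": "payments-clerk",
              "access": {"pay-app": {"read"}}},
}

# Constructed campaign decisions: (user, app, right, decision).
CAMPAIGN_DECISIONS = [
    ("alice", "pay-app", "approve", "revoke"),
    ("bob", "hr-app", "write", "revoke"),
    ("carol", "pay-app", "read", "keep"),
]

# Constructed export taken after the campaign: alice's revocation was actioned,
# bob's was not.
POST_CAMPAIGN_ACCESS = {
    "alice": {"role": "payments-clerk",
              "access": {"pay-app": {"read", "submit"}}},
    "bob":   {"role": "payments-manager",
              "access": {"pay-app": {"read", "submit", "approve"},
                         "hr-app": {"read", "write"}}},
    "carol": {"role": "payments-clerk",
              "access": {"pay-app": {"read"}}},
}

# Constructed record of when each application last completed a review.
LAST_CERTIFIED = {
    "pay-app": date(2024, 3, 1),
    "hr-app": None,               # never recertified
    "crm-app": date(2023, 1, 15),
}


def inappropriate_access(current, roles):
    """Return {user: {app: rights}} for rights held beyond the user's role model.

    A role missing from the model, or an app missing from a role, is treated
    as allowing nothing, so every right held there is reported.
    """
    findings = {}
    for user, rec in current.items():
        allowed = roles.get(rec["role"], {})
        for app, rights in rec["access"].items():
            excess = rights - allowed.get(app, set())
            if excess:
                findings.setdefault(user, {})[app] = excess
    return findings


def unactioned_revocations(decisions, current):
    """Return (user, app, right) for 'revoke' decisions still present in the export."""
    stale = []
    for user, app, right, decision in decisions:
        if decision != "revoke":
            continue
        if right in current.get(user, {}).get("access", {}).get(app, set()):
            stale.append((user, app, right))
    return stale


def overdue_applications(last_certified, today, max_age_days):
    """Return apps never reviewed or last reviewed before today - max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(app for app, last in last_certified.items()
                  if last is None or last < cutoff)


if __name__ == "__main__":
    print("inappropriate:", inappropriate_access(CURRENT_ACCESS, ROLE_ENTITLEMENTS))
    print("unactioned:", unactioned_revocations(CAMPAIGN_DECISIONS, POST_CAMPAIGN_ACCESS))
    print("overdue:", overdue_applications(LAST_CERTIFIED, date(2024, 6, 1), 365))
```

Run against real exports, the second check is the one that turns a campaign from a paperwork exercise into an actual reduction in access: a revocation that is decided but never removed from the application is the finding an auditor will raise, and it is invisible if you only look at the campaign’s own records.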
Increasing the coverage scope
When you start recertifying access, it’s easier to begin with a small subset of applications – usually those presenting the highest risk to the organisation.
Recertifying a smaller group to begin with gives you the time to get the process right.
Once that is done, it’s simply a case of feeding in more applications. And over time you can onboard the organisation’s entire application estate.
Compounding the rewards of an effective process
After a number of years of increasing scope with an effective process, you’ll earn the benefits of compounding.
At a certain point, you’ll reach the stage where the majority of applications are recertified. They will all have been through the process and any inappropriate access lingering there revoked.
After this point, recertification will act as intended – a check on your access.
But if you don’t continue to run the process consistently, you lose the compounding effects. Inappropriate access builds up and your risk increases. This will take you back to where you began, with auditors knocking on your door asking why this isn’t being done properly.
Hidden in the seeming simplicity of recertification are the complexities that lead many to struggle. And when the activity is difficult to get right, it’s not done properly. This is where auditors pick up on those issues. But when you have an effective process, and are consistent with it, you begin to see the real benefits of recertification.