Understanding Why Business Managers Hate Access Certifications

Almost every job includes monotonous—but necessary—tasks that we dread completing. For line of business (LOB) managers, access certification is one of these tasks. Imagine a seemingly endless list or spreadsheet containing lines upon lines of users’ names coupled with their levels of access. In addition to a long list of other responsibilities, LOB managers are responsible for carefully evaluating whether each user’s level of access is appropriate for his or her level of responsibility. This task is necessary not only for the sake of meeting regulatory compliance but also because users with unnecessarily wide access can cause catastrophe.

The Problem with Access Certifications

Certifying access for every user is a lot to ask of LOB managers, who are already extremely busy with other responsibilities. To make this tedious and time-consuming task even more onerous, LOB managers have almost no context for evaluating each user’s appropriate level of access. These busy professionals are therefore inclined to “rubber stamp” current access levels, thus certifying users’ access without proper evaluation.

The rubber-stamp method may help LOB managers complete access certifications in time for audits, but it does not a secure enterprise make. Again: Access certifications are an important part of your organization’s identity governance program. This makes the current, largely ineffective approach a cause for concern.

While it’s tempting to blame LOB managers for employing the rubber-stamp method when it comes to access certifications, it wouldn’t be entirely fair to do so. While many access certification solutions focus on IT efficiency by giving IT organizations automated tools for collecting entitlements and creating and distributing reports, they leave LOB managers with little by way of decision support. Sure, sometimes LOB managers get a pretty UI instead of a spreadsheet, but even then, they’re ultimately shooting in the dark when it comes to assessing appropriate access levels—and they must still manually check all of the boxes.

Give Managers the Tools They Need

Making access certifications easier for the LOB managers, who decide which levels of access are appropriate for which users, is the key to achieving compliant and secure identity governance.

But how do you make access certifications easier? Give LOB managers the right tools. Consider an identity governance solution that includes risk-scoring tools. These tools move access reviews for the users who present the greatest risk to the top of the list, thus letting LOB managers know where a more careful evaluation is necessary. Managers will also know which access levels represent very little risk, so they won’t need to spend time they don’t have carefully evaluating access for users with these levels. In other words, solutions such as this provide context for evaluating access and ease LOB managers’ workloads, ultimately mitigating insider and privileged-user risks by reducing those users’ access footprint.

Do you want to know more?

At the Cyber Security Event 2016, you will learn from Micro Focus how you can protect your organisation against cyber crime and other cyber security risks.

About Frank van Summeren

Conference and training manager for security at the Studiecentrum voor Bedrijf en Overheid.
