Many companies are faced with the task of documenting the access and permissions granted to employees, external persons and technical accounts and keeping them up to date. Unfortunately, this task is still often neglected, for various reasons. People are busy with other activities or projects in their daily work, so they are reluctant to deal with granted permissions. The departments are also happy to hand the task over to IT: "This is a topic that belongs to the IT department anyway."
That is the misconception!
The next internal audit at the latest will bring problem cases and optimization potential to light. For example, the continued access of user accounts whose owners left the company months ago.
But this does not have to be the case! Regular recertification can be a good way to prevent the problems described above.
What is Recertification?
Strictly speaking, recertification is an audit that checks the validity of a certificate and extends it if necessary. However, this article does not deal with such recertifications.
We want to deal with the “recertification of permissions”.
Recertification of access is a process in which a current state is reviewed and its acceptance is confirmed. In this process, a suitable responsible person (CISO, supervisor, specialist) checks the permissions granted to users and decides whether this state should continue to exist or not. Ideally, the necessary changes are also implemented immediately. In simple terms, this is a review of permissions as part of user management.
In the IAM environment, recertification is already required by law, based on the DSGVO (GDPR) and BSI recommendations. Thus, the introduction of a recertification process can protect a company from security breaches and possible fines.
Today, recertification should be an integral part of permission management and compliance regulations.
What should be recertified?
For recertifications of accesses or permissions, the following areas should be considered when creating the audit concept:
- Role Identity Assignments
- Role-Rights Assignments
- Rules of the assignments
- Validity of identities
Role Identity Assignments
Here, it should be checked whether an employee has the roles in the company that correspond to his job description and are required for the fulfillment of his daily tasks.
Role-Rights Assignments
In the case of role/rights assignments, a check is made to ensure that the individual roles in the company still have the correct permissions on the systems used. Not only enterprise roles should be checked, but also access roles in the business applications and in the infrastructure.
The current status should be compared with existing or updated policies and guidelines, and any necessary adjustments made.
Rules of the Assignments
Are the rules and processes used to link roles to permissions and identities to roles still up-to-date and correct? Are the necessary approval steps for assignment still up-to-date and are the approvers still in the company?
Validity of Identities
When considering the validity of identities, one focuses on the different accounts that are in use across the enterprise.
The following questions can be asked:
- Is an employee, external consultant, administrator account or service account still current?
- Did a former employee go through the exit process correctly?
- Is an external consultant still active in the company or can his account be deleted?
- Has the administrator account of an outgoing employee also been transferred to the exit process?
- Does the service account still serve its original purpose, or has it meanwhile been used for other tasks?
How do you build Recertification in a meaningful way?
A recertification process can be set up and executed both manually and automatically. Today, there are numerous access governance software products on the market, so that even small companies can afford to implement a recertification process.
With the help of such applications, recertifications are not only easier to set up and to keep on schedule, they are also documented in an audit-proof manner, and any resulting changes are implemented immediately where necessary.
The structure of a recertification is very simple. The “good old” table approach is used for this purpose. We would like to explain this here using an example. Let’s assume we want to recertify our CRM system, which controls access via system-internal roles.
The structure of such a recertification table could look as follows:
With the table, a cross matrix is created from the available roles and the holders of those roles. The recertifier then only has to decide whether or not to agree with the role assignment for each person.
Such a matrix is easy to understand and intuitive to use. The recertifier can immediately see what permissions have been granted to an individual and, based on guidelines, policies, audits, or their own discretion, can decide whether or not they should remain assigned.
These matrix tables can also be ported to the other 3 recertification areas by simply adjusting the column and row headings accordingly.
Modern systems for access governance or identity access management (IAM) offer recertification functionalities based on the example shown above and generate these tables automatically.
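As an added illustration (not code from the article or from any particular IAM product), the CRM example above could be modelled like this in Python: the roles-by-identities cross matrix, the validity-of-identities check from the earlier section folded in, and the recertifier's decisions turned into revocations plus an audit-proof log. All identities, roles and dates are constructed sample data.

```python
# Added example: recertification matrix for CRM system-internal roles.
# Identities, roles and dates below are constructed sample data.

# Constructed CRM role assignments (identity, role).
ASSIGNMENTS = [
    ("alice", "CRM_Sales"), ("alice", "CRM_Reports"),
    ("bob", "CRM_Admin"), ("carol", "CRM_Sales"),
    ("svc_sync", "CRM_Admin"),
]
# Constructed identity records; "end" is the exit/contract end date (ISO) or None.
IDENTITIES = {
    "alice": {"type": "employee", "end": None},
    "bob": {"type": "employee", "end": "2023-11-30"},     # left months ago
    "carol": {"type": "external", "end": "2024-06-30"},   # contract ended
    "svc_sync": {"type": "service", "end": None},
}

def build_matrix(assignments):
    """Cross matrix: identity -> {role: assigned?} over all roles seen."""
    roles = sorted({role for _, role in assignments})
    matrix = {}
    for ident, role in assignments:
        matrix.setdefault(ident, {r: False for r in roles})[role] = True
    return roles, matrix

def flag_invalid_identities(identities, today):
    """Validity-of-identities check: accounts whose end date lies in the past.
    ISO date strings compare correctly as plain strings."""
    return sorted(i for i, rec in identities.items()
                  if rec["end"] is not None and rec["end"] < today)

def apply_decisions(matrix, decisions, recertifier, campaign_date):
    """decisions maps (identity, role) -> "keep" | "revoke".
    Every assigned cell must carry a decision; an undecided cell means the
    campaign is incomplete. Returns the revocations to implement and an
    audit log entry for every decision taken."""
    revocations, audit_log = [], []
    for ident, row in matrix.items():
        for role, assigned in row.items():
            if not assigned:
                continue
            decision = decisions.get((ident, role))
            if decision not in ("keep", "revoke"):
                raise ValueError(f"undecided assignment: {ident}/{role}")
            audit_log.append({"date": campaign_date, "recertifier": recertifier,
                              "identity": ident, "role": role, "decision": decision})
            if decision == "revoke":
                revocations.append((ident, role))
    return revocations, audit_log
```

Flagged identities are the cells a recertifier would normally reject first; the same three functions serve the other recertification areas by swapping what the rows and columns represent.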
In addition to the question of how to set up a recertification, one must also ask how often this process should be executed.
Experience shows that recertifications should be repeated every 3 to 6 months. This reduces the time during which incorrect roles or permissions may remain assigned to a person. Of course, the interval also depends on the number of roles, permissions and identities to be verified. Individual permissions are usually checked more frequently than role assignments. There is no right or wrong here.
The process must fit into the company’s particular way of working.
In summary, recertification is an efficient means of regularly reviewing the permission management in place and keeping it in a clean state. It also avoids unpleasant situations, such as data protection violations or fines.