Advanced Attestation and Recertification for Today's Organizations

Level 3: Recertification of single permissions through automated processes and request and approval workflows

Organizations can achieve tighter control over the correctness of permission assignments by adopting continuous recertification processes. The initial permissions assigned for these processes are validated through well-documented request-and-approval workflows, and users retain appropriate permissions through recertification. Continuous recertification is best achieved by implementing an automated identity management system that includes a workflow component. This allows recertification to be processed using the same workflow system as the one assigning permissions, and the automation reduces manual effort. It also avoids the risk of incomplete review present in Level 2, since every set of assigned permissions is determined via a defined and documented process.

However, like Level 2, Level 3 lacks transparency. The names of permissions and entitlements tend to be cryptic — understandable to technical staff but not to the manager who needs to recertify or reject them. Additionally, this approach is not user friendly, due to the large number of single permissions to be managed.

Level 4: Continuous recertification on multiple levels using business roles

Using descriptive roles to assign permissions, rather than assigning permissions individually, offers multiple benefits. The first is transparency: when arcane and technically oriented IT entitlements are replaced with descriptive roles, responsibility for granting permissions can be moved from IT staff to the business managers who better understand who needs access to what. This in turn reduces the risk of inappropriate permission assignments. Moreover, business roles streamline the process of changing a user’s permissions when technical or organizational changes occur. For example, suppose an employee changes positions within the company, moving from Finance to Marketing.
Updating his role assignment will automatically revoke his permissions to access sensitive financial data he should no longer see, while ensuring he can access all the marketing documents he now needs in his new position. Using roles also helps organizations deal with the challenge of mass attestations, which can arise, for example, from a comprehensive reorganization or the need to recertify a large stock of permissions. Instead of blindly hitting the common “Accept all” button, the organization can use a multi-stage attestation process that recertifies users based on their roles in the organization: the department manager attests only to the affiliation of employees with specific roles (such as “Purchasing Manager”), without having to know each of the specific permissions associated with each role. Finally, if desired, the definition of business roles can itself be part of the recertification workflow, enhancing security.

Recertification is the ongoing process of revalidating permissions, privileges and entitlements granted to users.

Figure 1. Identity Manager’s interactive report displays all the information needed by the attester while still providing a clear overview of the recertification process.

Level 5: Recertification using risk management principles

Risk management practices are quickly becoming the next extension of attestation and recertification processes. Instead of looking at all users, all access privileges or all data, organizations are concentrating on where risk is highest by asking questions like:
• Which systems house the most critical data?
• Who has access to those systems?
• What kind of authority do they have to change things on those systems?
• Is a user’s access a violation of separation of duties (SoD)? For example, does a user have both the power to set up a vendor and pay a vendor?
Level 5 recertification systems enable organizations to answer those questions, adding an element of intelligence to the recertification process.

Implementing attestation and recertification

Identity Manager

How can you implement a modern attestation and recertification architecture that uses business roles to control permission assignments? Identity Manager is an identity management and user provisioning solution that is designed to manage the complete lifecycle of identities, not just the recertification tasks. Identity Manager includes an entire set of processes and technologies for maintaining and updating digital identities. Its identity lifecycle management capabilities include identity synchronization, provisioning, de-provisioning, and the ongoing management of user attributes, credentials and entitlements.

Attestation and recertification architecture

Identity Manager’s architecture consists of two major components:
• The attestation object, which is, in principle, an interactive report for attestors (see Figure 1). The design of this report is critical: notice that it displays all the relevant information needed by the attester while still providing a clear overview of the process.
• The attestation policy, which specifies who should perform attestations for each object, including how and under which conditions.
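The mechanics behind Levels 4 and 5 and the attestation policy described above can be shown in a few dozen lines. The following is an added example written for this page; it is not Identity Manager code and does not use its API. It models permissions as derived solely from business roles (so a move from Finance to Marketing revokes the old role's entitlements and grants the new role's), evaluates the vendor set-up/vendor payment separation-of-duties rule, and orders the attester's work list by risk. The role names, entitlement strings, risk weights and the rule that the department manager attests role affiliation are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Business roles -> technical entitlements (constructed sample data).
ROLES: Dict[str, Set[str]] = {
    "Finance Analyst":      {"fin.ledger.read", "fin.reports.read"},
    "Accounts Payable":     {"fin.vendor.pay", "fin.ledger.read"},
    "Procurement Officer":  {"fin.vendor.create"},
    "Marketing Specialist": {"mkt.docs.read", "mkt.campaigns.edit"},
}

# Criticality of each entitlement, 1 (low) to 10 (high); constructed weights.
RISK: Dict[str, int] = {
    "fin.vendor.pay": 9, "fin.vendor.create": 8, "fin.ledger.read": 5,
    "fin.reports.read": 4, "mkt.campaigns.edit": 3, "mkt.docs.read": 1,
}

# Separation-of-duties rules: no single user may hold both entitlements.
SOD_RULES: List[Tuple[str, str]] = [("fin.vendor.create", "fin.vendor.pay")]

# Attestation policy (constructed assumption): the department manager
# attests the affiliation of employees with roles, not single entitlements.
DEPARTMENT_MANAGER: Dict[str, str] = {
    "Finance": "fin-manager",
    "Marketing": "mkt-manager",
}


@dataclass
class User:
    name: str
    department: str
    roles: Set[str]


def effective_permissions(user: User) -> Set[str]:
    """Entitlements are derived only from roles, never assigned directly."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLES[role]
    return perms


def change_roles(user: User, new_roles: Set[str],
                 department: str) -> Tuple[Set[str], Set[str]]:
    """Move a user to new roles/department; return (revoked, granted)."""
    before = effective_permissions(user)
    user.roles = set(new_roles)
    user.department = department
    after = effective_permissions(user)
    return before - after, after - before


def sod_violations(user: User) -> List[Tuple[str, str]]:
    """Return every SoD rule whose two entitlements the user both holds."""
    perms = effective_permissions(user)
    return [rule for rule in SOD_RULES if rule[0] in perms and rule[1] in perms]


def risk_score(user: User) -> int:
    """Sum of entitlement weights, doubled when an SoD rule is violated."""
    base = sum(RISK.get(p, 0) for p in effective_permissions(user))
    return base * 2 if sod_violations(user) else base


def attestation_queue(users: List[User]) -> List[dict]:
    """One work item per user for the responsible attester, highest risk first."""
    items = [{
        "user": u.name,
        "attester": DEPARTMENT_MANAGER[u.department],
        "roles": sorted(u.roles),
        "risk": risk_score(u),
        "sod_violations": sod_violations(u),
    } for u in users]
    return sorted(items, key=lambda item: item["risk"], reverse=True)


if __name__ == "__main__":
    alice = User("alice", "Finance", {"Finance Analyst"})
    bob = User("bob", "Finance", {"Procurement Officer", "Accounts Payable"})
    revoked, granted = change_roles(alice, {"Marketing Specialist"}, "Marketing")
    print("alice revoked:", sorted(revoked), "granted:", sorted(granted))
    for item in attestation_queue([alice, bob]):
        print(item)
```

Running it shows the two points the text makes: the role change alone removes alice's financial read access and adds the marketing entitlements, and bob, who can both create and pay a vendor, surfaces at the top of the finance manager's queue with the SoD rule attached, so the attester sees the highest-risk affiliation first rather than an undifferentiated "Accept all" list.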
This architecture not only meets the highest levels of sophistication and provides the security required by many regulations throughout the world, but also enables the management of data more complex than permissions, such as:
• Objects such as processes, personal statuses, request and approval workflows, business roles, IT Shop articles, web front-end versions and compliance rules
• Triggers, which in addition to normal scheduling triggers can include user additions, changes, moves, deletions or disabling

Attestation and recertification dashboards

Dashboards are useful monitoring tools, helping organizations achieve effective status control, regardless of whether attestation and recertification are implemented as a continuing process or as single projects. A typical dashboard displays tables listing the state of multiple attestation processes in order to answer questions such as:
• How many objects have been attested or recertified?
• How are we doing compared to previous attestation or recertification processing?
• How do the various departments compare in their performance?

For example, Identity Manager’s attestation dashboard provides charts that enable you to see the status of attestation policies at a glance (see Figure 2).