The most common alternative to the terms “access certification” and “access review” is “attestation”. Attestation is an ongoing review and confirmation process that helps enterprises reduce risk by:
- Correlating users with their access to systems and applications
- Evaluating the risk associated with that access
- Reviewing access deemed as risky or inappropriate
In practice, the enterprise distributes lists of people, their accounts, and the entitlements of those accounts (collectively known as ‘access’) to different constituents (often line-of-business managers and application owners) for review. The participants in this process decide whether each item of access is appropriate, and thus should be retained, or inappropriate, and thus must be removed.
Access certification is a powerful process whose primary goal is the reduction of risk. This goal is accomplished in direct and indirect ways. Access certification directly reduces risk by addressing the threats associated with over-privileged accounts and with toxic combinations of entitlements (segregation-of-duties conflicts) hidden within excessive access; revoking inappropriate access removes those threats from the organization. Indirectly, access certification reduces risk by transferring some responsibility to the individual: participants in the process are charged with evaluating the risk associated with the access they review, and they are held accountable for their evaluations.
Deep Identity offers certification not only of users’ access but also of roles, both business and technical. While user access certification examines who has access to what, role attestation reviews the aggregation of entitlements that a role confers, independent of any particular user who holds it. Both forms of attestation have their own advantages and uses in an enterprise.
Deep Identity – Identity Audit and Compliance Manager (Deep IACM) facilitates user and role attestation with a three-phase attestation approach, offered as a best practice for enterprises accomplishing Identity Governance and Administration (IGA).
- Self-service Attestation – During the attestation campaign, snapshots of users’ access information are assembled and automatic notifications are sent to the user community requiring their action within the campaign period. Users self-attest, or declare, the access they have been granted, verifying and confirming whether they still require that access in each system and application. As part of this self-attestation, users can provide justifications and other information that make their managers’ subsequent review more focused and efficient.
- Attestation/Access Review by Group (Department/Manager) – In the second phase, department heads, group leaders and managers review the access of each user under their supervision. Information from the self-service attestation is provided to these reviewers so that they can make informed decisions, avoiding manual calls and clarifications with their employees during the review. In this way the managers remain accountable, while the responsibility and the information are shared between managers and the user community.
- Attestation/Access Review by Business or Endpoint System Owners – In some cases the final phase is a review by the business or target system owner, who attests all users of the application(s) they own. At this stage the owners have the complete information from the previous two phases, making decisions easier without disrupting day-to-day business.
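To make the three-phase workflow concrete, here is a small model of a certification campaign written for this page as an added example; it is not Deep IACM code and does not describe how the product is implemented. It assumes a constructed entitlement snapshot, a constructed set of segregation-of-duties (toxic combination) rules, a constructed owner-per-system table, and two rules that are assumptions rather than anything stated above: retaining an entitlement that carries a risk flag requires a written justification, and at campaign close any entitlement lacking a required decision, or with a revoke from any reviewer, is revoked (fail closed).

```python
"""Minimal access-certification campaign model (added example, not Deep IACM code).

Assumed data (constructed for this example): an entitlement snapshot, toxic
entitlement combinations per system, and a system-owner table.
Assumed rules (not from the page): flagged access needs a justification to be
retained; at close, a missing required decision or any revoke means revoke.
"""
from dataclasses import dataclass, field

# Constructed sample snapshot: who holds which entitlement on which system.
SNAPSHOT = [
    {"user": "alice", "manager": "carol", "system": "erp", "entitlement": "create_vendor"},
    {"user": "alice", "manager": "carol", "system": "erp", "entitlement": "approve_payment"},
    {"user": "bob",   "manager": "carol", "system": "erp", "entitlement": "approve_payment"},
    {"user": "bob",   "manager": "carol", "system": "hr",  "entitlement": "view_payroll"},
    {"user": "dave",  "manager": "erin",  "system": "hr",  "entitlement": "view_payroll"},
]

# Constructed segregation-of-duties rules: entitlement sets that are toxic together on one system.
TOXIC = {"erp": [{"create_vendor", "approve_payment"}]}

# Constructed owner mapping used by the optional third (system owner) phase.
SYSTEM_OWNERS = {"erp": "frank", "hr": "grace"}

STAGES = ("self", "manager", "owner")  # the three phases, in order


@dataclass
class ReviewItem:
    user: str
    manager: str
    system: str
    entitlement: str
    risk_flags: list = field(default_factory=list)
    decisions: dict = field(default_factory=dict)  # stage -> (reviewer, decision, justification)


def build_review_items(snapshot, toxic):
    """Correlate each user with their access and flag toxic combinations they hold."""
    held = {}
    for row in snapshot:
        held.setdefault((row["user"], row["system"]), set()).add(row["entitlement"])
    items = []
    for row in snapshot:
        item = ReviewItem(row["user"], row["manager"], row["system"], row["entitlement"])
        for combo in toxic.get(row["system"], []):
            # Flag this entitlement if it is part of a toxic set the user holds in full.
            if row["entitlement"] in combo and combo <= held[(row["user"], row["system"])]:
                item.risk_flags.append("sod:" + "+".join(sorted(combo)))
        items.append(item)
    return items


def expected_reviewer(item, stage):
    """Who is allowed to decide at each phase: the user, their manager, the system owner."""
    return {"self": item.user, "manager": item.manager, "owner": SYSTEM_OWNERS[item.system]}[stage]


def record(item, stage, reviewer, decision, justification=""):
    """Record one phase's decision; phases run in order and only the expected person may decide."""
    if stage not in STAGES or decision not in ("retain", "revoke"):
        raise ValueError("bad stage or decision")
    for earlier in STAGES[: STAGES.index(stage)]:
        if earlier not in item.decisions:
            raise ValueError(f"{earlier} phase not complete for {item.user}/{item.entitlement}")
    if reviewer != expected_reviewer(item, stage):
        raise PermissionError(f"{reviewer} may not act as {stage} reviewer for {item.user}")
    # Assumed rule: retaining flagged (risky) access requires a written justification.
    if decision == "retain" and item.risk_flags and not justification:
        raise ValueError("justification required to retain flagged access")
    item.decisions[stage] = (reviewer, decision, justification)


def close_campaign(items, required=("self", "manager")):
    """Final outcome per entitlement. Fail closed: any revoke, or a missing required phase, revokes."""
    outcome = {}
    for item in items:
        votes = [d[1] for d in item.decisions.values()]
        complete = all(stage in item.decisions for stage in required)
        key = (item.user, item.system, item.entitlement)
        outcome[key] = "retain" if complete and "revoke" not in votes else "revoke"
    return outcome


def run_demo():
    """Run a campaign over the constructed snapshot and return the close-out decisions."""
    items = build_review_items(SNAPSHOT, TOXIC)
    by_key = {(i.user, i.system, i.entitlement): i for i in items}
    # Phase 1: every user self-attests, keeping everything and giving a justification.
    for item in items:
        record(item, "self", item.user, "retain", "needed for my role")
    # Phase 2: carol breaks alice's toxic pair and revokes bob's stale payroll access;
    # erin never reviews dave, so dave's item is revoked at close.
    record(by_key[("alice", "erp", "approve_payment")], "manager", "carol", "revoke", "SoD conflict")
    record(by_key[("alice", "erp", "create_vendor")], "manager", "carol", "retain", "primary duty")
    record(by_key[("bob", "erp", "approve_payment")], "manager", "carol", "retain")
    record(by_key[("bob", "hr", "view_payroll")], "manager", "carol", "revoke", "moved teams")
    return close_campaign(items)


if __name__ == "__main__":
    for key, decision in run_demo().items():
        print(key, "->", decision)
```

The `record` function enforces the ordering the page describes (self-attestation before the manager review, the owner review last) and ties each phase to the person who is accountable for it, so a manager cannot self-attest on an employee's behalf and a user cannot approve their own access at the manager phase. The close-out rule is deliberately fail-closed: a reviewer who ignores the campaign does not silently keep risky access alive.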
Achieve better checks and internal controls through a smoother and more efficient attestation process.