Let's assume you are responsible for security in your organization and one day a highly recommended magician comes over. He proposes that he can magically make your company secure and sort out all accounts and entitlements so that everybody suddenly has only what they need. Sounds nice, doesn't it? And he offers to do all that for free. Would you go for it? Let's say you would.
What next? Is your job done? For now, yes, but what is going to happen during the next year? New people are going to be hired, some are going to change positions, you will have new applications, and possibly the responsibilities of some positions will change. This means that a year from now accounts and entitlements are going to be messy again. What do you do then, call the magician?
The point is that identity management is not about getting accounts and entitlements assigned correctly once; it's about creating a process that keeps them correct in the long run.
This is where we need certification. Identity certification is not exceptionally innovative: it is a process where someone responsible checks, on a regular basis, whether the least privilege principle still holds true for your organization. Certification comes in various forms and there are many reasons why it should be considered.
The major reason is of course to keep the entitlements of your employees correct at all times. But as I described in the previous post, roles are supposed to do that, right? Well, almost. I have never seen a company where all accounts can be assigned purely based on defined roles. There's always a margin, bigger or smaller, where accounts and entitlements must be assigned based on individual requests and approvals. Now what happens when a person with such privileges moves to another position? She will get new roles and lose the old ones, so some of the entitlements will be taken care of. But what about all that was assigned based on requests? Changing roles will not affect these. These entitlements will stay, and the only way to address that is to run a certification. All of the above is based on the assumption that roles are kept up to date. What if they aren't (and very often they change and adapt more slowly than the surrounding environment)? This only increases the need for a well orchestrated certification process.
It's important to understand that there are a few types of certification, based on the goal we are trying to achieve. It's best to distinguish them based on what is being certified and who is responsible for it. There are three major types of certification: resource owner, manager and role certification.
The information owner (also known as the resource owner) is responsible for managing access to "his" information, hence he needs a tool to perform that job. Resource owner certification allows the owner, on a regular basis, to validate who has access to what they are responsible for, so they can check whether such access is still required for each employee. A similar situation applies to the manager. She is responsible for her employees, hence she needs a tool to validate whether their current access is justified. Going back to the example above, when a new person joins a manager's team, the manager should perform certification for just that new person to see if the current entitlements match the requirements of the position; in risk terms, whether the team's risk exposure has not been unnecessarily extended. During a manager's certification accounts, entitlements and roles should all be validated. One could say that if you check the roles and then only the entitlements outside the roles, the access has been validated. True, but if we check all the entitlements, even those granted through roles, and revoke some of them, we get an extra benefit. The next time someone runs a role mining process to validate the current status, he will notice that the role has possibly changed, since a lot of managers removed an entitlement that was part of the role but is no longer needed. This can be an additional control in place to mitigate the risk of a role not matching the business environment (and from what I've seen this is one reason that can make the identity system ignored by the business and lead to project failure).
Role certification is there to make sure the roles stay correct. This type of certification should be run by role owners and its aim is to validate whether the entitlements and accounts that are part of the role should still be there. Together with role consolidation and regular role mining, role certification is part of the process that guarantees that roles match the business environment.
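An added Python example (not from the original post) of the manager certification described above: every entitlement a person holds is listed with its origin (role or individual request), the campaign can be narrowed to a newcomer, and the managers' revoke decisions are fed back to flag roles that have drifted from the business. Users, roles, entitlement names and the drift threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the post): role definitions and users.
ROLES = {
    "finance-analyst": {"erp.read", "reporting.view"},
    "finance-manager": {"erp.read", "erp.approve", "reporting.view"},
}

# Per user: assigned roles plus entitlements granted on individual request.
USERS = {
    "alice": {"roles": {"finance-analyst"}, "direct": {"hr.payroll.read"}},
    "bob":   {"roles": {"finance-analyst"}, "direct": set()},
    "carol": {"roles": {"finance-manager"}, "direct": {"erp.admin"}},
}

def build_campaign(users, roles, only_users=None):
    """Return review items (user, entitlement, origin). Every entitlement the
    user actually holds is listed, including role-derived ones, so the manager
    certifies real access and not just the role label. only_users restricts
    the campaign, e.g. to a single newcomer who just joined the team."""
    items = []
    for user, rec in users.items():
        if only_users is not None and user not in only_users:
            continue
        via_role = defaultdict(set)
        for r in rec["roles"]:
            for ent in roles[r]:
                via_role[ent].add(r)
        for ent in sorted(via_role):
            items.append((user, ent, "role:" + ",".join(sorted(via_role[ent]))))
        for ent in sorted(rec["direct"]):
            items.append((user, ent, "direct-request"))
    return items

def role_drift(users, roles, decisions, threshold=0.5):
    """decisions maps (user, entitlement) to "keep" or "revoke". For each role
    and each entitlement it grants, compute the share of role holders whose
    manager revoked it; shares at or above the (assumed) threshold suggest the
    role no longer matches the business and needs role certification."""
    flagged = {}
    for r, ents in roles.items():
        holders = [u for u, rec in users.items() if r in rec["roles"]]
        if not holders:
            continue
        for ent in sorted(ents):
            revoked = sum(1 for u in holders if decisions.get((u, ent)) == "revoke")
            share = revoked / len(holders)
            if share >= threshold:
                flagged.setdefault(r, {})[ent] = share
    return flagged
```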
One question remains. Is my organization ready for certification? You can clearly see that this is a necessary process, but it is additional work for managers and resource owners. Will they understand and agree to undertake the extra load? To help with that, there are a few elements of certification that must be in place.
First of all, certification must use business friendly language: business entitlement descriptions that the people performing certification understand. If you have done your homework you should already have all the names and descriptions in place, as described in the first part of my series.
Another element is the content. Should ALL entitlements and roles be certified every time? Of course not. There are ones that are important and valuable and there are ones that relate to low value information. Again, if we have approached the identity governance process in the correct way we should already have all the entitlements and roles categorized based on risk. We can use that here. On one side, certification design can be based on resource risk level: run the high risk entitlement certification more often than the low risk one. On the other hand, if we use simple color coded identifiers we can provide simple visual indicators for business people to let them know what to focus on. Send the following instructions, for example: "Please perform certification, focus on the red items as these are critical and the livelihood of our organization depends on them, amber ones are also important and the green ones are to be done if time allows". Between the lines you send a message: this is an important process that must be done, but we value your time, so we tell you what to focus on and how to use the time in the best way.
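Risk-tiered scheduling of the kind described above, as an added Python example that is not part of the original post: each entitlement carries a business description and a risk tier, high risk items come up for review more often, and the resulting list is ordered red, amber, green for the reviewer. The review intervals per tier and the entitlement catalogue are constructed assumptions.

```python
from datetime import date

# Assumed review intervals per risk tier; the post only says high-risk
# items are certified more often than low-risk ones.
TIER = {
    "high":   {"color": "red",   "every_days": 90},
    "medium": {"color": "amber", "every_days": 180},
    "low":    {"color": "green", "every_days": 365},
}

# Constructed catalogue: entitlement -> (business description, risk tier).
CATALOG = {
    "erp.approve":     ("Approve purchase orders in ERP", "high"),
    "hr.payroll.read": ("View payroll data", "high"),
    "reporting.view":  ("View monthly sales dashboards", "medium"),
    "wiki.read":       ("Read internal wiki", "low"),
}

def due_items(holdings, catalog, last_certified, today):
    """holdings: set of (user, entitlement); last_certified: {(user, ent): date}.
    Returns the items due for certification, highest risk first, each with the
    business description and colour the reviewer will see. An item that was
    never certified is always due."""
    order = {"red": 0, "amber": 1, "green": 2}
    out = []
    for user, ent in holdings:
        desc, tier = catalog[ent]
        t = TIER[tier]
        last = last_certified.get((user, ent))
        if last is None or (today - last).days >= t["every_days"]:
            out.append({"user": user, "entitlement": ent,
                        "description": desc, "color": t["color"]})
    out.sort(key=lambda i: (order[i["color"]], i["user"], i["entitlement"]))
    return out
```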
Finally, there is one more case where certification might be extremely valuable: during an identity project. When you are at the stage where you need to design the roles, you might be tempted to use existing accounts and entitlements to come up with role propositions. But when you start an identity management project your entitlements are most likely in chaos, and from messy entitlements you will get useless roles. To fix that, you could run a first major certification to clean up the data and only then do role mining, and get much better results to start with.
So, don't hire a magician ;-) Design and implement a certification process that will keep order for years to come.