Inventory of identities: How to certify access rights

Access certification describes the independent review of access rights by an auditor. The auditor examines whether the rights granted to users are really necessary.

A thorough process for certifying user access ensures that each employee’s digital identity only has the authorizations required to perform their tasks. This also ensures the security of internal data.

As the workforce grows and expands, access requirements can change in the blink of an eye. Companies must be careful not to hastily grant their employees, external contractors, auditors or seasonal workers too many access rights to perform their tasks that are not necessary.

To avoid serious security risks and missed audits, every company should carry out regular access certifications. This article clarifies which areas of the company should be prioritized and what advantages access certifications can offer IT security managers.

Important areas for access control

A list of active access permissions and a plan to remove permissions that are no longer needed are at the heart of a successful IGA (Identity Governance and Administration) program.

There are a large number of variables that determine which access rights and authorizations should be granted:

1. Business resources

Different people need access to different types of applications, be it infrastructure such as Azure or AWS, databases, communication applications such as Teams and Slack, CRMs such as Salesforce or ITSM tools such as ServiceNow.

It is also important to bear this in mind: Certain applications are only required for certain groups of the workforce, while some of them are needed by everyone. An example of such a common denominator: Most likely, all employees in an organization need access to an email system.

2. Places of work

Depending on where employees work, they may need access to different things, such as physical locations like offices. They may also need to log in via different VPN locations, geographical subsets of applications or specific customer data in order to comply with local data protection laws such as the General Data Protection Regulation (GDPR).

3. Function or status of the workplace

The workplace function is usually linked to the role in the company. A person working on an assembly line, for example, has access to production-related systems, while a back-office employee has completely different authorizations for the company’s financial and accounting applications.

Another variable could be the type of employment relationship: full-time employees should be given different access rights than temporary workers and have access to resources such as company benefits. It is always important to identify roles and contexts as a critical component for the ongoing management and regulation of access rights.

These variables, which are often context-dependent, can also be granted on the basis of events: either regularly occurring and planned or those that occur at short notice. Examples include:

• Audits: When an audit is due, companies need to be able to prove that only certain people have access to certain systems. They may also need to assign additional people with access to databases and various applications to collect the data needed for a particular audit.

• Peak season: The retail sector in particular often experiences peak season around the holidays. However, this occurs at different times in different industries and can coincide with the hiring of additional staff for short-term support, leading to an increase in the number of temporary workers. During these times, IT teams have their hands full as employees are assigned high priority access to certain resources. It is then all the more important to withdraw this access when the season is over.

Advantages of regular certification of access management

With regular certification of access management, organizations can verify that the right people still have access to the right resources to do their jobs – while identifying inactive and suspended accounts.

It is essential to validate the correct access assignment for the various business roles in order to minimize security and compliance risks in the company.

Campaigns for access certification

Companies need the option of continuous certification. This is the only way to manage access rights securely and ensure that they are still required.

When creating certification campaigns, organizations should strive for the following:

• Collect data on who accesses what, when, why, how often, etc.
• Set up surveys that are quick to answer for business users and quick to set up for administrators
• Collect detailed data to make smarter business decisions
• Interpretation of results in a way that is easy for security and risk management teams to implement, so that the least privilege is maintained
• Proof of conformity to inspectors
• Automation of processes that were previously carried out manually

Access certification campaigns are a way for organizations to review permissions and formally confirm that individuals’ access rights are appropriate. Conceptually, these campaigns aim to remove access that is no longer needed or to permanently approve access to resources that were previously granted on an ad hoc basis.

Those who take certification campaigns seriously and carry them out regularly not only ensure compliance and adherence to legal regulations, but also protect valuable customer and company data. Even if, in the worst-case scenario, cyber criminals obtain and corrupt login data, their paths are cut off at an early stage by assigning the least possible access rights beforehand.