Introduction:
Access certification is the process of certifying employee, contractor and
vendor access to applications, and it is often mandated by industry regulations
and standards such as SOX, NIST, FDA 21, GDPR and PCI-DSS. User access
certifications require approvers, ranging from application owners to reporting
managers, to review and then approve or revoke the access and privileges of each
user or identity. Access certifications help organizations navigate the
ever-evolving threat landscape by removing orphaned accounts. Until recently,
SMB organizations could either perform access certifications manually or buy
the enterprise-level products listed on the Gartner Magic Quadrant for Identity
Governance and Administration (IGA). The problem with manual access
certification is that it is prone to errors such as "rubber stamping", where a
reviewer approves everything without actually examining it. Enterprise
products, on the other hand, are expensive and come with long implementation
cycles. As it turns out, Moore's Law, historically a statement about hardware,
is now driving innovation in software as well. Emerging technologies such as
containers and AI/ML are driving innovation in the Identity Governance and
Administration space, and new vendors are emerging with lightweight, cloud-ready
products that can automate access certifications effectively without breaking
the bank. The focus of this article is to present a roadmap that SMBs can use
on their automation journey.
Understand Current State:
It is hard to develop a roadmap for access certifications without
understanding existing capability. People and process play a big role in the
current state. Understand the current policies and procedures for certifying
employees, contractors and vendors. Review the previous year's audit findings
to develop an understanding of the risks. Understand the onboarding and
offboarding requirements for joiners, movers and leavers. Knowing the workflow
gaps at this stage is critical as well, since they will drive the RFP process.
Define Future State:
This encompasses designing the user access certification process of the
future. If the company expects to grow by way of acquisitions, the future-state
IGA should provide a robust, centralized access request and approval
capability. Risk factors for data breaches, as well as compliance requirements
for protecting data, should be considered. One must also understand the
security and compliance controls involved (e.g., segregation of duties,
unauthorized access permissions). The team must validate the future state with
the designated stakeholders. By going through a checklist of questions with the
stakeholders, a picture of the future state will emerge that accommodates the
complexities of the computing environment across the enterprise.
Conduct Proof of Concept (POC):
Once a company has a clear understanding of its future state and goals, it is
time for a Proof of Concept (POC). The ultimate objective of the POC is to
mitigate the risk of a purchase by ensuring that the product has all the
features needed for the future state. As a best practice, non-functional
considerations such as connectors should generally be set aside during the
POC. The focus should be on trying out the access certification workflow.
Implementing access certification/IGA software requires an incremental approach. Cutting the scope into manageable stages increases the chances of success. SecurEnds, with its proprietary rapid deployment approach, allows access certifications on high-risk applications and databases using CSV file upload while connectors are being built. This is now a leading practice for accelerated value delivery. It is also important to ensure that the vendor team engaged in the POC is the one that actually does the implementation. IGA implementations fail when the software vendor hands customers off to third-party implementers who lack sufficient product knowledge.
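To make the CSV-driven certification described above concrete, here is an added example (not code from the original post or from SecurEnds) that takes a constructed HR roster and a constructed application entitlement export, flags orphaned accounts, leavers whose access survived offboarding, and a hypothetical segregation-of-duties conflict, and routes each review item to a reporting manager or application owner. The file formats, role names and the SoD rule are assumptions for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample data (not from the original post): an HR roster and an
# application entitlement export in the kind of CSV a reviewer would upload.
HR_CSV = """employee_id,name,manager,status
E100,Alice Ng,E001,active
E101,Bob Ray,E001,terminated
E102,Cara Lu,E002,active
"""
APP_CSV = """application,account,employee_id,role
ERP,alice.ng,E100,AP_INVOICE_ENTRY
ERP,alice.ng,E100,AP_PAYMENT_APPROVE
ERP,bob.ray,E101,GL_READ
ERP,svc_batch,,GL_ADMIN
CRM,cara.lu,E102,SALES_READ
"""
# Hypothetical segregation-of-duties rule: nobody both enters and approves payments.
SOD_CONFLICTS = [("AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE")]

def build_campaign(hr_csv=HR_CSV, app_csv=APP_CSV):
    """Turn the two exports into review items, each routed to a reviewer."""
    hr = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    held = defaultdict(set)   # (application, employee_id) -> roles held
    items = []
    for row in csv.DictReader(io.StringIO(app_csv)):
        emp = hr.get(row["employee_id"])
        if emp is None:                  # no HR owner: orphaned account
            flag, reviewer = "orphaned", "application-owner"
        elif emp["status"] != "active":  # leaver whose access survived offboarding
            flag, reviewer = "leaver", emp["manager"]
        else:                            # routine review by the reporting manager
            flag, reviewer = "review", emp["manager"]
        held[(row["application"], row["employee_id"])].add(row["role"])
        items.append({"application": row["application"], "account": row["account"],
                      "role": row["role"], "flag": flag, "reviewer": reviewer})
    # Second pass: toxic role combinations held by one person in one application.
    for (app, emp_id), roles in held.items():
        for a, b in SOD_CONFLICTS:
            if a in roles and b in roles:
                items.append({"application": app, "account": emp_id, "role": f"{a}+{b}",
                              "flag": "sod-conflict", "reviewer": "application-owner"})
    return items

def summarize(items):
    # Items per flag, so the campaign owner can see where the risk sits.
    return dict(Counter(i["flag"] for i in items))
```

Running `build_campaign()` on the sample data yields three routine items, one leaver, one orphaned service account and one SoD conflict; the flagged items are the ones a manual "rubber stamp" review tends to miss.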
For more information, see the following link:
https://securends.com/access-certification-roadmap-for-small-and-medium-sized-business/