
The demands of regulatory compliance are driving corporate IT and security managers to improve their process for governing user access. What the most knowledgeable among them worry about most of all, however, is not just regulatory compliance but the entire array of serious problems that can result from their inability to see who has access to which information resources, to manage access change as user job responsibilities change, to maintain audit trails, and to ensure that all users have access that is appropriate for their job function – no more, no less.
Without a comprehensive, automated policy-based approach for governing access, it is virtually impossible to address the entire spectrum of access-related risks before they lead to compliance violations, costly incidents, or malicious events.
The process by which access entitlements and roles are authorized, reviewed, certified, and periodically recertified is critical to an organization’s ability to meet compliance standards and to protect itself against access-related business risks. But establishing a genuinely sustainable access certification process has proven to be difficult for many large enterprises. Many organizations have implemented a variety of access security enforcement technologies that provide a degree of protection, but which tend to operate in silos, specifically at the application account level. Fragmentation creates a complexity problem for IT security organizations, preventing them from obtaining a unified view of user access across all information resources and all entitlements to those information resources. It becomes nearly impossible to enforce business and compliance access policies in a consistent fashion or to understand where compliance violations or business risk may occur.
Many enterprises are still trying to manage access certification with resource-intensive, spreadsheet-based systems that are costly and error-prone. With such systems in place, IT security teams are hard-pressed to keep up with the pace of change to user access as employees and contractors transfer between departments or leave the company, or even to state exactly what access privileges any given user holds.
Homegrown systems are typically difficult to audit, and often do not provide adequate evidence of compliance. Business managers may be asked to certify user access rights without a clear understanding of current entitlements, because the information they receive provides no context for determining whether those entitlements are appropriate for the associated business roles or job functions. Internal auditing and compliance teams struggle to make sure that the complex web of regulatory requirements and company policies relating to user access is adhered to.
The result is often an unnecessarily high cost of compliance and an increased risk of compliance violations, security breaches, and operational errors that can have serious consequences for an organization.
Making sure that users have access to all the information resources they need to do their jobs is, of course, critical to any enterprise. It is just as important to ensure that no user has any access entitlements that are unnecessary or in violation of regulatory requirements or company policies. All of this requires a continuous process in which every entitlement is properly authorized, certified, and regularly recertified. Compliance is not a one-time event.
More than compliance at stake
Publicly held companies are subject to many types of regulations, including Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Basel II Accord, the Health Insurance Portability and Accountability Act (HIPAA), the USA PATRIOT Act, the Payment Card Industry Data Security Standard (PCI DSS), California SB 1386, and the equivalent breach-disclosure laws of other states.
Regulatory bodies and external audit firms are well aware of the frequency with which large enterprises still fail to maintain the necessary access control procedures, which is why access control is so often a focal point of their audits.
Fines and other penalties for compliance failure are not the entire sum of an organization’s risk exposure when user access controls are inadequate. The immediate financial impact of fraud or a malicious act of “information vandalism” can be enormous, and the damage to an organization’s public image can be crippling. Even in a secure and compliant environment, it is still possible to issue inappropriate access entitlements that lead to mistakes, lost data, or service interruptions without actually violating any particular regulation. Regulatory compliance, while prescriptive about the controls it covers, is not comprehensive enough to ensure that all access-related risks are being properly controlled. Passing a regulatory audit or being in compliance with a regulation simply isn’t good enough.
Creating a sustainable access certification process
Creating an automated access control process in which access entitlements are properly authorized, reviewed, certified, and periodically recertified is an achievable goal. A sustainable process – one that takes hold, works, and is maintained – requires five key capabilities.
1. Establishing full visibility of user entitlements and roles
This has been virtually impossible in large organizations, where the number of applications runs into the thousands, user populations can run into the tens of thousands, and the number of individual access entitlements can run into the billions. To further complicate matters, user access information is typically fragmented and siloed in many repositories and applications throughout the enterprise. Trying to manage access change manually across this type of landscape is enormously complex.
Fortunately, technology is now available that can provide a “snapshot” of all user entitlements throughout a large enterprise at any point in time by collecting access-related data from all user directories/repositories or applications, aggregating it to get a composite view of a user’s access across the entire enterprise, and then normalizing it into reports that IT personnel, business managers, and auditors can easily understand and use to make better decisions on access.
2. Automating authorization and access certification
Having made this information available to the business managers in an easily understood format, it is then necessary to provide a simple, automated way for those managers to certify (or decertify) existing roles and their corresponding entitlements or to authorize new ones. It is critical to simplify and automate this process in order to ensure the business managers’ cooperation and to ensure accuracy.
3. Providing a business-centric view of user entitlements and roles
User entitlement data is typically recorded in cryptic security syntax that lacks business context and is meaningless to non-technical managers. Because of this, many business managers are just rubber-stamping access certification and recertification reports. Technology is now available that can help provide business-centric descriptions of entitlements to ensure that managers understand exactly what they are certifying and make a determination as to whether the entitlement is appropriate for a person’s business role. Putting access certification data in business-friendly terms will strengthen the control environment, improve accountability, and enable governance to be achieved.
4. Maintaining a system of record for evidence of compliance
Many homegrown access request systems are efficient for creating access but aren’t designed with governance or compliance in mind. A properly automated system can make it relatively easy for auditing and compliance personnel to input current regulatory requirements and internal policies and ensure that violations are prevented. In effect, this gets the regulations and policies out of the three-ring binder and into the daily operating practice of the organization. Additionally, external auditors have a centralized system of record that houses all the information necessary to attest to the effectiveness of controls governing access which will, in turn, further reduce the cost of compliance.
5. Automating change management and entitlement remediation
Access certification in any large enterprise is a perishable commodity. New hires, transfers, promotions, reassignments, terminations, mergers, acquisitions, and new regulations are just some of the changes that require continual attention. In an automated access governance system, change requests can be tracked to completion. In addition to establishing policies and procedures to ensure that each of these kinds of events triggers appropriate action within the access certification system (for example, requiring that employees who leave the company have all of their access entitlements removed immediately), it is necessary to create a process for conducting regular, periodic recertification of all access entitlements. When this process is automated, it can be both accurate and relatively easy for all involved. Efforts can also be focused on the riskiest categories of information resources, business roles, and their entitlements, since Sarbanes-Oxley guidance has shifted to allowing organizations to use materiality-based risk scoping to determine controls.
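The five capabilities above describe a pipeline: collect entitlements from siloed systems, normalize them into one composite view per user, translate them into business terms, and then flag the items a certification campaign must surface (leavers who still hold access, out-of-role entitlements, segregation-of-duties conflicts). The following is an added illustration of that pipeline in Python; it is not Aveksa's code or the page's own. Every user, system, export format, role baseline, SoD rule and HR record in it is constructed for the example, and the three "silo" formats (an AD group export, a SAP role list, and database GRANT statements) are simplified stand-ins for what real connectors would return.

```python
"""Added example (not Aveksa code): aggregate entitlement exports from several
silos, normalize them, join them with the HR feed, and flag what an access
certification should surface. All users, systems, rules and data are constructed."""
from collections import defaultdict

# Constructed HR feed: the authoritative source for status, role and manager.
HR = {
    "u1001": {"role": "AP Clerk", "manager": "m20", "status": "active"},
    "u1002": {"role": "AP Clerk", "manager": "m20", "status": "active"},
    "u1003": {"role": "DBA",      "manager": "m21", "status": "terminated"},
}

# Constructed raw exports, each in its own system-specific syntax (the "silos").
AD_GROUPS = ("u1001:CN=FIN-AP-INVOICE-ENTRY,OU=Groups,DC=corp\n"
             "u1002:CN=FIN-AP-INVOICE-ENTRY,OU=Groups,DC=corp\n"
             "u1002:CN=FIN-AP-PAY-APPROVE,OU=Groups,DC=corp")
SAP_ROLES = [("u1001", "Z_AP_CLERK"), ("u1003", "Z_BASIS_ADMIN")]
DB_GRANTS = "GRANT DBA TO u1003\nGRANT SELECT ON gl.ledger TO u1002"

# Business-friendly descriptions that replace the raw syntax for reviewers.
DESCRIPTIONS = {
    ("AD", "FIN-AP-INVOICE-ENTRY"): "Enter vendor invoices",
    ("AD", "FIN-AP-PAY-APPROVE"): "Approve vendor payments",
    ("SAP", "Z_AP_CLERK"): "Accounts payable clerk transactions",
    ("SAP", "Z_BASIS_ADMIN"): "SAP system administration",
    ("DB", "DBA"): "Full database administration",
    ("DB", "SELECT ON gl.ledger"): "Read the general ledger",
}

# Entitlements each business role is expected to hold; anything else is out-of-role.
ROLE_BASELINE = {
    "AP Clerk": {("AD", "FIN-AP-INVOICE-ENTRY"), ("SAP", "Z_AP_CLERK")},
    "DBA": {("DB", "DBA"), ("SAP", "Z_BASIS_ADMIN")},
}

# Segregation-of-duties rule: nobody may both enter invoices and approve payments.
SOD_RULES = [(("AD", "FIN-AP-INVOICE-ENTRY"), ("AD", "FIN-AP-PAY-APPROVE"))]


def collect():
    """Parse each silo's export into a composite view: user -> {(system, entitlement)}."""
    view = defaultdict(set)
    for line in AD_GROUPS.splitlines():
        user, dn = line.split(":", 1)
        group = dn.split(",")[0].split("=", 1)[1]   # "CN=NAME,..." -> "NAME"
        view[user].add(("AD", group))
    for user, role in SAP_ROLES:
        view[user].add(("SAP", role))
    for line in DB_GRANTS.splitlines():
        priv, user = line[len("GRANT "):].rsplit(" TO ", 1)
        view[user].add(("DB", priv))
    return dict(view)


def analyze(view):
    """Return the three finding types a certification campaign should surface."""
    findings = {"orphaned": [], "out_of_role": [], "sod": []}
    for user, ents in view.items():
        rec = HR.get(user)
        if rec is None or rec["status"] != "active":
            # Leaver (or account unknown to HR) still holding access: revoke, do not certify.
            findings["orphaned"].extend((user, s, e) for s, e in sorted(ents))
            continue
        for s, e in sorted(ents - ROLE_BASELINE.get(rec["role"], set())):
            findings["out_of_role"].append((user, s, e))
        for a, b in SOD_RULES:
            if a in ents and b in ents:
                findings["sod"].append((user, a, b))
    return findings


def certification_items(view, manager):
    """Items one manager must certify, in business terms, with risk flags attached."""
    f = analyze(view)
    items = []
    for user, ents in sorted(view.items()):
        rec = HR.get(user)
        # Leavers go to the revocation queue, not to a manager's review.
        if rec is None or rec["manager"] != manager or rec["status"] != "active":
            continue
        for s, e in sorted(ents):
            flags = []
            if (user, s, e) in f["out_of_role"]:
                flags.append("OUT-OF-ROLE")
            if any(user == u and (s, e) in (a, b) for u, a, b in f["sod"]):
                flags.append("SOD-CONFLICT")
            items.append((user, DESCRIPTIONS.get((s, e), f"{s}:{e}"), flags))
    return items


if __name__ == "__main__":
    v = collect()
    for kind, rows in analyze(v).items():
        print(kind, rows)
    for item in certification_items(v, "m20"):
        print(item)
```

Two design points are worth noting. The HR feed, not any application, decides whether an account belongs to an active person; that is what lets the terminated DBA's live grants be routed to revocation rather than to a reviewer who might rubber-stamp them. And each item handed to a manager carries the reason it needs attention, so the reviewer sees "Approve vendor payments: OUT-OF-ROLE, SOD-CONFLICT" rather than a bare group DN.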
How it works in practice
One of the largest investor-owned health benefits organizations in the US is an Aveksa customer. Its IT network has 28,000 users with approximately 200,000 user IDs and millions of entitlements. The organization has also been recognized as a leader in IT security strategy.
The company must comply with a variety of regulatory mandates including HIPAA and SOX. But its concerns about access-related risk management go well beyond compliance issues: the organization’s customers rely on it to protect the confidentiality of their personal data. Safeguarding that information and maintaining the trust of its customers is a mission-critical responsibility for the enterprise.
The company had made progress toward improving its access control procedures by deploying a role-based access control system, but it realized that more automation was needed to ensure that all user access was limited to what each user actually needed to perform his or her job and that any segregation-of-duties violations were identified and eliminated.
Access governance procedures were, at first, largely manual and spreadsheet-based. As the company grew, the organization’s IT Security team realized that these manual systems could not scale up. IT Security also recognized that many of the access requests being received were out-of-role requests, which added still more to the burden of maintaining the system.
Much of that burden fell on business managers throughout the organization who are responsible for maintaining role definitions and assignments and for access certification. The company’s IT Security team determined that it needed a reliable and repeatable workflow tool that would be simple and business-friendly enough to be sustainable.
The capabilities that attracted the enterprise to Aveksa access governance technology included:
1. An application that could retrieve user access information from all of the organization’s applications, normalize it, and then provide business users with meaningful information for conducting access certification reviews
2. Comprehensive role life cycle management that includes: role discovery, design, engineering, and automated change management and maintenance
3. An easy-to-learn user interface that would encourage adoption
4. A flexible reporting system that would satisfy all relevant regulatory and auditing requirements and provide a system of record for access compliance across the organization
5. Scalability for handling high volumes in a complex environment
6. Deployment efficiency
The company has since deployed Aveksa Compliance Manager and Aveksa Role Manager. Through the Aveksa solutions, the organization’s IT Security team now has:
• The ability to understand who has access across all information resources and entitlements, how they got it, and who authorized it
• An automated approach for review and certification of all employees', contractors', and consultants' access to privileged information, either by a supervisor or an application owner
• Confirmation that privileges have been granted or revoked as directed by the system
• Proactive role management through an automated, sustainable system
With the Aveksa solutions in place, the company has automated access governance across the organization: entitlement reviews are presented in terms business managers understand, managers certify user access to information systems on that basis, and the results serve as evidence of compliance.
Going beyond the checkbox
As noted earlier, compliance with regulatory requirements does not guarantee adequate access control. True enterprise access governance requires a broader vision of the organization’s vulnerabilities and the right approach to automating key tasks. Experience has shown that internally developed systems tend to fall short of the mark while consuming valuable resources better suited to addressing the organization’s core business objectives. Meanwhile, the stakes involved in the event of a serious data breach continue to rise.
More and more large enterprises are finding that the best solution is to work with an outside firm specializing in access governance that can provide both the technology and the implementation expertise to ensure success. The key is to go beyond the checkbox, to understand the broader perspective of access-related business risk, and to deploy a system that both protects the company’s brand and unique IP and enables the business to leverage good security governance as a competitive advantage in the marketplace.