Manual access recertification is tedious and ineffective. So…why do we still ask managers to do this?
A look into the manual recertification process and the lengths some companies will consider going to to ensure the process is done correctly.
I still remember the conversation – twice, I had to ask for clarification as I couldn’t believe what I heard.
It was a few years ago now, but I was at an Identity Governance conference and leaving a session on recertification challenges. I was chatting with a senior security executive from a large U.S. bank and he said, “My compliance team wanted us to install cameras in each manager’s office for this.”
Thinking he misspoke, I asked if he meant keystroke logging or screen capture software. He explained that no, he literally meant physical cameras in their offices.
So again, I assumed I still misunderstood and that this move must be for some other security reason involving money transactions.
He stopped, looked at me almost laughing and said, “No, I know this sounds crazy, but they literally wanted us to install cameras in each manager’s office so they could get a video record of the managers physically doing recertification. They said they needed to see whether or not the managers appeared to be paying attention and focused while doing recertifications. So looking for things like if they were on the phone, did they hesitate, etc.”
The conversation went on and we were soon discussing the futility of compliance teams requiring managers to do these recertifications, as they are routinely inaccurate. Most managers simply select all (if that is still an option in whatever software they use) and approve as quickly as possible.
Even if a manager takes the time to do a detailed review of each employee’s entitlements, it’s only accurate for that moment in time.
If an employee changes roles or does something to elevate their risk level even moments after the manager has completed the task, that recertification is now pointless and this may not be discovered until months later.
Of course, that assumes the manager doesn’t simply take the easiest route and select all for approval.
Rubber-stamp approvals like those described above are likely one of the reasons the National Institute of Standards and Technology (NIST) promotes the adoption of a Zero Trust architecture (ZTA).
In theory, under a Zero Trust approach employees are neither automatically granted entitlements nor allowed to retain them; instead, every access is challenged and approved (or denied) at the point of use, based on a predetermined policy that evaluates specified conditions.
This means access is not based on the latest recertification, but on the conditions and context of everything evaluated in that precise moment in time.
If the ultimate goal is risk reduction and securing sensitive information, then surely the Zero Trust approach, leveraging policy-driven authorization, provides the most accurate outcome.
So why then do so many compliance teams still force routine recertification tasks when their effectiveness has been debunked?
I have heard multiple security professionals pose this same question in one way or another over the last couple years.
When discussed in more depth, the answer is that there are several compliance regulations (SOX, ISO27001, HIPAA, PCI, GDPR) that still require access recertifications every month, quarter, year, etc. The lack of a consistent, internationally accepted standard for how this is done means enterprise compliance teams still complete it manually so they have a report to show an auditor when asked.
However, if it is commonly agreed that this is a waste of time, ineffective and inaccurate, is it now time to ask auditors to accept that an organization using policy-driven authorization based on attribute-based access control (ABAC) is compliant? These organizations can quickly and easily demonstrate policies and processes showing that a micro-recertification is done continually, at the moment of each access request, for every access request.
If an enterprise can show an auditor the decision tree of how every access request is treated, every time, based on current conditions, wouldn’t that be more valuable than a report done a month ago by a manager based on conditions that are no longer valid (even if we have that manager on film doing the approval)?
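To make the contrast concrete, here is an added illustration of the point-of-access model described above (example code written for this article, not code from the original post and not Axiomatics' own engine). It implements a tiny attribute-based policy decision point that re-evaluates a handful of rules on every request and records which rules matched, and compares its answer with a static entitlement list a manager approved on an earlier date. The user, resource, attribute names, rule set and dates are all constructed sample data; the deny-overrides combining behaviour is an assumption chosen for the example.

```python
"""Point-of-access (ABAC) authorization versus a static recertification list.

Hypothetical example: a small policy decision point whose rules are evaluated on
every request, compared with an entitlement list a manager approved at one point
in time. All users, resources, rules and dates below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class Request:
    """Attributes available at the moment of an access request (constructed)."""
    user: str
    department: str          # subject attribute: current department, e.g. from HR
    employment_status: str   # subject attribute: "active" or "terminated"
    risk_score: int          # subject attribute: e.g. from a risk/UEBA feed
    resource: str
    resource_dept: str       # resource attribute: owning department
    classification: str      # resource attribute: "internal" or "restricted"
    action: str
    managed_device: bool     # environment attribute: request from a managed device


# Each rule: (name, condition over the request, effect). Rules are re-evaluated on
# every request. Combining is deny-overrides (an assumption for this example):
# any matching Deny wins, otherwise any matching Permit, otherwise default Deny.
RULES = [
    ("deny-terminated", lambda r: r.employment_status != "active", "Deny"),
    ("deny-high-risk-restricted",
     lambda r: r.classification == "restricted" and r.risk_score >= 70, "Deny"),
    ("deny-unmanaged-device-restricted",
     lambda r: r.classification == "restricted" and not r.managed_device, "Deny"),
    ("permit-own-department-read",
     lambda r: r.action == "read" and r.department == r.resource_dept, "Permit"),
    ("permit-internal-read-any-dept",
     lambda r: r.action == "read" and r.classification == "internal", "Permit"),
]


def evaluate(req: Request) -> tuple[str, list[tuple[str, bool, str]]]:
    """Return (decision, trace). The trace lists every rule with whether it matched;
    this per-request record is what an auditor could inspect instead of a report."""
    trace = [(name, bool(cond(req)), effect) for name, cond, effect in RULES]
    effects = {effect for _, matched, effect in trace if matched}
    if "Deny" in effects:
        return "Deny", trace
    if "Permit" in effects:
        return "Permit", trace
    return "Deny", trace  # nothing applicable: default deny


# Static recertification list (constructed): what the manager approved, and when.
RECERTIFIED = {
    ("alice", "loan-ledger"): date(2024, 1, 15),  # approved while alice was in Lending
}


def static_check(user: str, resource: str) -> bool:
    """The recertification model: access is whatever was approved last time."""
    return (user, resource) in RECERTIFIED


def compare(req: Request) -> dict:
    """Both answers for the same request, side by side."""
    decision, trace = evaluate(req)
    return {
        "static_recert_allows": static_check(req.user, req.resource),
        "policy_decision": decision,
        "matched_rules": [name for name, matched, _ in trace if matched],
    }


def sample_requests() -> dict[str, Request]:
    """Constructed scenario: the same user on the recertification day, after a
    department transfer, and after a risk-score spike. The static list never changes."""
    base = dict(resource="loan-ledger", resource_dept="Lending",
                classification="restricted", action="read", managed_device=True)
    return {
        "day_of_recert": Request(user="alice", department="Lending",
                                 employment_status="active", risk_score=10, **base),
        "after_transfer": Request(user="alice", department="Marketing",
                                  employment_status="active", risk_score=10, **base),
        "after_risk_spike": Request(user="alice", department="Lending",
                                    employment_status="active", risk_score=85, **base),
    }


if __name__ == "__main__":
    for label, req in sample_requests().items():
        print(label, compare(req))
```

Running it shows the static list answering "allowed" in all three cases, while the policy permits only on the day of recertification and denies after the transfer (no rule applies any more) and after the risk spike (a Deny rule now matches). The `matched_rules` list in each result is the per-request evidence trail the text refers to as a decision tree.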
I’m not saying recertifications shouldn’t be done anymore.
What I am saying is we should move to the model that achieves an accurate and current result, and does so continuously – every time at the point of access. Because if the idea behind recertification was to lower risk and increase security, then let’s actually do that, and do so without wasting time (or buying a bunch of security cameras).
The bottom line
To learn more about how Axiomatics can automate and remove challenges related to the recertification process, read our solution brief. It explains how we can implement a process where access decisions are made based on the policies, conditions and context of the moment in time of each request, instead of a months old static approval that doesn’t account for changing conditions.
P.S. That bank security executive went on to explain that they never got the cameras as thankfully the legal team pointed out this would violate the privacy of the managers in question.