Solving the headache around recertification

Recertification, also known as access review or attestation, is primarily based on a role-based access control (RBAC) approach and is commonly tied into an Identity Governance and Administration (IGA) solution.
Recertification can be a lengthy process, and depending on the industry, the process could be done on a monthly or quarterly basis.
As recertification is an RBAC approach, it depends on managers, application owners and department heads going into a governance solution portal. There they have to ‘attest’ or ‘recertify’ that the employees who currently hold an entitlement should indeed still retain it.
This process can leave room for human error and is only capturing a moment in time.
Why is recertification a concern?
For compliance professionals or IT, the term recertification will most likely swirl around thoughts of the amount of cost, time, and lack of resources that go into the recertification process.
According to Vanta, the process can take many days and over $10,000 in labor costs. Most startup companies don’t have dedicated security personnel so this means the review might be done by a founder or engineer, taking them away from more strategic work.
The traditional recertification process can be siloed: some access lives in spreadsheets, some applications are connected to an IGA solution and others are managed separately, each by different people.
This makes recertification very time consuming, as all of that data has to be consolidated before anyone has a complete view of who holds what.
Timing is everything
Another key concern around recertification is that it is static and only addresses a moment in time when it is done.
This means that if a role changes even a few hours after the recertification process is complete, that change is not taken into account until the next time you run your recertification.
This can leave employees with more permissions than what they should have.
What if we thought about recertification differently?
At Axiomatics, we believe that authorization should not be dependent on the normal, in-the-moment process of recertification. Things can happen at a rapid pace that could endanger your system if you rely on the typical periodic recertification processes.
An attribute-based access control (ABAC) solution instead makes each access decision in real time, at the point of access, based on the attributes collected at that exact moment.
This makes recertification become a quick activity instead of the labor-intensive nightmare we are used to with the RBAC approach.
With the periodic approach, any change that happens after the recertification process, even a few hours later, immediately makes that recertification inaccurate and insecure.
When using ABAC, authorization is completed in real-time.
We will always provide the decision based on the policies, conditions and context of that moment in time. This can help relieve some stress as the system is always running in the background, and it doesn’t wait for the next time the recertification process is done.
The difference between static and dynamic recertification
As an example of the difference between static and dynamic recertification, consider Susan Smith, who was just promoted to a new role within the company she works for.
As a part of her new role she also moved to a new city to work at a different office.
Since Susan was promoted a few weeks after the last recertification process was done, she still has access to applications that she no longer needs to use for her new role.
If you are only relying on the recertification process, it isn’t going to catch that until the next time you go through and do that process again. It is a static process which can leave employees with more permissions than what they should have.
With our solution, the system immediately recognises that Susan is in a new role and in a different city, so she no longer meets the criteria to use the application and is blocked.
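To make the contrast concrete, here is an added example (not Axiomatics code and not a real policy language) that evaluates a constructed role-plus-office-city policy against Susan's attributes at access time, next to the point-in-time snapshot an access review produces. Names, roles, cities and applications are all assumed sample values.

```python
"""Static entitlement snapshot (review-style) vs attribute-based decision at access time.
All subjects, applications and policies below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Subject:
    name: str
    role: str
    office_city: str


@dataclass
class Policy:
    app: str
    allowed_roles: set
    allowed_cities: set


# Constructed policies: payroll is limited to HR analysts in the London office.
POLICIES = {
    "payroll": Policy("payroll", {"hr-analyst"}, {"London"}),
    "crm": Policy("crm", {"hr-analyst", "sales-manager"}, {"London", "Manchester"}),
}


def evaluate(subject, app, policies=POLICIES):
    """Decide on the subject's CURRENT attributes and explain which condition failed."""
    policy = policies.get(app)
    if policy is None:
        return "deny", ["no policy defined for application"]
    reasons = []
    if subject.role not in policy.allowed_roles:
        reasons.append(f"role {subject.role!r} not in {sorted(policy.allowed_roles)}")
    if subject.office_city not in policy.allowed_cities:
        reasons.append(f"city {subject.office_city!r} not in {sorted(policy.allowed_cities)}")
    return ("deny", reasons) if reasons else ("permit", ["all policy conditions met"])


def recertify(subjects, apps, policies=POLICIES):
    """Point-in-time snapshot of who is entitled to what, as a periodic review records it."""
    return {(s.name, app) for s in subjects for app in apps if evaluate(s, app, policies)[0] == "permit"}


def static_check(name, app, snapshot):
    """Review-style check: trusts the snapshot, regardless of what changed since."""
    return "permit" if (name, app) in snapshot else "deny"


# Constructed timeline: Susan at the last review, then promoted and relocated weeks later.
SUSAN_AT_REVIEW = Subject("Susan Smith", "hr-analyst", "London")
SNAPSHOT = recertify([SUSAN_AT_REVIEW], POLICIES)
SUSAN_NOW = Subject("Susan Smith", "sales-manager", "Manchester")
```

The snapshot still permits Susan into payroll, while evaluating her current attributes denies it and lists both the role and the city condition that no longer hold.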
Additionally, if an employee has entitlement which was previously removed, IT can leverage Axiomatics to understand why that employee has that entitlement again.
Many identity solutions will tell you when and how the employee got that entitlement back, though they don’t have the ability to tell you why. We can show the policy and the context of the exact scenarios in which that employee would hold that entitlement.
It is also good to know that you don’t have to rely on others to diligently review their employees’ access, which mitigates the risk of human error.
By making the access decisions in real-time at the point of access, each time, we are making recertification a redundant exercise. This can help remove the stress around recertification because it becomes an indisputable point and ensures that compliance is up to date.
Mitigate your risks and increase your confidence with dynamic authorization
Our award-winning solution runs in the background at all times, so you can check the box, but as life happens the system updates in real time as each request is made. This provides the safety net of knowing that access is based on real-time information, so you need not be as concerned about how often you do recertification.
It also means that you don’t have to rely on the effectiveness of others. It can give you extra confidence in the results as it mitigates the risk of human error. If there are breaches or surprise audits, you know that this has been running in the background all of the time.
Take the next step
Download our executive overview to learn how Axiomatics can help your organization streamline the recertification / access review process to help save time and money.
Request a demo with one of our solution experts to see how we can help provide confidence when it comes to controlling access around recertification.
You can also download our white paper to learn how an authorization strategy can fill in gaps and help IGA reach its full potential.