Advanced Attestation and Recertification for Today's Organizations
Level 3: Recertification of single permissions through automated processes and request-and-approval workflows
Organizations can achieve tighter control over the correctness of permission assignments by adopting continuous recertification processes. In this model, the initial permission assignments are validated through well-documented request-and-approval workflows, and users retain only appropriate permissions through ongoing recertification.

Continuous recertification is best achieved by implementing an automated identity management system that includes a workflow component. Recertification can then be processed by the same workflow system that assigns permissions, and the automation reduces manual effort. It also avoids the risk of incomplete review present in Level 2, since every set of assigned permissions is determined via a defined and documented process. However, like Level 2, Level 3 lacks transparency: the names of permissions and entitlements tend to be cryptic, understandable to technical staff but not to the manager who needs to recertify or reject them. Additionally, this approach is not user friendly, because of the large number of single permissions to be managed.
Level 4: Continuous recertification on multiple levels using business roles
Using descriptive roles to assign permissions, rather than assigning permissions individually, offers multiple benefits. The first is transparency: when arcane, technically oriented IT entitlements are replaced with descriptive roles, responsibility for granting permissions can be moved from IT staff to the business managers who better understand who needs access to what. This in turn reduces the risk of inappropriate permission assignments.

Moreover, business roles streamline the process of changing a user’s permissions when technical or organizational changes occur. For example, suppose an employee changes positions within the company, moving from Finance to Marketing. Updating his role assignment will automatically revoke his permissions to access sensitive financial data he should no longer see, while ensuring he can access all the marketing documents he now needs in his new position.

Using roles also helps organizations deal with the challenge of mass attestations, which can arise, for example, from a comprehensive reorganization or the need to recertify a large stock of permissions. Instead of blindly hitting the common “Accept all” button, the organization can use a multi-stage attestation process that recertifies users based on their roles in the organization: the department manager attests only to the affiliation of employees with specific roles (such as “Purchasing Manager”) without having to know each of the specific permissions associated with each role.

Finally, if desired, the definition of business roles can itself be part of the recertification workflow, enhancing security.
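The role model described above, as an added example that is not part of the original paper and not Identity Manager's code. It uses a constructed role-to-permission map and constructed users (all names below are assumptions) to show the three points of this section: permissions derive from roles only, a department transfer revokes and grants at the permission level automatically, and the department manager reviews role membership while the role owner reviews the role definition.

```python
"""Role-based permission assignment for Level 4 recertification.

Added illustration, not Identity Manager code. Roles, permissions and
users are constructed sample data.
"""
from dataclasses import dataclass, field

# Business role -> technical entitlements. The manager only ever sees the
# role name on the left; the cryptic names on the right stay with IT.
ROLE_PERMISSIONS = {
    "Employee": {"mail_user", "intranet_ro"},
    "Finance Analyst": {"sap_fi_display", "gl_reports_ro", "fs_finance_ro"},
    "Marketing Specialist": {"cms_campaign_rw", "fs_marketing_rw", "crm_contacts_ro"},
    "Purchasing Manager": {"sap_mm_vendor_create", "sap_mm_po_approve", "fs_finance_ro"},
}


@dataclass
class User:
    uid: str
    department: str
    roles: set = field(default_factory=set)


def effective_permissions(user: User) -> set:
    """Permissions are derived from roles only; nothing is assigned directly."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def transfer(user: User, new_department: str, drop_roles: set, add_roles: set):
    """Move a user to another department, swap business roles and return
    (revoked, granted) at the permission level.

    Diffing the effective permission sets, rather than the role definitions,
    keeps a permission that is still granted by a remaining role (for example
    fs_finance_ro held via both Finance Analyst and Purchasing Manager).
    """
    before = effective_permissions(user)
    user.department = new_department
    user.roles -= drop_roles
    user.roles |= add_roles
    after = effective_permissions(user)
    return before - after, after - before


def manager_attestation_items(users, department: str) -> list:
    """First stage of a multi-stage attestation: the department manager
    confirms only who holds which business role. The base 'Employee' role is
    implicit and is not presented for review."""
    return sorted(
        (u.uid, role)
        for u in users
        if u.department == department
        for role in u.roles
        if role != "Employee"
    )


def role_owner_attestation_items(role: str) -> list:
    """Second stage: the role owner recertifies the role definition itself,
    that is, which technical permissions the role bundles."""
    return sorted(ROLE_PERMISSIONS[role])


if __name__ == "__main__":
    alice = User("alice", "Finance", {"Employee", "Finance Analyst"})
    bob = User("bob", "Finance", {"Employee", "Purchasing Manager", "Finance Analyst"})
    revoked, granted = transfer(alice, "Marketing", {"Finance Analyst"}, {"Marketing Specialist"})
    print("revoked:", sorted(revoked))
    print("granted:", sorted(granted))
    print("Finance manager reviews:", manager_attestation_items([alice, bob], "Finance"))
    print("Role owner reviews:", role_owner_attestation_items("Purchasing Manager"))
```

The diff in `transfer` is computed on effective permissions rather than on role definitions so that an entitlement still justified by a remaining role is not revoked by mistake; that is the edge case a naive "remove everything the old role had" implementation gets wrong.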
Recertification is the ongoing process of revalidating permissions, privileges and entitlements granted to users.
Figure 1. Identity Manager’s interactive report displays all the information needed by the attester while still providing a clear overview of the recertification process.
Level 5: Recertification using risk management principles
Risk management practices are quickly becoming the next extension of attestation and recertification processes. Instead of looking at all users, all access privileges or all data, organizations are concentrating on where risk is highest by asking questions like:
• Which systems house the most critical data?
• Who has access to those systems?
• What kind of authority do they have to change things on those systems?
• Is a user’s access a violation of separation of duties (SoD)? For example, does a user have both the power to set up a vendor and the power to pay a vendor?
Level 5 recertification systems enable organizations to answer those questions, adding an element of intelligence to the recertification process.
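The four questions above, answered over constructed access data, as an added example that is not from the paper or from Identity Manager. The criticality scale, authority weights, rule names and user grants are assumptions; the vendor-setup plus vendor-payment rule is the page's own SoD example, and the queue ordering (SoD violators first, then by risk score) is one reasonable way to "concentrate on where risk is highest".

```python
"""Risk-focused (Level 5) recertification: which systems hold critical data,
who can reach them, how much authority they hold, and whether a single
user combines duties that should be separated.

Added illustration; constructed sample data, not Identity Manager's model.
"""

# System criticality on a 1..3 scale (constructed values).
SYSTEM_CRITICALITY = {"erp": 3, "hr": 3, "crm": 2, "wiki": 1}

# Authority level of a permission: the more a user can change, the higher.
AUTHORITY_WEIGHT = {"read": 1, "write": 2, "admin": 3}

# Separation-of-duties rules: sets of (system, permission) that must never be
# held by one user. The vendor rule is the page's own example; the payroll
# rule is a constructed second case.
SOD_RULES = {
    "vendor setup + vendor payment": {("erp", "vendor_create"), ("erp", "vendor_pay")},
    "payroll change + payroll approval": {("hr", "payroll_edit"), ("hr", "payroll_approve")},
}

# user -> [(system, permission, authority)]; constructed sample data.
ACCESS = {
    "alice": [("erp", "vendor_create", "write"), ("erp", "vendor_pay", "write"), ("wiki", "pages", "read")],
    "bob": [("hr", "payroll_edit", "admin")],
    "carol": [("wiki", "pages", "write"), ("crm", "contacts", "read")],
}


def users_with_access(access: dict, min_criticality: int) -> dict:
    """Who can reach systems at or above the given criticality, and with
    what highest authority weight on each of those systems."""
    result = {}
    for user, grants in access.items():
        for system, _perm, authority in grants:
            if SYSTEM_CRITICALITY[system] >= min_criticality:
                current = result.setdefault(user, {}).get(system, 0)
                result[user][system] = max(current, AUTHORITY_WEIGHT[authority])
    return result


def sod_violations(grants: list) -> list:
    """Names of SoD rules whose toxic combination is fully held by one user."""
    held = {(system, perm) for system, perm, _ in grants}
    return [name for name, combo in SOD_RULES.items() if combo <= held]


def risk_score(grants: list) -> int:
    """Sum of criticality x authority over a user's grants."""
    return sum(SYSTEM_CRITICALITY[s] * AUTHORITY_WEIGHT[a] for s, _, a in grants)


def review_queue(access: dict) -> list:
    """Order users for recertification: SoD violators first, then by risk
    score, so reviewers spend their effort where exposure is highest."""
    rows = [(user, risk_score(g), sod_violations(g)) for user, g in access.items()]
    return sorted(rows, key=lambda r: (len(r[2]), r[1]), reverse=True)


if __name__ == "__main__":
    print("critical-system access:", users_with_access(ACCESS, 3))
    for user, score, violations in review_queue(ACCESS):
        print(f"{user}: risk={score} sod={violations or 'none'}")
```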
Implementing attestation and recertification
Identity Manager
How can you implement a modern attestation and recertification architecture that uses business roles to control permission assignments?

Identity Manager is an identity management and user provisioning solution that is designed to manage the complete lifecycle of identities, not just the recertification tasks. Identity Manager includes an entire set of processes and technologies for maintaining and updating digital identities. Its identity lifecycle management capabilities include identity synchronization, provisioning, de-provisioning, and the ongoing management of user attributes, credentials and entitlements.
Attestation and recertification architecture
Identity Manager’s architecture consists of two major components:
• The attestation object, which is, in principle, an interactive report for attestors (see Figure 1). The design of this report is critical: notice that it displays all the relevant information needed by the attester while still providing a clear overview of the process.
• The attestation policy, which specifies who should perform attestations for each object, including how and under which conditions.

This architecture not only meets the highest levels of sophistication and provides the security required by many regulations throughout the world, but also enables the management of data more complex than permissions, such as:
• Objects such as processes, personal statuses, request and approval workflows, business roles, ITShop articles, web front-end versions and compliance rules
• Triggers, which in addition to normal scheduling triggers can include user additions, changes, moves, deletions or disabling
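The object/policy/trigger split described above, as an added example that is not Identity Manager's code or data model. The dataclasses, the directory lookups (department managers, system owners, role owners), the policy names and the trigger names are all assumptions; what the block shows is how a policy answers "who attests, under which conditions", and how a scheduled run and a lifecycle event (a user move or disabling) open different sets of cases against the same objects.

```python
"""Attestation objects, policies and triggers in the shape the architecture
above describes. Added illustration with constructed data; the classes and
lookups here are assumptions, not Identity Manager's API.
"""
from dataclasses import dataclass
from typing import Callable

# Who is responsible for what (constructed directory data).
DEPARTMENT_MANAGERS = {"Finance": "mgr.finance", "Marketing": "mgr.marketing"}
SYSTEM_OWNERS = {"erp": "owner.erp", "wiki": "owner.wiki"}
ROLE_OWNERS = {"Purchasing Manager": "owner.purchasing"}


@dataclass(frozen=True)
class AttestationObject:
    kind: str          # "role_membership", "permission" or "role_definition"
    subject: str       # user (or role, for role definitions) being attested
    target: str        # the role or "system:permission" under review
    department: str
    critical: bool = False


@dataclass
class AttestationPolicy:
    name: str
    kind: str                                       # object kind it covers
    attestor: Callable[[AttestationObject], str]    # the "who"
    condition: Callable[[AttestationObject], bool]  # the "under which conditions"
    triggers: frozenset                             # events that open a case


@dataclass(frozen=True)
class AttestationCase:
    policy: str
    obj: AttestationObject
    attestor: str
    trigger: str


POLICIES = [
    # Role membership: the department manager confirms that people belong to
    # a role, never the underlying technical entitlements.
    AttestationPolicy(
        "Role membership by department manager", "role_membership",
        attestor=lambda o: DEPARTMENT_MANAGERS[o.department],
        condition=lambda o: True,
        triggers=frozenset({"schedule", "user_added", "user_moved"}),
    ),
    # Only critical permissions go to the system owner; the rest are covered
    # by the role membership review. Disabling a user also opens a case so
    # the owner sees what the dormant account still holds.
    AttestationPolicy(
        "Critical permissions by system owner", "permission",
        attestor=lambda o: SYSTEM_OWNERS[o.target.split(":")[0]],
        condition=lambda o: o.critical,
        triggers=frozenset({"schedule", "user_changed", "user_moved", "user_disabled"}),
    ),
    # The role definition itself is recertified on the schedule only.
    AttestationPolicy(
        "Role definition by role owner", "role_definition",
        attestor=lambda o: ROLE_OWNERS[o.subject],
        condition=lambda o: True,
        triggers=frozenset({"schedule"}),
    ),
]


def open_cases(trigger: str, objects: list, policies=POLICIES) -> list:
    """Create one case per (policy, object) pair that the trigger activates
    and whose policy condition holds for the object."""
    cases = []
    for policy in policies:
        if trigger not in policy.triggers:
            continue
        for obj in objects:
            if obj.kind == policy.kind and policy.condition(obj):
                cases.append(AttestationCase(policy.name, obj, policy.attestor(obj), trigger))
    return cases


# Constructed objects for a user who just moved from Finance to Marketing
# and still holds a critical ERP permission from the old position.
SAMPLE_OBJECTS = [
    AttestationObject("role_membership", "alice", "Marketing Specialist", "Marketing"),
    AttestationObject("permission", "alice", "erp:vendor_pay", "Finance", critical=True),
    AttestationObject("permission", "alice", "wiki:pages", "Marketing", critical=False),
    AttestationObject("role_definition", "Purchasing Manager", "Purchasing Manager", "Finance"),
]


if __name__ == "__main__":
    for trigger in ("user_moved", "schedule", "user_disabled"):
        for case in open_cases(trigger, SAMPLE_OBJECTS):
            print(f"{trigger}: {case.policy} -> {case.attestor} for {case.obj.subject}/{case.obj.target}")
```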
Attestation and recertification dashboards
Dashboards are useful monitoring tools, helping organizations achieve effective status control, regardless of whether attestation and recertification are implemented as a continuing process or as single projects. A typical dashboard displays tables listing the state of multiple attestation processes in order to answer questions such as:
• How many objects have been attested or recertified?
• How are we doing compared to previous attestation or recertification processing?
• How do the various departments compare in their performance?

For example, Identity Manager’s attestation dashboard provides charts that enable you to see the status of attestation policies at a glance (see Figure 2).
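The three dashboard questions computed over constructed case records, as an added example that is not the paper's or Identity Manager's code. The record layout, campaign names and the bulk-approval threshold are assumptions; the last function adds a check the page's own "Accept all" concern suggests, flagging departments that closed every case with an approval, since a 100% completion figure says nothing about whether anyone actually reviewed.

```python
"""Attestation dashboard metrics computed from case records.

Added illustration; records are constructed, not from Identity Manager.
"""
from collections import defaultdict

# (campaign, department, status, decision); decision is None while open.
# Constructed sample data.
CASES = [
    ("2024-Q1", "Finance", "closed", "approve"),
    ("2024-Q1", "Finance", "closed", "approve"),
    ("2024-Q1", "Finance", "closed", "deny"),
    ("2024-Q1", "Finance", "open", None),
    ("2024-Q1", "Marketing", "closed", "approve"),
    ("2024-Q1", "Marketing", "closed", "approve"),
    ("2024-Q2", "Finance", "closed", "approve"),
    ("2024-Q2", "Finance", "closed", "approve"),
    ("2024-Q2", "Finance", "closed", "deny"),
    ("2024-Q2", "Finance", "closed", "approve"),
] + [("2024-Q2", "Marketing", "closed", "approve")] * 5 \
  + [("2024-Q2", "Sales", "open", None)] * 2


def completion_by_department(cases, campaign) -> dict:
    """Percentage of cases attested or recertified, per department."""
    total, closed = defaultdict(int), defaultdict(int)
    for camp, dept, status, _ in cases:
        if camp != campaign:
            continue
        total[dept] += 1
        if status == "closed":
            closed[dept] += 1
    return {d: round(100.0 * closed[d] / total[d], 1) for d in total}


def overall_completion(cases, campaign) -> float:
    """Percentage of all cases in the campaign that are closed."""
    rows = [c for c in cases if c[0] == campaign]
    if not rows:
        return 0.0
    return 100.0 * sum(1 for c in rows if c[2] == "closed") / len(rows)


def campaign_delta(cases, previous, current) -> float:
    """Current campaign versus the previous one, in percentage points."""
    return round(overall_completion(cases, current) - overall_completion(cases, previous), 1)


def suspect_bulk_approval(cases, campaign, min_cases=5) -> list:
    """Departments that closed every case with an approval and had at least
    min_cases items: a possible 'Accept all' pattern worth a second look.
    The threshold is an assumption."""
    by_dept = defaultdict(list)
    for camp, dept, status, decision in cases:
        if camp == campaign:
            by_dept[dept].append((status, decision))
    return sorted(
        d for d, rows in by_dept.items()
        if len(rows) >= min_cases
        and all(s == "closed" and dec == "approve" for s, dec in rows)
    )


if __name__ == "__main__":
    print("Q2 completion by department:", completion_by_department(CASES, "2024-Q2"))
    print("Q2 vs Q1 (pp):", campaign_delta(CASES, "2024-Q1", "2024-Q2"))
    print("possible bulk approval:", suspect_bulk_approval(CASES, "2024-Q2"))
```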