What Makes Recertification of Access Rights So Important?
Redundant access rights pose a significant security risk with respect to both external and internal cyber attacks. If too many rights are assigned to an account, the potential for damage in the event of a security breach increases tremendously. Regular monitoring of access rights helps to comply with the Principle of Least Privilege and thus to minimize vulnerabilities.
Key points:
Compliance and regulation: Many standards and regulations require regular review of permissions.
Minimizing the potential for damage: Fewer permissions reduce the risk of a compromised account causing significant damage.
Awareness: Employees and managers are trained to handle permissions consciously.
Regulatory Requirements
Various national and international regulations require continuous review of user access rights. These guidelines are designed to ensure organizational security and compliance:
European Standard ISO 27001 (control A.9.2.5 Review of user access rights): Organizations are required to regularly verify whether access rights are still required or can be revoked.
EU Directive NIS2: Article 21 requires “basic procedures in the area of cyber hygiene”, which also includes recertification.
MaRisk of the German Federal Financial Supervisory Authority (BaFin) (AT 4.3.1): The minimum requirements for risk management underpin the need-to-know principle and require regular reviews.
International norms such as the US laws HIPAA and SOX: These also set strict requirements for the administration and review of authorizations.
The German Federal Office for Information Security’s systematic approach to information security called “IT-Grundschutz”, which is often used as a benchmark for Critical Infrastructures (KRITIS), states the following with regard to organization and personnel: “User authorizations must be reviewed at regular intervals, but at least once a year, to ensure that they still correspond to the user’s tasks and role.” (see chapter ORP.4.A11)
Purposes of Recertification
In day-to-day work, an extensive set of authorizations may seem more convenient than a strict minimum of rights, because even minor changes in job responsibilities require new authorization requests. Such requests cause additional work before the actual work can begin.
It is therefore not surprising that only a very small number of employees actively request a restriction of their access rights. Often, the people affected are not even aware of all the rights they have. That is why it is important to proactively search for authorizations that are no longer needed.
The main goal of recertification is to reduce obsolete authorizations and thus minimize security risks. At the same time, this approach yields additional benefits:
Raising employee awareness: A more conscious approach to access rights is encouraged. It is only through recertification that access rights are checked and, in the case of questionable authorizations, either the individual case is examined more closely or, if necessary, the authorization is documented in a more comprehensible manner. Without recertification, certain critical questions would not even arise.
Optimization of authorization structures: A clearer and more efficient IT environment is created. The queries raised during review reveal where roles or individual rights are difficult to assess. This can lead to a revision or optimization of roles and rights, have a positive long-term effect on authorization structures, and lead to enhanced cyber hygiene.
Meeting compliance requirements: Regular checks ensure compliance with legal and regulatory requirements.
The Challenges of Recertification
The implementation of an effective recertification process comes with a number of challenges:
High number of authorizations: Especially in companies with a large variety of applications and systems, there are often thousands of authorizations that need to be checked. This enormous amount of work makes recertification a time-consuming process that can lead to frustration among all parties involved.
Lack of transparency: Without a central access management system, it is often unclear who has which access rights. This makes it almost impossible to achieve full transparency.
Complex structures: As the number of different systems grows, so does the variety of authorization structures. Many systems have technical authorization names that non-IT personnel often find difficult to understand.
Low acceptance among managers: Checking authorizations is perceived as an additional administrative task that is not part of the actual core competencies. As the immediate added value is not always obvious, recertification is often seen as a formal necessity and therefore not prioritized.
For this reason, manual recertification, e.g. based on Excel spreadsheets, is not recommended. With this type of recertification, the actual objectives are unlikely to be achieved.
How Do IAM Systems Facilitate the Recertification Process?
This is precisely where modern IAM systems come into play, significantly simplifying the recertification process for both IT administrators and managers. These systems offer a number of advantages:
Intuitive User Interfaces
Making recertification as easy as possible for everyone involved should be the primary goal of an IAM system. The focus should therefore be on an intuitive interface, reducing complexity and providing efficient ways to process tasks quickly.
Flexible Campaigns
Recertification campaigns can be configured to be application-based or risk-based, thereby reducing the audit effort. A campaign is based on a recertification rule that defines who checks something and how often.
Managers’ workloads can be significantly reduced by allowing them to focus only on the directly assigned authorizations during employee recertification, while all indirect assignments are handled in a separate campaign. This not only significantly reduces the number of authorizations to be reviewed, but also simplifies the decision-making process for managers as the data is easier to process. The number of authorizations is reduced by all authorizations that are assigned through a role.
For example, if a role contains 50 individual rights, only the one role assignment needs to be checked, and not the 50 individual rights it contains. The role contents are in turn checked in a separate campaign by the role owner, who thus ensures that the role only contains the individual rights that are necessary for that role.
This separation improves the quality of the recertification, since each person performing the recertification only has to assess what corresponds to their expertise.
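The campaign split described above, as an added example that is not Garancy's or Beta Systems' code: a constructed entitlement model with one role of 50 rights, from which the manager campaign (direct rights plus role assignments) and the role-owner campaign (role contents) are derived and compared against a flat review of every effective right. All names, roles and rights are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    owner: str          # role owner who recertifies the role contents
    rights: set[str]    # individual rights bundled in the role


@dataclass
class User:
    name: str
    manager: str                                   # reviewer in the manager campaign
    direct_rights: set[str] = field(default_factory=set)
    roles: set[str] = field(default_factory=set)   # role assignments (indirect rights)


def effective_rights(user: User, roles: dict[str, Role]) -> set[str]:
    """All rights a user actually holds: direct ones plus those inherited via roles."""
    out = set(user.direct_rights)
    for r in user.roles:
        out |= roles[r].rights
    return out


def flat_review_count(users: list[User], roles: dict[str, Role]) -> int:
    """Items to review if every effective right were certified individually."""
    return sum(len(effective_rights(u, roles)) for u in users)


def manager_campaign(users: list[User]) -> list[tuple[str, str, str, str]]:
    """(reviewer, user, kind, item): each direct right and each role assignment,
    but none of the rights contained in an assigned role."""
    items = []
    for u in users:
        items += [(u.manager, u.name, "right", r) for r in sorted(u.direct_rights)]
        items += [(u.manager, u.name, "role", r) for r in sorted(u.roles)]
    return items


def role_owner_campaign(roles: dict[str, Role]) -> list[tuple[str, str, str, str]]:
    """(reviewer, role, kind, item): the role owner certifies the role's contents once,
    regardless of how many users hold the role."""
    return [(r.owner, r.name, "right", x) for r in roles.values() for x in sorted(r.rights)]


# Constructed sample: one role with 50 SAP-style rights, two users holding it.
ROLES = {"AP-Clerk": Role("AP-Clerk", "alice", {f"SAP-FI-{i:02d}" for i in range(50)})}
USERS = [User("bob", "carol", {"AD-VPN"}, {"AP-Clerk"}), User("dan", "carol", set(), {"AP-Clerk"})]
```

With this sample a flat review would put 101 items in front of the manager, whereas the split produces 3 manager items and 50 role-owner items, and the 50 role contents are checked once rather than once per user.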
Compliance Transparency
Auditors and compliance managers get a clear overview of the recertification process and its results. They can see progress in campaigns and view the results after the campaign is completed.
Auditors are particularly interested in campaigns in which there have been no withdrawals of authorizations. This indicates that assignments may have been simply confirmed without actually checking whether some rights could be revoked. This information and any resulting queries improve the quality of recertifications in the long term and help to ensure that the initial goal is achieved.
Automation and Provisioning
Recertification results are automatically implemented and provisioned in the connected systems, which reduces errors and manual effort.
Provisioning in the area of recertification refers to the automatic revocation of group memberships, such as the withdrawal of Windows AD groups or, in the context of SAP, the withdrawal of single or group roles. Our overview of connectors for Garancy shows which target systems we can connect.
Conclusion: Efficient Recertification Requires IAM
Regular recertification of authorizations is an indispensable part of modern IT security and regulatory compliance. Using IAM systems not only makes this process more efficient, but also traceable and user-friendly – which ultimately increases security.
Findings from our customers show that as many as 10 to 15% of authorizations can be withdrawn during initial recertifications – despite having Joiner, Mover and Leaver processes in place. This clearly shows that these standard processes alone are not sufficient to ensure protection against excessive authorizations.
Did we spark your interest?
Find out how modern IAM solutions can streamline your recertification processes. Contact us for a free consultation and discover how you can improve your company’s security with targeted authorization checks.