Efficient Recertification: Increased Security Through Targeted Authorization Validation

Cyber attacks are constantly on the rise – and with them the risks associated with excessive access authorizations. Nowadays, a compromised account can have devastating consequences, making regular reviews and adjustments of authorizations more important than ever. This article shows why recertifications are a crucial component of IT security in Identity & Access Management (IAM), outlines some of the relevant regulatory requirements, and explains how modern IAM systems can simplify recertification processes.


What Makes Recertification of Access Rights So Important?

Redundant access rights pose a significant security risk with respect to both external and internal cyber attacks. If an account holds more rights than it needs, the potential for damage in the event of a security breach increases tremendously. Regular monitoring of access rights helps to enforce the Principle of Least Privilege and thus to minimize vulnerabilities.

Key points:

  • Compliance and regulation: Many standards and regulations require regular review of permissions.

  • Minimizing the potential for damage: Fewer permissions reduce the risk of a compromised account causing significant damage.

  • Awareness: Employees and managers are trained to handle permissions consciously.

Regulatory Requirements

Various national and international regulations require continuous review of user access rights. These guidelines are designed to ensure organizational security and compliance:

  • European Standard ISO 27001 (control A.9.2.5 Review of user access rights): Organizations are required to regularly verify whether access rights are still required or can be revoked.

  • EU Directive NIS2: Article 21 requires “basic procedures in the area of cyber hygiene”, which also includes recertification.

  • MaRisk of the German Federal Financial Supervisory Authority (BaFin) (AT 4.3.1): The minimum requirements for risk management underpin the need-to-know principle and require regular reviews.

  • International norms such as the US laws HIPAA and SOX: These also set strict requirements for the administration and review of authorizations.

  • The German Federal Office for Information Security’s systematic approach to information security called “IT-Grundschutz”, which is often used as a benchmark for Critical Infrastructures (KRITIS), states the following with regard to organization and personnel: “User authorizations must be reviewed at regular intervals, but at least once a year, to ensure that they still correspond to the user’s tasks and role.” (see chapter ORP.4.A11)

Purposes of Recertification

In day-to-day work, an extensive set of authorizations may seem more convenient than a strict minimum of rights, because even minor changes in job responsibilities require new authorization requests. Such requests cause additional work before the actual work can begin.

It is therefore not surprising that only a very small number of employees actively request a restriction of their access rights. Often, the people affected are not even aware of all the rights they have. That is why it is important to proactively search for authorizations that are no longer needed.

The main goal of recertification is to reduce obsolete authorizations and thus minimize security risks. At the same time, this approach yields additional benefits:

  • Raising employee awareness: A more conscious approach to access rights is encouraged. Recertification is the point at which access rights are actually examined: questionable authorizations are either looked at more closely case by case or, where necessary, documented more comprehensibly. Without recertification, certain critical questions would never even be raised.

  • Optimization of authorization structures: A clearer and more efficient IT environment is created. Reviewer queries reveal where roles or individual rights are difficult to assess. This can prompt a revision or optimization of roles and rights, which has a positive long-term effect on authorization structures and improves cyber hygiene.

  • Meeting compliance requirements: Regular checks ensure compliance with legal and regulatory requirements.

The Challenges of Recertification

The implementation of an effective recertification process comes with a number of challenges:

  • High number of authorizations: Especially in companies with a large variety of applications and systems, there are often thousands of authorizations that need to be checked. This enormous amount of work makes recertification a time-consuming process that can lead to frustration among all parties involved.

  • Lack of transparency: Without a central access management system, it is often unclear who has which access rights. This makes it almost impossible to achieve full transparency.

  • Complex structures: As the number of different systems grows, so does the variety of authorization structures. Many systems have technical authorization names that non-IT personnel often find difficult to understand.

  • Low acceptance among managers: Checking authorizations is perceived as an additional administrative task that is not part of the actual core competencies. As the immediate added value is not always obvious, recertification is often seen as a formal necessity and therefore not prioritized.

For this reason, manual recertification, e.g. based on Excel spreadsheets, is not recommended. With this type of recertification, the actual objectives are unlikely to be achieved.

How Do IAM Systems Facilitate the Recertification Process?

This is precisely where modern IAM systems come into play, significantly simplifying the recertification process for both IT administrators and managers. These systems offer a number of advantages:

Intuitive User Interfaces

Making recertification as easy as possible for everyone involved should be the primary goal of an IAM system. The focus should therefore be on an intuitive interface, reducing complexity and providing efficient ways to process tasks quickly.

(Figure: Recertification task in Garancy IAM Suite as a cross table)

Flexible Campaigns

Recertification campaigns can be configured to be application-based or risk-based, thereby reducing the audit effort. A campaign is based on a recertification rule that defines who checks something and how often.

Managers’ workloads can be reduced significantly by letting them review only the directly assigned authorizations during employee recertification, while all indirect assignments (those granted through a role) are handled in a separate campaign. This not only reduces the number of authorizations to review but also makes the decision easier for managers, because the remaining data is easier to interpret: every authorization assigned through a role drops out of the manager’s list.

For example, if a role contains 50 individual rights, only the one role assignment needs to be checked, and not the 50 individual rights it contains. The role contents are in turn checked in a separate campaign by the role owner, who thus ensures that the role only contains the individual rights that are necessary for that role.

This separation improves the quality of the recertification, since each person performing the recertification only has to assess what corresponds to their expertise.
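The split described above, worked through on constructed data as an added example (this is not code from the article or from the Garancy IAM Suite; the role and user model, the rights names and the manager/owner mappings are assumptions made for the demonstration). The manager campaign lists one item per role assignment plus the user's direct rights; the role owner campaign lists each role's contents once. A small extra check, not mentioned in the article, also surfaces direct rights that duplicate something the user already holds through a role, since those are the usual leftovers of a mover process.

```python
"""Splitting a recertification into a manager campaign (direct assignments)
and a role owner campaign (role contents).

Added example with constructed data; not the article's or any product's code.
"""
from collections import defaultdict

# Constructed: roles and the individual rights they bundle.
ROLES = {
    "AP_Clerk": {"SAP:FB60", "SAP:FB65", "SAP:F-43", "Share:Invoices_RW"},
    "HR_Reader": {"HRIS:read_employee", "Share:HR_Policies_R"},
}

# Constructed: per user, assigned roles and standalone (direct) rights.
USERS = {
    "alice": {"roles": {"AP_Clerk"}, "direct": {"Share:Audit_2019_R"}},
    "bob":   {"roles": {"AP_Clerk", "HR_Reader"}, "direct": {"SAP:FB60"}},
    "carol": {"roles": set(), "direct": {"SAP:FB60", "Share:HR_Policies_R"}},
}

# Constructed: who reviews whom. Managers review users, owners review roles.
MANAGER_OF = {"alice": "m1", "bob": "m1", "carol": "m2"}
OWNER_OF = {"AP_Clerk": "o_fin", "HR_Reader": "o_hr"}


def effective_rights(user):
    """All rights a user holds, directly or through a role."""
    rights = set(USERS[user]["direct"])
    for role in USERS[user]["roles"]:
        rights |= ROLES[role]
    return rights


def manager_campaign(manager_of=MANAGER_OF):
    """Review items per manager: one line per role assignment and one per
    direct right. Role contents are deliberately left out."""
    items = defaultdict(list)
    for user, data in USERS.items():
        for role in sorted(data["roles"]):
            items[manager_of[user]].append((user, "role", role))
        for right in sorted(data["direct"]):
            items[manager_of[user]].append((user, "right", right))
    return dict(items)


def role_owner_campaign(owner_of=OWNER_OF):
    """Review items per role owner: the rights bundled in each of their roles,
    reviewed once regardless of how many users hold the role."""
    items = defaultdict(list)
    for role, rights in ROLES.items():
        for right in sorted(rights):
            items[owner_of[role]].append((role, right))
    return dict(items)


def redundant_direct_rights(user):
    """Direct rights the user already receives via an assigned role; these
    are candidates for withdrawal without any loss of access."""
    via_roles = set()
    for role in USERS[user]["roles"]:
        via_roles |= ROLES[role]
    return USERS[user]["direct"] & via_roles


def review_effort(manager_of=MANAGER_OF, owner_of=OWNER_OF):
    """Number of review items with a flat per-user review of every effective
    right versus the split into manager and role owner campaigns."""
    flat = sum(len(effective_rights(u)) for u in USERS)
    mgr = sum(len(v) for v in manager_campaign(manager_of).values())
    own = sum(len(v) for v in role_owner_campaign(owner_of).values())
    return {"flat": flat, "manager_items": mgr, "role_owner_items": own}


if __name__ == "__main__":
    print(review_effort())
    for m, items in manager_campaign().items():
        print(m, items)
    for u in USERS:
        print(u, "redundant direct rights:", redundant_direct_rights(u))
```

With three users the saving is modest (7 manager items instead of 13 effective rights, plus 6 role owner items reviewed once); the point scales with the number of users sharing a role, since the role's contents are reviewed by the owner a single time rather than by every manager for every holder.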

Compliance Transparency

Auditors and compliance managers get a clear overview of the recertification process and its results. They can see progress in campaigns and view the results after the campaign is completed.

Auditors are particularly interested in campaigns in which there have been no withdrawals of authorizations. This indicates that assignments may have been simply confirmed without actually checking whether some rights could be revoked. This information and any resulting queries improve the quality of recertifications in the long term and help to ensure that the initial goal is achieved.
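The zero-withdrawal signal described above, as an added example on constructed decision records (not code from the article or from any IAM product). Beyond the article's own criterion of a campaign or reviewer with no withdrawals, the check also flags decisions made in bulk within seconds of each other, which is an assumed heuristic of mine rather than something the article claims; thresholds and record layout are assumptions too.

```python
"""Compliance transparency checks over recertification decisions:
campaign progress, per-reviewer withdrawal rate, and rubber-stamp flags.

Added example with constructed data; not the article's or any product's code.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed decision records:
# (campaign, reviewer, item, decision, decided_at ISO timestamp)
DECISIONS = [
    ("Q1-managers", "m1", "alice/role/AP_Clerk", "confirm", "2024-02-01T09:00:00"),
    ("Q1-managers", "m1", "alice/right/Share:Audit_2019_R", "confirm", "2024-02-01T09:00:05"),
    ("Q1-managers", "m1", "bob/role/AP_Clerk", "confirm", "2024-02-01T09:00:10"),
    ("Q1-managers", "m1", "bob/role/HR_Reader", "confirm", "2024-02-01T09:00:15"),
    ("Q1-managers", "m1", "bob/right/SAP:FB60", "confirm", "2024-02-01T09:00:20"),
    ("Q1-managers", "m1", "dave/role/HR_Reader", "confirm", "2024-02-01T09:00:25"),
    ("Q1-managers", "m2", "carol/right/SAP:FB60", "confirm", "2024-02-01T10:00:00"),
    ("Q1-managers", "m2", "carol/right/Share:HR_Policies_R", "confirm", "2024-02-01T10:03:00"),
    ("Q1-managers", "m2", "erin/right/Share:Audit_2019_R", "revoke", "2024-02-01T10:07:00"),
    ("Q1-managers", "m2", "erin/role/AP_Clerk", "confirm", "2024-02-01T10:12:00"),
    ("Q1-roleowners", "o_fin", "AP_Clerk/SAP:FB60", "confirm", "2024-02-02T08:00:00"),
    ("Q1-roleowners", "o_fin", "AP_Clerk/SAP:FB65", "confirm", "2024-02-02T08:30:00"),
    ("Q1-roleowners", "o_fin", "AP_Clerk/SAP:F-43", "confirm", "2024-02-03T09:00:00"),
    ("Q1-roleowners", "o_fin", "AP_Clerk/Share:Invoices_RW", "confirm", "2024-02-03T09:20:00"),
    ("Q1-roleowners", "o_fin", "Procurement/SAP:ME21N", "confirm", "2024-02-04T08:00:00"),
]

# Constructed: total number of items each campaign contains.
CAMPAIGN_TOTALS = {"Q1-managers": 12, "Q1-roleowners": 6}


def campaign_progress(decisions=DECISIONS, totals=CAMPAIGN_TOTALS):
    """(decided, total) per campaign, the view an auditor follows during a run."""
    decided = Counter(rec[0] for rec in decisions)
    return {c: (decided[c], totals[c]) for c in totals}


def per_reviewer(decisions=DECISIONS):
    """Group (decision, timestamp) pairs by (campaign, reviewer)."""
    groups = defaultdict(list)
    for campaign, reviewer, _item, decision, ts in decisions:
        groups[(campaign, reviewer)].append((decision, datetime.fromisoformat(ts)))
    return groups


def withdrawal_rates(decisions=DECISIONS):
    """Share of 'revoke' decisions per (campaign, reviewer)."""
    return {
        key: sum(d == "revoke" for d, _ in recs) / len(recs)
        for key, recs in per_reviewer(decisions).items()
    }


def flag_rubber_stamps(decisions=DECISIONS, min_items=5, max_seconds_per_item=10):
    """Reviewers worth a follow-up query: enough items to be meaningful, and
    either nothing withdrawn at all or decisions taken in bulk (average gap
    between decisions below max_seconds_per_item; assumed heuristic)."""
    flags = []
    for (campaign, reviewer), recs in per_reviewer(decisions).items():
        if len(recs) < min_items:
            continue
        revoked = sum(d == "revoke" for d, _ in recs)
        times = sorted(t for _, t in recs)
        span = (times[-1] - times[0]).total_seconds()
        reasons = []
        if revoked == 0:
            reasons.append("no withdrawals")
        if span / len(recs) < max_seconds_per_item:
            reasons.append("decided in bulk")
        if reasons:
            flags.append({"campaign": campaign, "reviewer": reviewer,
                          "items": len(recs), "reasons": reasons})
    return flags


if __name__ == "__main__":
    print(campaign_progress())
    print(withdrawal_rates())
    for f in flag_rubber_stamps():
        print(f)
```

A flag is a prompt for a query to the reviewer, not a verdict: a role owner who confirms every right in a well-maintained role is doing their job, and the follow-up conversation is what raises the quality of the next campaign.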

(Figure: Status of a recertification campaign in the Garancy IAM Suite)

Automation and Provisioning

Recertification results are automatically implemented and provisioned in the connected systems, which reduces errors and manual effort.

Provisioning in the area of recertification refers to the automatic revocation of group memberships, such as the withdrawal of Windows AD groups or, in the context of SAP, the withdrawal of single or group roles. Our overview of connectors for Garancy shows which target systems we can connect.

Conclusion: Efficient Recertification Requires IAM

Regular recertification of authorizations is an indispensable part of modern IT security and regulatory compliance. Using IAM systems not only makes this process more efficient, but also traceable and user-friendly – which ultimately increases security.

Customer Voice

“During the first recertifications, we were able to withdraw between 10 and 15% of unnecessary authorizations – proving that standard Joiner, Mover and Leaver processes alone just aren’t enough.”

Findings from our customers show that as many as 10 to 15% of authorizations can be withdrawn during initial recertifications – despite having Joiner, Mover and Leaver processes in place. This clearly shows that these standard processes alone are not sufficient to ensure protection against excessive authorizations.

Did we spark your interest?

Find out how modern IAM solutions can streamline your recertification processes. Contact us for a free consultation and discover how you can improve your company’s security with targeted authorizations checks.


Author

Stefanie Pfau
Senior Product Manager

Tags: IT Security, IAM, Access Provisioning, Access Management

