I don’t know why, but I get excited when I get to talk about topics like application access review, access certification, attestation and pretty much anything that deals with application governance or the like. Ever since I first started hearing these terminologies, as they entered the market, the concepts absolutely fascinated me. They fascinated me almost as much as the first time I heard about identity management technologies, which blew my mind!
As with any new technology, you don’t learn about its shortcomings until it has been out for a while and the end users have taken it for a spin around the block. Automating the access review process was an awesome idea: it let organizations get rid of their cumbersome Excel spreadsheet review processes, integrate workflows for specialized processes, automate escalations, provide oversight, detect separation of duties (SoD) conflicts, and so on. What we didn’t realize at first, but came to understand, is that even though the solution automates a cumbersome process, nobody remembers that once it has been in place for a couple of quarters.
What you see almost immediately is that although we gave line of business managers visibility into what their end users have access to, along with the ability to decide on more granular levels of access for the users they are reviewing, the review quickly became just another boring, cumbersome process for them. More granularity, more oversight and more processes mean more time spent on the attestation review, and more time spent looking for ways to get out of doing the work.
What we most often see is reviewers applying a “rubber stamp” to the attestation and review process. In practice this looks like clicking the select-all button on their outstanding attestations page and then clicking accept. There might be a cursory glance at the waiting attestations, but it is really just a formality. Reviewers are not actually “reviewing” anything, and that creates real problems: nobody truly understands who has access to what or who should have access to what, which leads to access creep and to plain bad access that never gets handled by the people in the know. No matter how sophisticated the solution, you can’t get end users to use it the way it was intended without some coercion, intentional or not.
So, to recap: it was hard to get reviewers to do their job when the process was manual, and it is still hard to get them to do it with application governance solutions. What strategies can help encourage reviewers to take their very important job seriously? Here are a couple of ideas that might spark some of your own, which will often depend on your culture, for making the attestation review as relevant as possible to the reviewers.
- Do a full review of all access only once or twice a year, rather than at every attestation cycle, so users are not burdened with a huge review every time one is run.
- Do an incremental review in every cycle that is not a full access review. There is far less information involved, and it may hold the reviewer’s attention longer when they know there isn’t a day’s worth of access to sift through.
- Have as many SoD rules pre-defined as possible, so that conflicts are automatically called out to reviewers. This lets them create the necessary exceptions or revoke access, depending on the case at hand.
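The three ideas above, plus the “rubber stamp” symptom described earlier, as an added example that is not code from the original post or from any particular governance product. It builds an incremental review (only entitlements granted since the last full review, plus anything now sitting in an SoD conflict), evaluates pre-defined SoD rules so conflicts are surfaced automatically, and applies a simple heuristic over a decision log to flag reviewers who approve everything in bulk. The entitlement names, rule names, sample data and thresholds are all constructed assumptions; in practice they would come from the governance platform and be tuned per organization.

```python
"""Incremental access review generation, pre-defined SoD checks and a
rubber-stamp heuristic. Added illustration, not the post's own code; all
data, rule names and thresholds below are constructed assumptions."""
from dataclasses import dataclass, field

# Constructed entitlement snapshots: what each user held at the last full
# review versus what they hold now (user -> set of entitlement names).
LAST_FULL_REVIEW = {
    "alice": {"erp.ap.invoice.create", "erp.ap.vendor.read"},
    "bob": {"erp.gl.journal.post"},
    "carol": {"hr.payroll.read"},
}
CURRENT_ACCESS = {
    "alice": {"erp.ap.invoice.create", "erp.ap.vendor.read", "erp.ap.payment.approve"},
    "bob": {"erp.gl.journal.post", "erp.gl.journal.create"},
    "carol": {"hr.payroll.read"},
    "dave": {"erp.ap.vendor.create", "erp.ap.payment.approve"},
}

# Pre-defined SoD rules (hypothetical names): a single person should not
# hold both entitlements in a pair.
SOD_RULES = {
    "AP-01 create invoice + approve payment": {"erp.ap.invoice.create", "erp.ap.payment.approve"},
    "AP-02 create vendor + approve payment": {"erp.ap.vendor.create", "erp.ap.payment.approve"},
    "GL-01 create + post journal": {"erp.gl.journal.create", "erp.gl.journal.post"},
}


@dataclass
class ReviewItem:
    user: str
    entitlement: str
    reason: str                                    # why the reviewer is asked about it
    sod_rules: list = field(default_factory=list)  # SoD conflicts it takes part in


def sod_conflicts(entitlements):
    """Names of SoD rules whose entitlement pair is fully held by one user."""
    return sorted(name for name, pair in SOD_RULES.items() if pair <= entitlements)


def build_review(previous, current, full=False):
    """Build the list of items a reviewer must decide on.

    full=True  -> every entitlement of every user (the once- or twice-a-year review).
    full=False -> only entitlements granted since `previous`, plus existing
                  entitlements that now sit in an SoD conflict, so the
                  incremental cycle shows the delta rather than the whole estate.
    """
    items = []
    for user, ents in sorted(current.items()):
        conflicts = sod_conflicts(ents)
        in_conflict = set().union(*(SOD_RULES[c] for c in conflicts)) if conflicts else set()
        added = ents - previous.get(user, set())
        for ent in sorted(ents):
            if full:
                reason = "full review"
            elif ent in added:
                reason = "new since last full review"
            elif ent in in_conflict:
                reason = "existing access now in SoD conflict"
            else:
                continue  # unchanged and conflict-free: left out of an incremental cycle
            items.append(ReviewItem(user, ent, reason, [c for c in conflicts if ent in SOD_RULES[c]]))
    return items


def rubber_stamp_suspects(decisions, min_items=5, max_seconds_per_item=3.0):
    """Flag reviewers whose decisions look like 'select all, approve'.

    decisions: iterable of (reviewer, decision, unix_timestamp). A reviewer is
    flagged when they decided at least `min_items` items, approved every one
    of them, and averaged under `max_seconds_per_item` between decisions.
    Thresholds are illustrative and would be tuned per organization.
    """
    by_reviewer = {}
    for reviewer, decision, ts in decisions:
        by_reviewer.setdefault(reviewer, []).append((decision, ts))
    suspects = []
    for reviewer, recs in sorted(by_reviewer.items()):
        if len(recs) < min_items:
            continue
        stamps = sorted(ts for _, ts in recs)
        span = stamps[-1] - stamps[0]
        if all(d == "approve" for d, _ in recs) and span / len(recs) < max_seconds_per_item:
            suspects.append(reviewer)
    return suspects


# Constructed decision log: one manager bulk-approves six items in five seconds,
# another takes minutes per item and revokes something along the way.
SAMPLE_DECISIONS = [("mgr_finance", "approve", 1000 + i) for i in range(6)] + [
    ("mgr_hr", "approve", 2000), ("mgr_hr", "revoke", 2300), ("mgr_hr", "approve", 2500),
    ("mgr_hr", "approve", 2650), ("mgr_hr", "approve", 2900),
]

if __name__ == "__main__":
    for item in build_review(LAST_FULL_REVIEW, CURRENT_ACCESS):
        print(f"{item.user:6} {item.entitlement:26} {item.reason:36} {item.sod_rules}")
    print("possible rubber stampers:", rubber_stamp_suspects(SAMPLE_DECISIONS))
```

Run as-is, the incremental review contains six items (alice, bob and dave) instead of the eight a full review would produce, and carol, whose access is unchanged and conflict-free, is not bothered at all. Every item carries the SoD rule it violates, so the reviewer sees the conflict rather than having to spot it. The rubber-stamp heuristic is deliberately crude: it is a starting point for a conversation with the approver, not a verdict.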
The risk mitigation benefits of access certification are only as real as the care approvers take in examining access rights. Access certification efforts that suffer from the “rubber stamp” syndrome mentioned above help no one, either in terms of the access review itself or, most importantly, the security of the organization in terms of what an individual should have access to.
Work with your line of business managers and other organizational approvers to find out what their fatigue level is when it comes to approving access. Then cater to them as much as possible, without sacrificing security, to keep them engaged for each review cycle. If you are still using a manual access review process, reach out to me; there are better ways of doing things that you are missing out on. Access governance solutions are here to stay.