Why recertification of access rights matters
Isn’t it fantastic when an employee takes the next step in his or her career? For example, when the faithful payroll assistant becomes HR Manager?
However, some of the implications are not so obvious. The former assistant now also has the ability to approve salary changes in the system, on top of the access already held. In other words, the person can both change and approve his or her own salary in the HR system.
The example above is striking, but it is neither uncommon nor fiction: it is taken from the real world. There are other examples, perhaps less apparent, where the consequences for the business are far more severe.
Employees who have been part of the organization for many years, and who have moved between different positions and roles, tend to accumulate user accounts and access rights. If and when the person leaves the organization, the busy manager may manage to recover the key card, cell phone and laptop, and hopefully also tell HR to stop paying salary. However, it is not unusual for user accounts and access rights to remain in place in different systems, simply because no one knows that they exist, when they were created, who assigned them or who approved them.
Another issue is that it is not always obvious what the consequences for the business are of different combinations of access rights. A seemingly harmless access right may very well, in combination with another one, allow the person to access information and resources in ways that are both dangerous and in conflict with the organization’s current rules and policies.
There are two important keys to rectifying the issues above:
First, create a thorough set of policies that govern the business, with a well-defined “Segregation of Duties” (SoD, sometimes known as “Separation of Duties”). This set of policies must follow the requirements on the organization: both the internal requirements and compliance with the laws and other regulations that affect the organization’s business.
Second, regularly re-approve users’ accounts and access rights in the organization’s various systems. That makes it possible to find the snags hidden in plain sight early. Re-approval of user accounts and access rights is preferably performed in “campaigns” a few times per year, and there are tools available to facilitate this. Real-time integration with the systems is usually not necessary; many organizations do well by importing the necessary data and, after the re-approval, extracting reports on which accounts and access rights to keep or remove. The most important thing is to get an overall picture of the current state of affairs. This supports compliance with, for example, the EU General Data Protection Regulation, which is now the governing set of rules for handling identities and access rights in the organization. Each campaign brings the organization closer to being in control of identity and access management, and able to prove it.
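As an added illustration (not part of the original post, and not a description of any particular product), the following Python sketch runs a campaign the way the two key points above describe it: an entitlement export from the systems is imported, checked offline against SoD rules and the HR roster, every item is pre-flagged for the reviewer (orphaned account, no approver on record, part of a toxic combination, also across systems), and a keep/remove report is extracted at the end. The systems, users, rights, roster and SoD rules are all constructed sample data.

```python
"""Offline access recertification over an exported entitlement list.

Everything below is constructed sample data: two hypothetical systems
("HR" and "Finance"), a small HR roster and illustrative SoD rules.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    right: str
    approved_by: Optional[str]  # None = nobody on record approved this


# Constructed export. "anna" kept her payroll edit right when promoted,
# "erik" left the company but his account was never removed.
ENTITLEMENTS = [
    Entitlement("anna", "HR", "SALARY_EDIT", "bo"),
    Entitlement("anna", "HR", "SALARY_APPROVE", "bo"),
    Entitlement("anna", "Finance", "PAYMENT_APPROVE", None),
    Entitlement("carl", "Finance", "VENDOR_CREATE", "dina"),
    Entitlement("carl", "Finance", "PAYMENT_APPROVE", "dina"),
    Entitlement("erik", "HR", "SALARY_EDIT", None),
    Entitlement("fia", "Finance", "VENDOR_CREATE", "dina"),
]

# Constructed roster: who HR says is still employed.
ACTIVE_STAFF = {"anna", "carl", "fia"}

# Illustrative SoD rules: pairs of (system, right) one person must not hold
# together. The third rule spans two systems, which is exactly the kind of
# combination that is hard to spot by looking at one system at a time.
SOD_RULES = {
    frozenset({("HR", "SALARY_EDIT"), ("HR", "SALARY_APPROVE")}):
        "edit and approve own salary",
    frozenset({("Finance", "VENDOR_CREATE"), ("Finance", "PAYMENT_APPROVE")}):
        "create a vendor and approve payments to it",
    frozenset({("HR", "SALARY_EDIT"), ("Finance", "PAYMENT_APPROVE")}):
        "edit salary and approve the payroll payment",
}


def rights_by_user(entitlements):
    """Collapse the export into {user: {(system, right), ...}} across all systems."""
    held = defaultdict(set)
    for e in entitlements:
        held[e.user].add((e.system, e.right))
    return held


def find_sod_conflicts(entitlements, rules=SOD_RULES):
    """Return {user: [(violated_pair, description), ...]} for every violated rule."""
    conflicts = defaultdict(list)
    for user, held in rights_by_user(entitlements).items():
        for pair, description in rules.items():
            if pair <= held:  # user holds both rights of the pair
                conflicts[user].append((pair, description))
    return dict(conflicts)


def build_campaign(entitlements, active_staff=ACTIVE_STAFF, rules=SOD_RULES):
    """One review item per entitlement, pre-flagged with reasons to look twice."""
    conflicts = find_sod_conflicts(entitlements, rules)
    items = []
    for e in entitlements:
        flags = []
        if e.user not in active_staff:
            flags.append("orphaned: user not in HR roster")
        if e.approved_by is None:
            flags.append("no approver on record")
        for pair, description in conflicts.get(e.user, []):
            if (e.system, e.right) in pair:
                flags.append(f"SoD: {description}")
        items.append({"entitlement": e, "flags": flags})
    return items


def flags_for(items, user, system, right):
    """Look up the flags of one review item (convenience for reports and tests)."""
    for item in items:
        e = item["entitlement"]
        if (e.user, e.system, e.right) == (user, system, right):
            return item["flags"]
    raise KeyError((user, system, right))


def recertification_report(items, decisions):
    """decisions: {(user, system, right): "keep" | "remove"} from the reviewers.

    Anything nobody explicitly re-approved is reported for removal: the
    campaign is a positive confirmation, not a hunt for things to delete.
    """
    report = {"keep": [], "remove": []}
    for item in items:
        e = item["entitlement"]
        verdict = decisions.get((e.user, e.system, e.right), "remove")
        report[verdict].append((e.user, e.system, e.right))
    return report


if __name__ == "__main__":
    campaign = build_campaign(ENTITLEMENTS)
    for item in campaign:
        e = item["entitlement"]
        print(f"{e.user:5} {e.system:8} {e.right:16} {'; '.join(item['flags']) or 'ok'}")
    # Constructed reviewer input: only fia's single right was re-approved.
    print(recertification_report(campaign, {("fia", "Finance", "VENDOR_CREATE"): "keep"}))
```

The default of "remove" for anything the reviewers did not explicitly re-approve is a deliberate design choice: it makes the campaign a positive confirmation of every account and right, so the leftovers nobody remembers do not survive simply because nobody remembered them.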
To go really advanced, it is possible today to implement tools that act in real time when a user seeks access to information and resources with a toxic combination of access rights. However, you will get quite a bit closer to control over the situation just by working with the two key points mentioned above.